Single Sign On
Galileo provides Single Sign-on capabilities for various providers using the OIDC protocol. See details below for how to configure each provider.

| Provider | Integration |
|---|---|
| Okta | OIDC |
| Azure Active Directory | OIDC |
| PingFederate | OIDC |
| Google | OIDC |
| Github | OIDC |
| Custom OIDC provider | OIDC |
Setting Up SSO with Galileo
- Follow this guide to set up OAuth credentials. User Type is Internal, Scopes are …/auth/userinfo.profile and openid, Authorized domains is your domain for Galileo console.
- When creating a new client ID, set type to Web application, set Authorized redirect URIs to https://{CONSOLE_URL}/api/auth/callback/google
- Share Client ID and Client Secret with Galileo
Okta
- Follow this guide to create a new application. Select OIDC - OpenID Connect as the Sign-in method, Web Application as the application type, Authorization Code as the Grant Type
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/okta, and Sign-out redirect URIs to https://{CONSOLE_URL}.
- Share Issuer URL, Client ID and Client Secret with Galileo
  - Find Issuer URL in Security -> API in admin panel. Audience should be api://default
Microsoft Entra ID (formerly Azure Active Directory)
- Follow this guide to create a new application. Under Redirect URI, set type to Web and URI to https://{CONSOLE_URL}/api/auth/callback/azure-ad
- Go to Token configuration page, Add Optional Claim, choose ID token and email claim.
  - Please ensure each user has the email set in the Contact Information properties. We will use this email as the account on Galileo.
- Go to Certificates & secrets page, click New Client Secret and create a new secret.
- Share the Tenant ID, Client ID and Client Secret with Galileo
PingFederate
- Follow this guide to create an application with Application Type OIDC Web App
- Go to app configuration page, edit it by setting Redirect URIs to https://{CONSOLE_URL}/api/auth/callback/custom
- Share the Environment ID, Client ID and Client Secret with Galileo
Custom OIDC Provider
- Create an application/client with OIDC as the protocol, Web Application as the application type, Authorization Code as the Grant Type
  - Please ensure email claim is returned as part of the ID Token
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/custom, and Sign-out redirect URIs to https://{CONSOLE_URL}, Web origins to https://{CONSOLE_URL}
- Create a Client Secret
- Share all these with Galileo:
  - CLIENT_ID
  - CLIENT_SECRET
  - TOKEN_URL (like https://{BASE_URL}/token)
  - USERINFO_URL (like https://{BASE_URL}/userinfo)
  - ISSUER
  - JWKS_URL (like https://{BASE_URL}/certs)
  - AUTHORIZATION_URL (like https://{BASE_URL}/auth?response_type=code)
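A pre-flight check for the custom provider checklist above, as an added example that is not Galileo's code. It assumes your provider publishes a standard OIDC discovery document and that you have a test ID token to inspect; the mapping from the page's value names to discovery fields, the function names and the sample provider are assumptions made for illustration.

```python
import base64, json
from urllib.parse import urlparse

# Page's value name -> standard OIDC discovery field (mapping is an assumption).
FIELDS = {"ISSUER": "issuer", "AUTHORIZATION_URL": "authorization_endpoint",
          "TOKEN_URL": "token_endpoint", "USERINFO_URL": "userinfo_endpoint",
          "JWKS_URL": "jwks_uri"}

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def preflight(discovery, id_token, client_id):
    """Return (values, problems) for the custom-provider checklist."""
    values, problems = {}, []
    for name, field in FIELDS.items():
        url = discovery.get(field)
        if not url:
            problems.append(f"{name}: '{field}' missing from discovery document")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name}: {url} is not https")
        else:
            values[name] = url
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("Authorization Code flow (response_type=code) not advertised")
    claims = jwt_claims(id_token)
    if claims.get("iss") != discovery.get("issuer"):
        problems.append("ID token 'iss' does not match ISSUER")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("ID token 'aud' does not contain CLIENT_ID")
    if not claims.get("email"):
        problems.append("ID token has no 'email' claim")
    return values, problems

# --- Constructed sample data (hypothetical provider, not a real tenant) ---
BASE = "https://idp.example.com/realms/demo"
SAMPLE_DISCOVERY = {"issuer": BASE, "authorization_endpoint": BASE + "/auth",
                    "token_endpoint": BASE + "/token", "userinfo_endpoint": BASE + "/userinfo",
                    "jwks_uri": BASE + "/certs", "response_types_supported": ["code"]}

def seg(obj):  # base64url-encode one JWT segment, padding stripped
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(claims):  # unsigned, constructed token for the check above
    return ".".join([seg({"alg": "RS256"}), seg(claims), "sig"])

if __name__ == "__main__":
    token = sample_token({"iss": BASE, "aud": "galileo-console", "sub": "123"})
    print(preflight(SAMPLE_DISCOVERY, token, "galileo-console"))
```

The page shows AUTHORIZATION_URL with `?response_type=code` appended, which the discovery field does not include. Never paste a production ID token into shared tooling; inspect a token issued to a test user.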