Single Sign On
Galileo provides Single Sign-on capabilities for various providers using the OIDC protocol. See details below for how to configure each provider.

Provider | Integration |
---|---|
Okta | OIDC |
Azure Active Directory | OIDC |
PingFederate | OIDC |
OIDC | |
Github | OIDC |
Custom OIDC provider | OIDC |
Setting Up SSO with Galileo
- Follow this guide to set up OAuth credentials. User Type is Internal, Scopes are …/auth/userinfo.profile and openid, Authorized domains is your domain for Galileo console.
- When creating new client ID, set type to Web application, set Authorized redirect URIs to https://{CONSOLE_URL}/api/auth/callback/google
- Share Client ID and Client Secret with Galileo
Okta
- Follow this guide to create a new application. Select OIDC - OpenID Connect as the Sign-in method, Web Application as the application type, Authorization Code as the Grant Type
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/okta, and Sign-out redirect URIs to https://{CONSOLE_URL}.
- Share Issuer URL, Client ID and Client Secret with Galileo
  - Find Issuer URL in Security -> API in admin panel. Audience should be api://default
Microsoft Entra ID (formerly Azure Active Directory)
- Follow this guide to create a new application. Under Redirect URI, set type to Web and URI to https://{CONSOLE_URL}/api/auth/callback/azure-ad
- Go to Token configuration page, Add Optional Claim, choose ID token and email claim.
  - Please ensure each user has the email set in the Contact Information properties. We will use this email as the account on Galileo.
- Go to Certificates & secrets page, click New Client Secret and create a new secret.
- Share the Tenant ID, Client ID and Client Secret with Galileo
PingFederate
- Follow this guide to create an application with Application Type OIDC Web App
- Go to app configuration page, edit it by setting Redirect URIs to https://{CONSOLE_URL}/api/auth/callback/custom
- Share the Environment ID, Client ID and Client Secret with Galileo
Custom OIDC Provider
- Create an application/client with OIDC as the protocol, Web Application as the application type, Authorization Code as the Grant Type
  - Please ensure email claim is returned as part of the ID Token
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/custom, and Sign-out redirect URIs to https://{CONSOLE_URL}, Web origins to https://{CONSOLE_URL}
- Create a Client Secret
- Share all these with Galileo:
  - CLIENT_ID
  - CLIENT_SECRET
  - TOKEN_URL (like https://{BASE_URL}/token)
  - USERINFO_URL (like https://{BASE_URL}/userinfo)
  - ISSUER
  - JWKS_URL (like https://{BASE_URL}/certs)
  - AUTHORIZATION_URL (like https://{BASE_URL}/auth?response_type=code)
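An added example (not Galileo's code): a check to run before handing over the Custom OIDC Provider values listed above. It compares each URL with the provider's discovery document and confirms that a sample ID token carries the email claim, the expected issuer and the client ID as audience. The provider host, client ID, secret and token are constructed placeholders; the discovery field names are those of OpenID Connect Discovery 1.0.

```python
import base64
import json
from urllib.parse import urlsplit

# Shared value -> OIDC Discovery 1.0 metadata field it should agree with.
DISCOVERY_FIELD = {"ISSUER": "issuer", "TOKEN_URL": "token_endpoint",
                   "USERINFO_URL": "userinfo_endpoint", "JWKS_URL": "jwks_uri",
                   "AUTHORIZATION_URL": "authorization_endpoint"}
REQUIRED = ("CLIENT_ID", "CLIENT_SECRET", *DISCOVERY_FIELD)

def id_token_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_handoff(values, discovery, id_token):
    """Return a list of problems with the values about to be shared."""
    problems = [f"{k} is missing" for k in REQUIRED if not values.get(k)]
    for key, field in DISCOVERY_FIELD.items():
        url = values.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not an https URL")
        # Ignore the query string: the page's AUTHORIZATION_URL example has one.
        if url and url.split("?", 1)[0] != discovery.get(field):
            problems.append(f"{key} differs from discovery field {field}")
    claims = id_token_claims(id_token)
    if not claims.get("email"):
        problems.append("ID token has no email claim")
    if claims.get("iss") != values.get("ISSUER"):
        problems.append("ID token iss differs from ISSUER")
    aud = claims.get("aud")
    if values.get("CLIENT_ID") not in (aud if isinstance(aud, list) else [aud]):
        problems.append("ID token aud does not contain CLIENT_ID")
    return problems

# Constructed sample data for a hypothetical provider at idp.example.test.
def sample_token(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + "."  # "e30" is base64url of an empty {} header

BASE = "https://idp.example.test/realms/demo"
DISCOVERY = {"issuer": BASE, "token_endpoint": f"{BASE}/token",
             "userinfo_endpoint": f"{BASE}/userinfo", "jwks_uri": f"{BASE}/certs",
             "authorization_endpoint": f"{BASE}/auth"}
VALUES = {"CLIENT_ID": "galileo-console", "CLIENT_SECRET": "placeholder-secret",
          "ISSUER": BASE, "TOKEN_URL": f"{BASE}/token",
          "USERINFO_URL": f"{BASE}/userinfo", "JWKS_URL": f"{BASE}/certs",
          "AUTHORIZATION_URL": f"{BASE}/auth?response_type=code"}
GOOD_TOKEN = sample_token({"iss": BASE, "aud": "galileo-console", "email": "u@example.test"})
print(check_handoff(VALUES, DISCOVERY, GOOD_TOKEN) or "ready to share")
```

In practice the discovery dictionary would be the JSON served at the issuer's `/.well-known/openid-configuration` path, and the token would come from a test sign-in against the new client.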