SSO Integration
This page covers our SSO integration support and the information we need to set up SSO for your Galileo cluster.
Single Sign On
Galileo provides Single Sign-on capabilities for various providers using the OIDC protocol. See details below for how to configure each provider.
Provider | Integration |
---|---|
Okta | OIDC |
Azure Active Directory | OIDC |
PingFederate | OIDC |
Google | OIDC |
Github | OIDC |
Custom OIDC provider | OIDC |
If your provider is not listed above, additional SSO providers can be added on demand as required.
Setting Up SSO with Galileo
Google
- Follow this guide to set up OAuth credentials. User Type is Internal, Scopes are …/auth/userinfo.profile and openid, Authorized domains is your domain for Galileo console.
- When creating a new client ID, set type to Web application and set Authorized redirect URIs to https://{CONSOLE_URL}/api/auth/callback/google
- Share Client ID and Client Secret with Galileo
Okta
- Follow this guide to create a new application. Select OIDC - OpenID Connect as the Sign-in method, Web Application as the application type, Authorization Code as the Grant Type
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/okta, and Sign-out redirect URIs to https://{CONSOLE_URL}.
- Share Issuer URL, Client ID and Client Secret with Galileo
  - Find Issuer URL in Security -> API in admin panel. Audience should be api://default
Microsoft Entra ID (formerly Azure Active Directory)
- Follow this guide to create a new application. Under Redirect URI, set type to Web and URI to https://{CONSOLE_URL}/api/auth/callback/azure-ad
- Go to Token configuration page, Add Optional Claim, choose ID token and email claim.
  - Please ensure each user has the email set in the Contact Information properties. We will use this email as the account on Galileo.
- Go to Certificates & secrets page, click New Client Secret and create a new secret.
- Share the Tenant ID, Client ID and Client Secret with Galileo
PingFederate
- Follow this guide to create an application with Application Type OIDC Web App
- Go to app configuration page, edit it by setting Redirect URIs to https://{CONSOLE_URL}/api/auth/callback/ping-federate
- Share the Environment ID, Client ID and Client Secret with Galileo
Custom OIDC Provider
- Create an application/client with OIDC as the protocol, Web Application as the application type, Authorization Code as the Grant Type
  - Please ensure email claim is returned as part of the ID Token
- Set Sign-in redirect URIs to https://{CONSOLE_URL}/api/auth/callback/custom, Sign-out redirect URIs to https://{CONSOLE_URL}, and Web origins to https://{CONSOLE_URL}
- Create a Client Secret
- Share all these with Galileo:
  - CLIENT_ID
  - CLIENT_SECRET
  - TOKEN_URL (like https://{BASE_URL}/token)
  - USERINFO_URL (like https://{BASE_URL}/userinfo)
  - ISSUER
  - JWKS_URL (like https://{BASE_URL}/certs)
  - AUTHORIZATION_URL (like https://{BASE_URL}/auth?response_type=code)
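A pre-flight check for the custom-provider values listed above, as an added example (not Galileo's own code or tooling): it maps a provider's OIDC discovery document onto this page's field names and flags non-HTTPS endpoints, a missing Authorization Code response type, or an unadvertised email claim. The host `idp.example.com`, the function names `handoff_values` and `id_token_email`, and the sample document are constructed for the example; the metadata keys are the standard OpenID Connect Discovery ones.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (idp.example.com is a placeholder).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/realms/acme",
    "authorization_endpoint": "https://idp.example.com/realms/acme/auth",
    "token_endpoint": "https://idp.example.com/realms/acme/token",
    "userinfo_endpoint": "https://idp.example.com/realms/acme/userinfo",
    "jwks_uri": "https://idp.example.com/realms/acme/certs",
    "response_types_supported": ["code", "id_token"],
    "claims_supported": ["sub", "email", "name"],
}

# Field name used on this page -> OpenID Connect Discovery metadata key.
FIELD_MAP = {
    "ISSUER": "issuer",
    "AUTHORIZATION_URL": "authorization_endpoint",
    "TOKEN_URL": "token_endpoint",
    "USERINFO_URL": "userinfo_endpoint",
    "JWKS_URL": "jwks_uri",
}

def handoff_values(discovery):
    """Return (values, problems) for the endpoint fields listed on this page."""
    values, problems = {}, []
    for field, key in FIELD_MAP.items():
        url = discovery.get(key)
        if not url:
            problems.append(f"{field}: '{key}' missing from discovery document")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{field}: {url} is not served over https")
        values[field] = url
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("Authorization Code flow ('code') is not advertised")
    if "email" not in discovery.get("claims_supported", []):
        problems.append("'email' is not listed in claims_supported")
    return values, problems

def id_token_email(id_token):
    """Decode (without verifying) a test ID token; return its email claim or None."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return None  # not a compact JWS
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("email")
```

Because `claims_supported` is optional in discovery metadata, a warning about it is best confirmed by decoding a test ID token with `id_token_email`.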