Our service portal - GCP Console SSO Integration

Getting advice
,
#1

Hi,

I’m gonna use Keycloak SSO to integrate accounts between our service and GCP (Google Cloud Platform).

Background

  1. User logins from our login page (not keycloak login page)
  2. keycloak verifies authentication
  3. If authenticated, needed to redirect to GCP console as logged in

Current State

  1. I’ve finished setting up SSO configuration both in Keycloak and GCP admin with SAML.

  2. Authentication from Keycloak login, it is well redirected to GCP console as logged in with keycloak login ID (There is a same ID on GCP)

  3. But login should be done from our service page, not from Keycloak login.
    So, tried to get access token by the script. I could get the access token from the below python code.
    (using Flask)

    res = requests.post(REQ_URL, auth=HTTPBasicAuth(name, pwd), headers=headers, data=data)
    res = json.loads(res.text)
    print(res)
    access_token = res[‘refresh_token’]

  4. But, I don’t know how to redirecting to GCP console with ACCESS TOKEN as logged in.
    Which URL should I take to redirect?
    As for OKta SSO, they’re providing GCP Console access(embedding) URL when finishing the SAML setup.

On Keycloak Setting
POST Binding URL: www.google.com/a/our-domain.com/acs

On GCP Admin
SAML: our-keycloak-domain.com/auth/realms/keycloak-aws/protocol/saml
Cert file is properly uploaded.

  • https:// is intentionally omitted in All URL, because more than two links are not allowed for new user.
#2

You are mixing it with OIDC. SSO SAML protocol doesn’t provide any token, it provides SAML response.

I would follow standard GCP doc first https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
You will see that your 1st requirement user logins from our login page (not keycloak login page) isn’t standard.

I’m not saying that is impossible, but it will require decent SAML protocol knowledge and hacking skills.

#3

Jan,

You’re right. I found that I was confused with OIDC.
As I logged in from keycloak login page, it redirects me to the below.

[https://{ourkeycloakserver.com}/auth/realms/{my-realm}/login-actions/authenticate?session_code=xxxxx&execution=yyyyy&client_id=my_client_id

So, I thought that Keycloak provides a way to access the service via SAML login and redirection API (as Okta provides access URI), but it seems not.

Thanks for your comments.