Google Authentication

STEP 1

Create Loft Config For Google

Loft is able to use Google’s OpenID Connect provider as an authentication source.

To tell Loft to use Google for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
# Tell loft to use google authentication
google:
#
#
# REQUIRED CONFIGURATION
#
#
# ClientID for the google authentication. Can be string literal or pulled from the environment.
clientId: $CLIENTID
# ClientSecret for the google authentication. Can be string literal or pulled from the environment.
clientSecret: $CLIENTSECRET
# Callback URL in the form of https://your-loft-domain/auth/google/callback
redirectURI: https://loft.my.domain/auth/google/callback
#
#
# OPTIONAL CONFIGURATION
#
#
# (Optional) defaults to "profile" and "email"
scopes: ["profile", "email"]
# (Optional) list of whitelisted domains. If this field is nonempty,
# only users from a listed domain will be allowed to log in
hostedDomains: []
# (Optional) list of whitelisted groups. If this field is nonempty,
# only users from a listed group will be allowed to log in
groups: []
# (Optional) path to service account json. If nonempty,
# and groups claim is made, will use authentication from file to
# check groups with the admin directory api
serviceAccountFilePath: /path/to/service/account.json
# (Optional) Required if serviceAccountFilePath is set. The email of
# a GSuite super user which the service account will impersonate
# when listing groups
adminEmail: myuser@mydomain.com
# (Optional) Cluster Account Templates that will be automatically added for new users
# logging in through this authentication
clusterAccountTemplates:
# The name of the cluster account template
- name: my-cluster-account-template
sync: true
# (Optional) A mapping between groups and cluster account templates.
# If the user has a certain group, the cluster account template
# will be added during creation
groupClusterAccountTemplates:
# Name of the group from the token
- group: my-group
# Names of the cluster account templates to apply
clusterAccountTemplates:
- name: my-cluster-account-template
sync: true
STEP 2

Authenticate via Google

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via Google.

STEP 3

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:
oidc: ... # This is your SSO configuration (make sure this is working!)
password:
disabled: true # Disable password-based authentication