Kubesense

Google SSO

Overview

KubeSense supports single sign-on (SSO) authentication through Google Workspace, enabling secure, passwordless access to your observability platform using your organization's Google credentials.

info: Google Workspace integration provides enterprise-grade authentication and security for accessing the KubeSense platform.

Prerequisites

Before setting up Google Workspace integration, ensure you have:

  • Google Console account with Admin access
  • KubeSense instance (self-hosted) with administrative access
  • Your KubeSense instance URL (e.g., https://kubesense.example.com)

Step 1: Create OAuth 2.0 Credentials in Google Cloud

  1. Visit the Google Cloud Console → APIs & Services → Credentials
  2. Select or create a project for KubeSense
  3. Click Create credentials → OAuth client ID
  4. If prompted, configure the OAuth consent screen:
    • Choose Internal (for Google Workspace users only)
    • Fill in the required application information
    • Add scopes (openid, email, profile)
  5. Select Web application as the application type
  6. Add an Authorized redirect URI:
    https://<SELF_HOSTED_KUBESENSE_DOMAIN>/login
    Replace <SELF_HOSTED_KUBESENSE_DOMAIN> with your actual KubeSense domain, so that the full URI reads, for example, https://kubesense.example.com/login
  7. Click Create
  8. Note the Client ID. You'll need it for the KubeSense configuration

note: You can add multiple redirect URIs for different environments (development, staging, production) by clicking Add URI.

Step 2: Configure KubeSense for Google Authentication

Once you have obtained the Google Client ID and Client Secret, update your KubeSense values file:

  1. Locate your KubeSense values file (typically values.yaml or your Helm values file)
  2. Find or create the webapp: section
  3. Add the Google authentication configuration:
webapp:
  google_auth:
    enabled: true
    client_id: <GOOGLE_CLIENT_ID>

Replace:

  • <GOOGLE_CLIENT_ID> with the Client ID from Google Cloud Console

Example Configuration

webapp:
  google_auth:
    enabled: true
    client_id: 123456789-abcdefghijklmnop.apps.googleusercontent.com

  4. Apply the configuration:
    • If using Helm: helm upgrade kubesense <chart> -f values.yaml
    • If using other deployment methods, follow your standard deployment process

note: Ensure that the redirect URI configured in Google Cloud Console exactly matches your KubeSense domain with the /login path. Any mismatch will cause authentication to fail.

For production deployments, ensure your OAuth consent screen is properly configured:

  1. Navigate to APIs & Services → OAuth consent screen in Google Cloud Console
  2. Verify the following:
    • Application name: Your KubeSense application name
    • User support email: Your support email address
    • Authorized domains: Add your organization domain
    • Scopes: Ensure openid, email, and profile are included
  3. For Internal apps: Only users in your Google Workspace can access
  4. For External apps: You may need to verify your app and add test users during development

Verifying Integration

After configuring Google Workspace integration:

  1. Test SSO Flow:

    • Navigate to your KubeSense URL
    • Click on the sign-in button
    • You should be redirected to the Google sign-in page
    • After successful authentication, you should be redirected back to KubeSense
  2. Check User Profile:

    • Verify that your user profile and email are correctly displayed in KubeSense
    • Confirm that you have appropriate access permissions
  3. Test Logout:

    • Click logout from KubeSense
    • Verify that the session is terminated properly
    • Confirm that you're redirected to the login page

Best Practices

Security

  • Use HTTPS: Always use HTTPS endpoints for redirect URIs in production
  • Limit redirect URIs: Only register the exact URIs you need
  • Regular audits: Periodically review OAuth credentials and permissions

Compliance

  • Audit logs: Enable Google Workspace audit logs for compliance
  • Data retention: Configure log retention policies according to requirements

Troubleshooting

Issue: Redirect URI mismatch

Symptoms: "redirect_uri_mismatch" error during authentication

Solution:

  • Verify that the redirect URI in Google Cloud Console exactly matches https://<YOUR_KUBESENSE_DOMAIN>/login
  • Check for trailing slashes, HTTP vs HTTPS, and case sensitivity
  • Ensure there are no extra spaces or characters
  • Verify the domain matches your actual KubeSense deployment URL
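
A local pre-check for the points listed above, as an added example that is not part of the KubeSense documentation: it compares a registered redirect URI with https://<domain>/login and names each difference. The function names and sample values are illustrative, and it assumes the exact-match comparison this page describes.

```python
from urllib.parse import urlsplit

def expected_redirect_uri(kubesense_url: str) -> str:
    """Build the URI this page prescribes: https://<domain>/login."""
    url = kubesense_url.strip()
    if "://" not in url:              # bare domain given; assume https
        url = "https://" + url
    return f"https://{urlsplit(url).netloc.lower()}/login"

def diagnose_redirect_uri(registered: str, kubesense_url: str) -> list[str]:
    """List every way `registered` differs from the expected URI ([] = match)."""
    findings = []
    if registered != registered.strip():
        findings.append("leading or trailing whitespace")
    reg = urlsplit(registered.strip())
    exp = urlsplit(expected_redirect_uri(kubesense_url))
    if reg.scheme != "https":
        findings.append(f"scheme is {reg.scheme or 'missing'}, expected https")
    if reg.netloc != exp.netloc:
        if reg.netloc.lower() == exp.netloc:
            findings.append("host differs only by letter case")
        else:
            findings.append(f"host {reg.netloc!r} is not {exp.netloc!r}")
    if reg.path != exp.path:
        if reg.path.rstrip("/") == exp.path:
            findings.append("trailing slash after /login")
        elif reg.path.lower() == exp.path:
            findings.append("path differs only by letter case")
        else:
            findings.append(f"path {reg.path!r} is not '/login'")
    if reg.query or reg.fragment:
        findings.append("query string or fragment present")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLES = [
    "https://kubesense.example.com/login",
    "http://kubesense.example.com/login/ ",
    "https://KubeSense.example.com/Login",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        problems = diagnose_redirect_uri(uri, "https://kubesense.example.com")
        print(repr(uri), "->", problems or "OK")
```

Run it against the URI copied from the Google Cloud Console credentials page before redeploying; an empty list means the value matches what this page expects.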

Issue: Invalid client credentials

Symptoms: "invalid_client" error during authentication

Solution:

  • Verify that the Client ID in your KubeSense values file is correct
  • Check for any typos or extra spaces in the configuration
  • Ensure the credentials are from the correct Google Cloud project
  • Verify that the OAuth client is enabled in Google Cloud Console

Issue: Access blocked

Symptoms: "access_denied" or "Access blocked" error

Solution:

  • Check OAuth consent screen configuration
  • Verify that your Google account has access to the application
  • Check if your organization has restrictions on third-party app access

Issue: Cannot sign in with organization account

Symptoms: Authentication fails or "incompatible account type" error

Solution:

  • Verify the OAuth consent screen is set to "Internal" for Google Workspace-only access
  • Ensure users have accounts in the correct Google Workspace organization
  • Check if multi-factor authentication (MFA) is required
  • Verify that the user's email domain matches the authorized domains

Additional Configuration Options

Restrict Access by Domain

To restrict access to specific email domains:

  1. In Google Cloud Console, go to OAuth consent screen
  2. Under Authorized domains, add your organization's domain
  3. Configure domain restrictions in your Google Workspace admin console if needed

Configure Token Lifecycle

For enhanced security, consider configuring token expiration:

  1. Navigate to APIs & Services → Credentials in Google Cloud Console
  2. Configure OAuth 2.0 client settings
  3. Set appropriate token expiration times based on your security policies

Conclusion

Google Workspace integration provides enterprise-grade authentication for KubeSense, enabling your organization to use existing Google credentials for secure access. By properly configuring the OAuth 2.0 credentials, redirect URIs, and KubeSense values, you can provide a seamless authentication experience while maintaining security and compliance standards.