Google via Keycloak
Overview
This guide describes how to configure Google as an SSO identity provider in Keycloak for your SUSE Cloud Observability tenant.
The authentication flow is:
User -> Keycloak (identity broker) -> Google
Keycloak delegates authentication to Google and maps users to Keycloak roles. SUSE Cloud Observability then receives those roles from Keycloak through its standard integration.
Prerequisites
- A SUSE Cloud Observability tenant with Advanced Keycloak management mode enabled — see User Management.
- A Google Cloud project with access to the Google Cloud Console.
- The Keycloak realm name and base URL (for example, https://keycloak.acme.com and realm acme).
Step 1: Create OAuth credentials in Google Cloud Console
- Go to the Google Cloud Console Credentials page.
- Click Create credentials > OAuth client ID.
- Select Web application as the application type.
- Set a name, for example Keycloak SSO.
- Under Authorized redirect URIs, add the Keycloak broker endpoint URL. You can find this URL in the Keycloak Admin Console by navigating to Identity Providers > Add provider > Google — the Redirect URI is shown at the top of the configuration page. It follows the pattern:
  https://<keycloak-host>/realms/<realm>/broker/google/endpoint
- Click Create.
- Note the Client ID and Client secret.
If you haven’t configured a consent screen for this project, Google will prompt you to do so. Configure the consent screen with at least the email, profile, and openid scopes.
For more details, see the Google documentation on creating OAuth credentials.
Step 2: Configure the identity provider in Keycloak
Keycloak includes a built-in Google identity provider that simplifies configuration.
- Sign in to the Keycloak Admin Console and select your realm.
- Navigate to Identity Providers > Add provider > Google.
- Configure the following settings:

  Setting          Value
  Client ID        The Client ID from Step 1.
  Client Secret    The Client secret from Step 1.
  Default Scopes   openid email profile

- Click Save.
- After saving, additional settings become available. Expand Advanced settings (or scroll down) and set Trust Email to On — this tells Keycloak to trust the email address provided by Google without requiring verification.
- Click Save again.
- Verify the provider appears on the Keycloak login page by opening your realm’s login URL in a browser.
For more details, see the Keycloak documentation on Google as an identity provider.
Step 3: Configure role mapping
Google doesn’t provide group claims in its standard OAuth tokens. There are several options for assigning Keycloak roles to Google-authenticated users:
Option A: Hardcoded role (simplest)
Assign a default Keycloak role to all users who authenticate through Google:
- Navigate to Identity Providers > google > Mappers > Add mapper.
- Set Mapper type to Hardcoded Role.
- Select the Keycloak role to assign to all Google users.
- Click Save.
This approach is suitable when all Google users should have the same level of access.
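Both Step 2 (creating the Google identity provider) and Option A (the Hardcoded Role mapper) can also be scripted against the Keycloak Admin REST API instead of clicked through the Admin Console. The script below is an added example and is not part of this guide, of Keycloak, or of SUSE Cloud Observability. It assumes an admin bearer token is already available in the environment (obtained separately, for example from a dedicated administrative account), that the standard Keycloak Admin API paths and payload fields apply (`identity-provider/instances`, `identityProviderMapper: "oidc-hardcoded-role-idp-mapper"`, config key `defaultScope`), and that a realm role named by `DEFAULT_ROLE` already exists; the environment variable names are this example's own choice.

```python
"""Create the Google identity provider and a hardcoded-role mapper in a
Keycloak realm via the Admin REST API.

Added example, not code from the guide or from Keycloak/SUSE. Assumes an
admin bearer token in KEYCLOAK_ADMIN_TOKEN and standard Admin API paths.
"""
import json
import os
import urllib.error
import urllib.request


def broker_redirect_uri(base_url: str, realm: str) -> str:
    """Redirect URI to register in the Google Cloud Console (Step 1)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/google/endpoint"


def google_idp_representation(client_id: str, client_secret: str,
                              trust_email: bool = True) -> dict:
    """Payload for the built-in Google provider (Step 2), alias 'google'."""
    return {
        "alias": "google",
        "providerId": "google",
        "enabled": True,
        # Trust Email = On: accept the email Google returns without a
        # separate Keycloak verification step.
        "trustEmail": trust_email,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": "openid email profile",
        },
    }


def hardcoded_role_mapper(role: str, name: str = "google-default-role") -> dict:
    """Payload for Option A: every Google-authenticated user receives `role`."""
    return {
        "name": name,
        "identityProviderAlias": "google",
        "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
        "config": {"role": role, "syncMode": "INHERIT"},
    }


def admin_post(base_url: str, realm: str, token: str, path: str, body: dict) -> int:
    """POST a JSON body to /admin/realms/<realm>/<path>; return the HTTP status."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}/{path}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status  # Keycloak answers 201 Created on success
    except urllib.error.HTTPError as exc:
        return exc.code        # 409 means the provider/mapper already exists


def main() -> None:
    base_url = os.environ["KEYCLOAK_URL"]        # e.g. https://keycloak.acme.com
    realm = os.environ["KEYCLOAK_REALM"]         # e.g. acme
    token = os.environ["KEYCLOAK_ADMIN_TOKEN"]   # admin bearer token, obtained separately
    client_id = os.environ["GOOGLE_CLIENT_ID"]   # from Step 1
    client_secret = os.environ["GOOGLE_CLIENT_SECRET"]
    role = os.environ.get("DEFAULT_ROLE", "viewer")  # hypothetical existing realm role

    print("Redirect URI to register in Google:", broker_redirect_uri(base_url, realm))
    status = admin_post(base_url, realm, token, "identity-provider/instances",
                        google_idp_representation(client_id, client_secret))
    print("create identity provider:", status)
    status = admin_post(base_url, realm, token,
                        "identity-provider/instances/google/mappers",
                        hardcoded_role_mapper(role))
    print("create hardcoded role mapper:", status)


if __name__ == "__main__":
    main()
```

Because the mapper applies to every account Google authenticates, `DEFAULT_ROLE` should be the least-privileged role the team needs; users who require more can be given additional roles individually (Option B).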
Option B: Manual group assignment in Keycloak
Assign Keycloak roles to individual users after their first login:
- After a user logs in with Google for the first time, their account is created in Keycloak.
- Navigate to Users in the Keycloak Admin Console and find the user.
- Go to the Role Mappings tab and assign the appropriate roles.
This approach is suitable for small teams where individual role assignment is manageable.
Option C: Google Workspace groups (advanced)
If you use Google Workspace, you can retrieve group memberships using the Google Admin SDK API:
- In the Google Cloud Console, enable the Admin SDK API.
- Grant the Keycloak service account domain-wide delegation to read group memberships.
- In Keycloak, configure a custom identity provider mapper to retrieve and map Google Workspace groups.
This approach requires additional configuration in both Google Workspace and Keycloak. See the Keycloak documentation for details on configuring Google Workspace group mappings.
Step 4: Verify the role mapping chain
The complete mapping chain is:
Google user -> Keycloak role -> SUSE Cloud Observability role
- Google users to Keycloak roles — Configured in Step 3 using one of the options above.
- Keycloak roles to SUSE Cloud Observability roles — Roles map through the predefined Keycloak groups (stackstate-k8s-troubleshooter, stackstate-k8s-admin). No additional SUSE Cloud Observability configuration is needed — the platform automatically maps Keycloak roles associated with these groups to the corresponding SUSE Cloud Observability roles.
To verify the full chain:
- Log in to SUSE Cloud Observability using a test user with a Google account.
- Confirm that the user is assigned the expected SUSE Cloud Observability role.
- If the user doesn’t have the correct role, check the Keycloak user’s role assignments and group memberships.
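The last check above (inspect the Keycloak user's role assignments and group memberships) can be done from the Keycloak side with the Admin REST API, which is quicker than clicking through the Admin Console for each test user. The script below is an added example, not part of this guide or of Keycloak/SUSE. It assumes an admin bearer token in `KEYCLOAK_ADMIN_TOKEN` and the standard Admin API user endpoints (`users?email=…&exact=true`, `users/<id>/federated-identity`, `users/<id>/groups`, `users/<id>/role-mappings/realm`); the `diagnose` function is pure, so it is also shown running on constructed API responses.

```python
"""Check one user's Google link, stackstate-k8s-* group membership and realm
roles in Keycloak, to localise a broken Google -> Keycloak -> SUSE Cloud
Observability mapping chain.

Added example, not code from the guide or from Keycloak/SUSE. Assumes an
admin bearer token in KEYCLOAK_ADMIN_TOKEN and standard Admin API paths.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# The predefined Keycloak groups named in Step 4.
OBSERVABILITY_GROUPS = ("stackstate-k8s-admin", "stackstate-k8s-troubleshooter")


def admin_get(base_url: str, realm: str, token: str, path: str):
    """GET /admin/realms/<realm>/<path> and decode the JSON body."""
    url = f"{base_url.rstrip('/')}/admin/realms/{realm}/{path}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def diagnose(user: dict, federated_identities: list, groups: list, realm_roles: list) -> dict:
    """Pure check over Admin API responses for one user; returns findings."""
    linked = any(f.get("identityProvider") == "google" for f in federated_identities)
    matched = sorted(g["name"] for g in groups if g.get("name") in OBSERVABILITY_GROUPS)
    findings = {
        "username": user.get("username"),
        "linked_to_google": linked,
        # With Trust Email = On (Step 2) this is expected to be true after login.
        "email_verified": bool(user.get("emailVerified")),
        "observability_groups": matched,
        "realm_roles": sorted(r["name"] for r in realm_roles),
        "problems": [],
    }
    if not linked:
        findings["problems"].append("no federated identity from the 'google' provider")
    if not matched:
        findings["problems"].append("user is in none of the predefined stackstate-k8s-* groups")
    return findings


def diagnose_by_email(base_url: str, realm: str, token: str, email: str) -> dict:
    """Fetch the user and its mappings from Keycloak, then run diagnose()."""
    query = urllib.parse.urlencode({"email": email, "exact": "true"})
    users = admin_get(base_url, realm, token, f"users?{query}")
    if not users:
        return {"username": None, "problems": [f"no Keycloak user with email {email}"]}
    uid = users[0]["id"]
    return diagnose(
        users[0],
        admin_get(base_url, realm, token, f"users/{uid}/federated-identity"),
        admin_get(base_url, realm, token, f"users/{uid}/groups"),
        admin_get(base_url, realm, token, f"users/{uid}/role-mappings/realm"),
    )


def main() -> None:
    base_url = os.environ["KEYCLOAK_URL"]        # e.g. https://keycloak.acme.com
    realm = os.environ["KEYCLOAK_REALM"]         # e.g. acme
    token = os.environ["KEYCLOAK_ADMIN_TOKEN"]   # admin bearer token, obtained separately
    email = sys.argv[1] if len(sys.argv) > 1 else "test.user@example.com"  # constructed default
    findings = diagnose_by_email(base_url, realm, token, email)
    print(json.dumps(findings, indent=2))
    sys.exit(1 if findings["problems"] else 0)


if __name__ == "__main__":
    main()
```

An empty `problems` list means the Keycloak side of the chain is in place; if the user still lacks the expected role in SUSE Cloud Observability, the remaining suspects are the roles associated with the matched group rather than the Google link itself.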