Identity Provider Integration Guide

Create a Google Cloud Project and Configure OAuth

Go to the Google Cloud Console.

• If you haven't already, create or select a project.

• Navigate to APIs & Services → OAuth consent screen.

  • Choose Internal (for Workspace users only).

  • Fill in application name, support email, and developer contact info.

• Save and continue.

Create OAuth2 Credentials

• Go to APIs & Services → Credentials → Create Credentials → OAuth client ID.

• Choose Web application.

• Add https://api.{NM_BASE_DOMAIN}/api/oauth/callback as an Authorized redirect URI.

• Save and copy Client ID and Client Secret.

Configure API Permissions

• Navigate to Google Cloud Console → APIs and services → Enabled APIs and services → Enable APIs and services.

• Search "Admin SDK API" and click Enable.

• Navigate to APIs and services → Credentials → Create credentials → Service account.

• Configure the service account details:

  • Name: Give the service account a meaningful name.

  • ID: Choose a unique ID for the service account.

  • Description: Provide a brief description outlining its purpose.

Set Permissions:

• Role: Assign the Service Account Token Creator role to this account.

This permission enables the service account to generate short-lived access tokens on behalf of other service accounts.

• Copy the service account email address.

• Create a service account key.

Steps to update the policy (if needed):

1. Switch to your Organization using the top-left dropdown in the Google Cloud Console.

2. Go to IAM & Admin → IAM and assign yourself the role mentioned above.

3. Disable the constraints/iam.disableServiceAccountKeyCreation constraint in the Organization Policies

Delegate Domain-wide Access

• Navigate to Admin Console → Security → Access and data control → API controls → Domain-wide delegate → Manage Domain-Wide Delegation.

• Add new and configure the Service Account client ID and the following scopes:

Grant Scopes in Admin Console

• Navigate to Admin Console → Account → Admin roles.

• Click Create new role.

• Configure role name and enable the following API privileges:

  • Groups → Read

  • Users → Read

• Once the role is created, click Assign Admin → Assign service accounts, and enter the email address of the service account we created.

Configure Netmaker

1. Navigate to the Netmaker Dashboard → Settings → Security & Authentication.

2. Click Integrate under Google Workspace.

3. Configure the OAuth Client ID and Client secret.

4. Enter the email of a Workspace admin for user/group access.

5. Upload the Service Account JSON file.

6. Optionally, configure synchronization. (By default, synchronization is enabled.)

7. Optionally, configure prefixes for users and groups to be synced from IdP. (By default, all users and groups are synced.)

8. Click Finish.

Create and Configure Microsoft Entra ID Application

• Log in to the Azure Portal.

• Select Microsoft Entra ID from the list of services.

• Click on + Add.

• Select App registration and fill in the form:

  • Name: Netmaker

  • Supported Account Types: Accounts in this organizational directory only (Default Directory only - Single tenant)

  • Platform: Web Application

  • Authorized redirect URI: https://api.{NM_BASE_DOMAIN}/api/oauth/callback

  Example: https://api.nm.167-172-115-84.nip.io/api/oauth/callback

• Click Register to create the application.

Grant API Permissions

• In your registered app, navigate to API permissions in the left-hand menu.

• Click + Add a permission:

  • Choose Microsoft Graph.

  • Select the Application permissions tab.

• Under Select permissions, add:

  • User.Read.All

  • Group.Read.All

• Click Add permissions.

• Grant admin consent by clicking Grant admin consent for Default Directory, then confirm by clicking Yes.

Generate a Client Secret

• Go to Certificates & secrets in the left-hand menu.

• Click + New client secret.

• Add a description (e.g., Netmaker) and click Add.

• Copy the Client Secret Value immediately — you’ll need this for Netmaker configuration.

Retrieve Application (Client) ID and Directory (Tenant) ID

• In the left-hand menu, select Overview.

• Copy the following values:

  • Application (Client) ID

  • Directory (Tenant) ID

Configure Synchronization Settings (Optional)

• Synchronization Interval: 24 hours (default)

• Groups to Synchronize:

  • By default, all groups are synchronized. To filter by prefix, specify the prefix (case-sensitive).

• Users to Synchronize:

  • By default, all users are synchronized. To filter by prefix, specify the prefix (case-sensitive)

Create and Configure Okta Application

• Log in to the Okta Admin Console.

• Navigate to Applications → Applications, then click Create App Integration.

• In the Create App Integration dialog:

  • Sign-in method: Select OIDC - OpenID Connect

  • Application type: Choose Web Application

• Fill in the application details:

  • App integration name: Netmaker

  • Sign-in redirect URIs: https://api.{NM_BASE_DOMAIN}/api/oauth/callback

• Click Save

Collect Application Credentials

• After saving, go to the app’s General tab and locate Client Credentials.

• Copy the following values:

  • Client ID

  • Client Secret

• Navigate to the Sign On tab:

  • Scroll to OpenID Connect ID Token

  • Click Edit

  • Change Issuer from Dynamic to Okta URL

  • Click Save

• Copy the Okta URL — this will serve as the Issuer URL in the Netmaker configuration.

Generate an API Token (Optional – For Sync)

• In the Okta Admin Console, go to Security → API → Tokens.

• Click Create token and fill out the form:

  • Name: Netmaker

  • API call origin: Select a suitable value based on your organization's policy. If unsure, choose Any IP.

• Click Create token

• Copy the token value immediately — this will be used for synchronization.

Register an OAuth Application in GitHub

• Go to GitHub Developer Settings.

• Under OAuth Apps, click New OAuth App.

• Fill in the form with the following values:

• Click Register Application.

Enter Client Credentials

• After registering the app, you will receive a Client ID and a Client Secret.

• In the Netmaker dashboard: Go to Settings → Security & Authentication.

• Choose GitHub as the provider, and enter the Client ID and Client Secret obtained from GitHub.

Register an OAuth Application in Your OIDC Provider

• Navigate to your OIDC provider’s application settings page.

• Find and select the option to add/register a new OAuth (OIDC) application.

• Fill in the application form with the following details:

• Complete the registration to generate the required credentials.

Enter Client Credentials

• Once your OIDC application is registered, make sure to note the following values:

  • Client ID

  • Client Secret

  • OIDC Issuer URL (e.g., https://corp.okta.com/oauth2/default)

• In the Netmaker dashboard: Go to Settings → Security & Authentication.

• Select OIDC as the provider.

• Enter the Client ID, Client Secret, and OIDC Issuer URL from your OIDC application.

Reference for OIDC: https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/openid_connect