Configure Google Apps SSO for Tanzu CloudHealth

Configure Tanzu CloudHealth to allow your Google Apps users to log in using their Google Apps account

If your company uses Google Apps, you can configure Tanzu CloudHealth to allow your Google Apps users to log in using their Google Apps account. Tanzu CloudHealth connects to Google Apps via the OAuth protocol. For more information, refer to Using OAuth 2.0 to Access Google APIs.

Tanzu CloudHealth does not support mixed-mode authentication. Once you configure SSO through Google Apps in the Tanzu CloudHealth platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth platform.

Step 1: Configure Google Apps Domain

Enable Admin API access for your domain and create Google Groups for each Tanzu CloudHealth role.

  1. Log in to the Google Apps admin control panel (cPanel) using an account that has super admin privileges. The cPanel for your domain can be accessed via https://admin.google.com
  2. Navigate to the Security page and click API Reference.
  3. Within the API Access section, enable Admin APIs by selecting the checkbox for Enable API access.
  4. Navigate to the Groups page. Add a group for each of the default Tanzu CloudHealth roles (Administrator, Power User, Standard).

    Note

    The group names are case-sensitive and must match those listed here.

    • cloudhealth-administrator
    • cloudhealth-power
    • cloudhealth-standard

    Once these groups have been created, you can dynamically add and remove users from Tanzu CloudHealth roles by adding or removing them from these groups.

Note

A user should only be a member of one Tanzu CloudHealth group. Users that do not belong to a group cannot access the Tanzu CloudHealth platform. Group membership changes take up to 24 hours to propagate through Google Apps.

Step 2: Create Google Groups for each Custom Tanzu CloudHealth Role 

Within Tanzu CloudHealth, custom roles can be defined. Each custom role within Tanzu CloudHealth is assigned an IDP name. The IDP Name is used when creating groups that map to roles in your identity provider. For more information on custom roles, see Creating Custom Role.

  1. Log in to the Google Apps admin control panel (cPanel) using an account that has super admin privileges. The cPanel for your domain can be accessed via https://admin.google.com
  2. Navigate to the Groups page.
  3. Add a group for each of the custom Tanzu CloudHealth roles that you have defined. Please note that the name of the Google Group needs to be of the format cloudhealth-<IDP NAME>.
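
The group rules from Steps 1 and 2 (exact-case default names, the cloudhealth-<IDP NAME> format, and one Tanzu CloudHealth group per user) can be checked before rollout. The script below is an added example, not Tanzu CloudHealth or Google code. It assumes a group-to-members mapping exported by your own tooling, that custom group names are matched exactly like the default ones, and a hypothetical custom IDP name "finops"; all sample data is constructed.

```python
# Added example: audit a Google Groups membership export against the page's rules.
# Input shape (group name -> member emails) and all sample data are constructed.
from collections import defaultdict

DEFAULT_GROUPS = {"cloudhealth-administrator", "cloudhealth-power", "cloudhealth-standard"}
PREFIX = "cloudhealth-"


def audit_groups(groups, custom_idp_names=(), all_users=()):
    """Return findings for group naming and per-user role-group membership."""
    expected = DEFAULT_GROUPS | {PREFIX + n for n in custom_idp_names}
    by_lower = {g.lower(): g for g in expected}
    findings = {"miscased": [], "unknown": []}
    memberships = defaultdict(set)

    for name, members in groups.items():
        if not name.lower().startswith(PREFIX):
            continue  # not a Tanzu CloudHealth role group
        if name in expected:
            for member in members:
                memberships[member.lower()].add(name)
        elif name.lower() in by_lower:
            # Names are case-sensitive, so this group does not match the required name.
            findings["miscased"].append((name, by_lower[name.lower()]))
        else:
            findings["unknown"].append(name)  # prefix matches, but no such role

    findings["missing"] = sorted(expected - set(groups))
    # A user should belong to exactly one role group.
    findings["multi"] = {u: sorted(g) for u, g in memberships.items() if len(g) > 1}
    # Users in no role group cannot access the platform.
    findings["no_access"] = sorted(u.lower() for u in all_users if u.lower() not in memberships)
    return findings


# Constructed sample export.
SAMPLE = {
    "cloudhealth-administrator": ["ana@company.com"],
    "CloudHealth-Power": ["bo@company.com"],  # wrong case
    "cloudhealth-standard": ["ana@company.com", "cy@company.com"],
    "cloudhealth-finops": ["dee@company.com"],  # custom role, hypothetical IDP name
    "engineering": ["ana@company.com"],
}
USERS = ["ana@company.com", "bo@company.com", "cy@company.com", "dee@company.com"]

if __name__ == "__main__":
    for key, value in audit_groups(SAMPLE, ["finops"], USERS).items():
        print(key, value)
```

Because membership changes take up to 24 hours to propagate, run the audit against the export before relying on a change having taken effect.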

Step 3: Configure Google Apps SSO in Tanzu CloudHealth Platform

  1. In the Tanzu CloudHealth platform, select Setup > Admin > SSO Configuration.
  2. From the SSO Provider dropdown, select Google Apps and provide the following information:

    • Domains for SSO: Enter domain names in company.com format.
    • Default Organization: From the dropdown, select the organization to which all new users should be assigned.
  3. Click Update SSO Configuration. Click the link in the message to grant Tanzu CloudHealth access to your company directory.

Step 4: Configure Session Length for Users (Optional)

You can configure the session length for your users in the Tanzu CloudHealth platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.

  1. In the Tanzu CloudHealth platform, select Setup > Admin > Settings.
  2. On the Edit Customer tab, go to the Settings pane.
  3. Select a session length.
  4. Click Update Company Profile.