Pangolin Identity Providers
Even though I would recommend just setting up Authentik as an identity provider, I'll go over how to set up Google as well.
How Identity Providers work
First I want to discuss how identity providers work in Pangolin, because it's a little different than in other services. In Firebase, for example, a single user may enable multiple identity providers and sign in with any of them. In Pangolin, every unique user/IdP combination is a separate user. So if someone signs in with two different identity providers, they are signing in as two different users altogether: you'll see a row entry for each combination, and you can technically assign the entries different roles.
Adding Google directory to Pangolin
Sign into the Google Cloud console.
Click on your projects and click New Project.
In the menu, under APIs & Services, we need to set up both Credentials and the OAuth consent screen. Click on OAuth consent screen.
You'll need to provide an App name and a User support email.
In Credentials, hit Create Credentials -> OAuth client ID. You can call it Pangolin.
The redirect URL will be
Tip
Make sure to change 1 to the ID of the IdP. It's the first column of the table that lists your IdPs in Pangolin.
Copy the Client ID and Client Secret.
Back in Pangolin, go to the Google Identity Provider.
Paste in the Client ID and Client Secret.
Authorization URL -> https://accounts.google.com/o/oauth2/v2/auth
Token URL -> https://oauth2.googleapis.com/token
The challenge with using Google directory is provisioning. Unlike with Authentik, you can't manually create the users on the Google side first and then feel fine about using Auto Provisioning. So you would have to manually provision the users in Pangolin, but then you run into mapping issues with the response from Google.
Let me explain further. The Identifier Path in the Token Configuration defaults to sub, which is appropriate for IdPs because the IdP provides its own unique identifier (UUID) for that person. However, you don't know this value beforehand, so it's difficult to provision the user ahead of time. The Identifier Path needs to return the same value that you entered in the Username field of the Create User form in Pangolin. You CAN change the Identifier Path from sub to email, and that will work. Just know that the username must be unique, so you wouldn't be able to use the same email for other user/IdP combos.
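To make the mapping problem concrete, here is an added example (not Pangolin's code) that models how the Identifier Path picks a claim from the token response and matches it against the Username of a pre-provisioned user; the claims, the dotted-path lookup, the status strings and the UserTable class are all constructed for illustration.

```python
from typing import Any, Optional

# Constructed claims of the shape Google returns in its ID token / userinfo response.
GOOGLE_CLAIMS: dict[str, Any] = {
    "sub": "110169484474386276334",  # constructed; opaque and unknown until first login
    "email": "alice@example.com",
    "name": "Alice Example",
}

def read_identifier(claims: dict[str, Any], identifier_path: str) -> Optional[str]:
    """Follow a dotted path ("sub", "email", "profile.email") through the claims.
    Dotted paths are an assumption for illustration; the page only uses "sub" and "email"."""
    node: Any = claims
    for key in identifier_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if node is None else str(node)

class UserTable:
    """Pangolin-style user rows: the Username is unique, and a (username, IdP) pair is one user."""
    def __init__(self) -> None:
        self.rows: dict[str, dict[str, Any]] = {}

    def provision(self, username: str, idp_id: int, role: str) -> dict[str, Any]:
        # Manual provisioning ahead of the first login (the Create User form).
        if username in self.rows:
            raise ValueError(f"username {username!r} is already taken")
        self.rows[username] = {"username": username, "idp_id": idp_id, "role": role}
        return self.rows[username]

    def resolve(self, claims: dict[str, Any], idp_id: int, identifier_path: str,
                auto_provision: bool = False, default_role: str = "Member",
                ) -> tuple[str, Optional[dict[str, Any]]]:
        """Map a token response onto a user row. Returns (status, row)."""
        ident = read_identifier(claims, identifier_path)
        if ident is None:
            return "no-identifier", None  # the path does not exist in the response
        row = self.rows.get(ident)
        if row is not None:
            # The same username under another IdP is a different user, not this one.
            return ("matched", row) if row["idp_id"] == idp_id else ("conflict", None)
        if not auto_provision:
            return "unknown", None  # without Auto Provisioning the user had to exist already
        return "provisioned", self.provision(ident, idp_id, default_role)

if __name__ == "__main__":
    users = UserTable()
    users.provision("alice@example.com", idp_id=1, role="Admin")  # Google IdP has ID 1 here
    print(users.resolve(GOOGLE_CLAIMS, 1, "sub"))    # ('unknown', None): sub was not known in advance
    print(users.resolve(GOOGLE_CLAIMS, 1, "email"))  # ('matched', {... 'role': 'Admin'})
    print(users.resolve(GOOGLE_CLAIMS, 2, "email"))  # ('conflict', None): same email, other IdP
```

If you map on email, only accept it when the IdP also asserts it is verified (Google sends an email_verified claim); otherwise an unverified address could be matched to a pre-provisioned user.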
Adding Authentik as IdP
Create an IdP in Pangolin and call it Authentik. It will tell you the redirect URL that you'll need to give to Authentik.
You need to create an Application and a Provider in Authentik. You can do both from the Applications -> Applications page.
Set the name to Pangolin and slug pangolin.
The Provider type will be OAuth2/OpenID.
For Authorization flow you can select default-provider-authorization-explicit-consent.
Client type -> Confidential.
Set the Redirect URI to Strict and paste in the URL provided by Pangolin.
Copy the Client ID and Client Secret. You'll need to paste these into Pangolin's config for the IdP.
Now that you have that set up, it's easier to enable Auto Provisioning.
Select Auto Provision Users.
Now go to Organization Policies.
Click Add Organization Policy.
The role mapping can be hard-coded to an existing role, like 'Member'. Or, if you have the role as an Authentik group, you can do the following from the docs.
For the organization mappings, you should set an expression like
or use your organization ID, assuming you created an Authentik group with that name. Congrats! Users created in Authentik will now automatically be added to your Pangolin organization.
Adding Google as IdP within Authentik
Go to Directory -> Federation and Social Login. Hit Create. Click on Google OAuth Source. You can give it the name Google with google as the slug. For the user matching I say Link to a user with identical email address. The consumer key and consumer secret are going to be the client ID and client secret from Google. For scopes, enter openid email profile. And then you're done here.
Now go to Flows and Stages -> Flows. Let's edit the default-authentication-flow. Go to Stage Bindings, and click on Edit Stage for the identification stage. In the Source settings, you can select Google. Now hit Update.
Custom Identification
If you don't want to edit the default-authentication-identification then create a Stage that is a clone of default-authentication-identification. Call it wilde-authentication-identification.
Now go to Flows and Stages -> Flows. Let's duplicate default-authentication-flow. I think it's good to just take a screenshot of the Stages and create a new authentication flow; you can add all the default stages to it for now. Call it wilde-authentication-flow. Expand the default-authentication-password stage, and you need to Bind existing policy, with Failure result set to Pass. Your Flow Overview diagram should now look identical to the default-authentication-flow. Now just make sure you change the default-authentication-identification to wilde-authentication-identification, and you can now edit that stage and add Google to the source settings.
Now, we'll want our application to use this particular authentication flow. Click on Applications -> Providers, edit, then go to Advanced flow settings and select your custom flow, wilde-authentication-flow.
Let's go ahead and disable Enrollment. Open up the Google settings in Directory -> Federation and Social Login, go to Flow Settings and blank out the Enrollment flow.