Identity Provider Integration Guide

IdP Integration – Technical implementation guide

Identity Provider Integration GuidesCopied!

All necessary configuration steps for each supported identity provider (Google, GitHub, OIDC, etc.) are provided in detail within each integration modal available under Settings → Security & Authentication. The setup process is simple and straightforward to follow.

Integrating Google WorkspaceCopied!

Prerequisites

Ensure you have a Google account with the following permissions:

Create or manage projects
Manage OAuth Credentials and Consent screen

If you do not have these permissions, please contact your Google Workspace administrator.

Step 1: Create a Google Cloud Project and Configure OAuth

Go to the Google Cloud Console.
If you haven't already, create or select a project.
Navigate to APIs & Services → OAuth consent screen.

a. Choose Internal (for Workspace users only).

b. Fill in application name, support email, and developer contact info.
Save and continue.

Step 2: Create OAuth2 Credentials

Go to APIs & Services → Credentials → Create Credentials → OAuth client ID.
Choose Web application.
Add https://api.{NM_BASE_DOMAIN}/api/oauth/callback as an Authorized redirect URI.
Save and copy Client ID and Client Secret.

Step 3: Configure API Permissions

Navigate to Google Cloud Console → APIs and services → Enabled APIs and services → Enable APIs and services.
Search "Admin SDK API" and click Enable.
Navigate to APIs and services → Credentials → Create credentials → Service account.
Configure the service account name and ID.
Copy the service account email address.
Create a service account key.

⚠️ Note:

Make sure the constraints/iam.disableServiceAccountKeyCreation policy is not enforced, as it's required for Netmaker to create Service Account keys.

If you have already created a Service Account, this constraint is likely already unenforced by default. However, it is recommended to verify the setting to avoid potential issues.

To adjust this policy, you need the following role:

roles/orgpolicy.policyAdmin

Note: This role can only be assigned at the organization level.

Steps to update the policy:

Switch to your Organization using the top-left dropdown in the Google Cloud Console.
Go to IAM & Admin → IAM and assign yourself the role mentioned above.
Disable the constraints/iam.disableServiceAccountKeyCreation constraint in the Organization Policies

If you do not have the required permissions, please contact your GCP Organization Administrator.

7. Assign Service Account Token Creator and Service Account User roles to the admin user and to self.

Step 4: Delegate Domain-wide Access

Navigate to Admin Console → Security → Access and data control → API controls → Domain-wide delegate → Manage Domain-Wide Delegation.
Add new and configure the Service Account client ID and following scopes:

a. https://www.googleapis.com/auth/admin.directory.group.readonly

b. https://www.googleapis.com/auth/admin.directory.group.member.readonly

c. https://www.googleapis.com/auth/admin.directory.user.readonly

Step 5: Grant Scopes in Admin Console

Navigate to Admin Console → Account → Admin roles.
Click Create new role.
Configure role name and enable the following API privileges.
1. Groups → Read.
2. Users → Read.
Once the role is created, click on Assign Admin → Assign service accounts, and enter the email address of the service account we created.

Step 6: Configure Netmaker

Navigate to the Netmaker Dashboard → Settings → Security & Authentication.
Click Integrate under Google Workspace.
Configure the OAuth Client ID and Client secret.
Configure the Google Admin email address.
Upload the Service Account JSON file.
Optionally, configure synchronization. (By default, synchronization is enabled.)
Optionally, configure prefixes for users and groups to be synced from IdP. (By default, all users and groups are synced.)
Click Finish.

Integrating Microsoft Entra ID (Azure AD)Copied!

Prerequisites

Ensure you have an Azure account with the following permissions:

Create Microsoft Entra ID apps
Manage Microsoft Entra ID apps

If you do not have these permissions, please contact your Azure administrator.

Step 1: Create and Configure Microsoft Entra ID Application

Log in to the Azure Portal.
Select Microsoft Entra ID from the list of services.
Click on + Add
Select App registration and fill in the form:

a. Name: Netmaker

b. Supported Account Types:
Accounts in this organizational directory only (Default Directory only - Single tenant)

c. Redirect URI:

d. Platform: Single-page application (SPA)

e. URI: [Enter your Netmaker callback URL]
Click Register to create the application.

Step 2: Grant API Permissions

In your registered app, navigate to API permissions in the left-hand menu.
Click + Add a permission:

a. Choose Microsoft Graph.

b. Select the Application permissions tab.
Under Select permissions, add:

a. User.Read.All

b. Group.Read.All
Click Add permissions.
Grant admin consent by clicking Grant admin consent for Default Directory, then confirm by clicking Yes.

Step 3: Generate a Client Secret

Go to Certificates & secrets in the left-hand menu.
Click + New client secret.
Add a description (e.g., Netmaker) and click Add.
Copy the Client Secret Value immediately — you’ll need this for Netmaker configuration.

Step 4: Retrieve Application (Client) ID and Directory (Tenant) ID

In the left-hand menu, select Overview.
Copy the following values:

a. Application (Client) ID

b. Directory (Tenant) ID

Step 5: Configure Synchronization Settings (Optional)

Synchronization Interval: 24 hours (default)
Groups to Synchronize:
By default, all groups are synchronized. To filter by prefix, specify the prefix (case-sensitive).
Users to Synchronize:
By default, all users are synchronized. To filter by prefix, specify the prefix (case-sensitive)

Integrating GitHubCopied!

Prerequisites

Ensure you have a GitHub account with the following permission:

Ability to register an OAuth application

Step 1: Register an OAuth Application in GitHub

Go to GitHub Developer Settings.
Under OAuth Apps, click New OAuth App.
Fill in the form with the following values:

Field	Value
Application Name	Netmaker
Homepage URL	`[Enter your Netmaker callback URL]` `e.g: https://dashboard.netmaker.io`
Application Description	Authorization for Netmaker
Authorization Callback URL	`[Enter your Netmaker callback URL]` `e.g: https://dashboard.netmaker.io/api/oauth/callback`

4. Click Register Application.

Step 2: Enter Client Credentials

After the app is registered, you will get:

a. Client ID

b. Client Secret
In the Netmaker dashboard:

a. Go to Settings → Security & Authentication.

b. Select GitHub as the provider.

c. Enter the Client ID and Client Secret from GitHub.

Integrating Generic OpenID (OIDC) ProviderCopied!

Prerequisites

Ensure you have the necessary permissions to register an OAuth (OIDC) application with your Identity Provider (IdP).

If you lack these permissions, please contact your IdP administrator.

Step 1: Register an OAuth Application in Your OIDC Provider

Navigate to your OIDC provider’s application settings page.
Find and select the option to add/register a new OAuth (OIDC) application.
Fill in the application form with the following details:

Field	Value
Application Name	Netmaker
Application Description	Authorization for Netmaker
Homepage URL / Authorized Origin	`[Enter your Netmaker callback URL]` `e.g: https://dashboard.netmaker.io`
Authorization Callback URL	`[Enter your Netmaker callback URL]` `e.g: https://dashboard.netmaker.io/api/oauth/callback`

4. Complete the registration to generate the required credentials.

Step 2: Enter Client Credentials

After successful registration, locate the following values in your OIDC application:

a. Client ID

b. Client Secret

c. OIDC Issuer URL (e.g., https://corp.okta.com/oauth2/default)
In the Netmaker dashboard:

a. Go to Settings → Security & Authentication.