getOperate supports Single Sign-On for Microsoft, Google, GitHub, GitLab, Okta, and domain restriction.
We recommend testing new settings as soon as they are saved by refreshing the login page in a private browsing tab, as an unauthenticated user.
Create Google OAuth keys
First, you need to create a Google OAuth Client:
https://<YOUR_INSTANCE>/user/login_callback/google
Superadmin Settings -> Instance Settings -> SSO -> Toggle “Google” -> set client id, org and client secret.
Redirect URI: https://<YOUR_INSTANCE>/user/login_callback/microsoft
Login: https://<YOUR_INSTANCE>/user/login
Create a new OAuth 2.0 Client in Microsoft portal.
In the “Authentication” tab, set the redirect URI to BASE_URL/user/login_callback/microsoft and the logout channel to BASE_URL/auth/logout, where BASE_URL is what you configured as core BASE_URL. Also select “Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)”. Because this option accepts accounts from any tenant as well as personal accounts, you can restrict the emails directly in getOperate using the “allowed_domains” setting.
Superadmin Settings -> Instance Settings -> SSO -> Toggle “microsoft” -> set client id, org and client secret.
From your Admin page, set up getOperate using the service flow:
Create a new app integration
For Refresh Token, select “Rotate token after every use”.
Under “LOGIN”, set the following:
https://<your getOperate's public hostname as configured in values.yaml>/user/login_callback/okta/
https://<your getOperate's public hostname as configured in values.yaml>
App Only
https://<your getOperate's public hostname as configured in values.yaml>/user/login
Superadmin Settings -> Instance Settings -> SSO -> Toggle “okta” -> set client id, org and client secret.
Redirect URI: https://<YOUR_INSTANCE>/user/login_callback/github
Login: https://<YOUR_INSTANCE>/user/login
Superadmin Settings -> Instance Settings -> SSO -> Toggle “github” -> set client id, org and client secret.
Redirect URI: https://<YOUR_INSTANCE>/user/login_callback/gitlab
Login: https://<YOUR_INSTANCE>/user/login
GitLab’s Single Sign-On integration is supported by getOperate. Detailed steps for setting up GitLab as an OAuth SSO provider will be provided in the upcoming documentation, but the entry for the oauth.json is as follows:
Superadmin Settings -> Instance Settings -> SSO -> Toggle “gitlab” -> set client id, org and client secret.
You can use other custom OAuths as resources using the “Add OAuth” button in: Superadmin Settings -> Instance Settings -> Resources -> Add OAuth.
Create a new Slack app at https://api.slack.com/apps?new_app=1
Pick “From an app manifest”, then YAML.
Your app manifest should look like this, replacing <YOUR INSTANCE URL> in 2 places:
Then from your Superadmin Settings, fill with Client ID and Client Secret.
As with any OAuth setting, make sure that there is a corresponding resource type with the same name, containing a “token” field, in the superadmin workspace. That should be the case by default with Slack.
Now users should be able to connect to Slack through OAuth:
Create GSheet OAuth keys
Create a Google OAuth account by going to https://console.developers.google.com/apis/credentials, and create a project if you do not have one.
Click “Enable APIs and Services”
Click “Create Credentials”, then click “OAuth 2.0 Client IDs” in the drop-down menu.
Enter the following:
https://<YOUR_INSTANCE>/oauth/callback/gsheets
Click Create.
Copy the Client ID and Client Secret from the “OAuth Client” modal.
Superadmin Settings -> Instance Settings -> Resources -> Add OAuth “gsheet” -> set client id and client secret
The same steps apply to enable more APIs (Gmail, Gdrive, etc.) on your Google Account to set up the resources in getOperate.
You can add a completely custom OAuth without requiring a dev setup. The item accepts an extra optional field, connect_config or login_config, of type OAuthConfig:
connect_config is used for resources, and login_config for SSO.
Once you have validated your custom item, we would be grateful if you could open a PR.
The format for adding a new OAuth provider is as follows:
Where extra_params is an escape hatch for OAuth providers that need some extra fields to be passed along to the authorization URL.
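The following is an added example, not getOperate's own code, of how provider-specific extra fields can be merged into an authorization URL without letting them override the core OAuth parameters. Only extra_params is named on this page; the field names auth_url and scopes, the provider URL and the function names are assumptions made for illustration.

```python
"""Added example: build an OAuth authorization URL from a provider entry."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameters the client must control itself; extra_params may not override them.
RESERVED = {"client_id", "redirect_uri", "response_type", "state", "scope"}

# Constructed provider entry. Only "extra_params" is named on this page;
# "auth_url" and "scopes" are assumed field names, the URL is a placeholder.
SAMPLE_PROVIDER = {
    "auth_url": "https://idp.example.test/oauth2/authorize",
    "scopes": ["openid", "email"],
    "extra_params": {"prompt": "consent", "access_type": "offline"},
}


def build_authorization_url(provider, client_id, redirect_uri, state=None):
    """Return (url, state). Raises ValueError on an unsafe provider entry."""
    auth = urlsplit(provider["auth_url"])
    if auth.scheme != "https" or not auth.netloc:
        raise ValueError("auth_url must be an absolute https URL")
    if auth.query or auth.fragment:
        raise ValueError("auth_url must not carry its own query or fragment")

    extra = provider.get("extra_params") or {}
    clash = RESERVED.intersection(k.lower() for k in extra)
    if clash:
        raise ValueError(f"extra_params may not set: {sorted(clash)}")

    # Unguessable per-login value, compared again on the callback (CSRF defence).
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(provider.get("scopes", [])),
        "state": state,
    }
    params.update(extra)  # safe: no reserved key can be present at this point
    return f"{provider['auth_url']}?{urlencode(params)}", state


def query_of(url):
    """Parse a URL's query string into a dict of single values (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

The redirect_uri passed in must be the exact callback registered with the provider, such as the /user/login_callback/... and /oauth/callback/... URLs listed above.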
You can iterate without requiring a dev setup. The item accepts an extra optional field: connect_config or login_config for SSO.