Skip to main content
Version: 3.0 (beta)

Google

  1. Create Loft Config For Google

    Loft is able to use Google’s OpenID Connect provider as an authentication source.

    To tell Loft to use Google for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

    auth:
    # Tell loft to use google authentication
    google:
    #
    #
    # REQUIRED CONFIGURATION
    #
    #
    # ClientID for the google authentication. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret for the google authentication. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/google/callback
    redirectURI: https://loft.my.domain/auth/google/callback
    #
    #
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) defaults to "profile" and "email"
    scopes: ["profile", "email"]
    # (Optional) list of whitelisted domains. If this field is nonempty,
    # only users from a listed domain will be allowed to log in
    hostedDomains: []
    # (Optional) list of whitelisted groups. If this field is nonempty,
    # only users from a listed group will be allowed to log in
    groups: []
    # (Optional) path to service account json. If nonempty,
    # and groups claim is made, will use authentication from file to
    # check groups with the admin directory api
    serviceAccountFilePath: /path/to/service/account.json
    # (Optional) Required if serviceAccountFilePath is set. The email of
    # a GSuite super user which the service account will impersonate
    # when listing groups
    adminEmail: myuser@mydomain.com
  2. Authenticate via Google

    After saving the new Loft configuration, Loft will restart itself and you should be able to log in via Google.

  3. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
    oidc: ... # This is your SSO configuration (make sure this is working!)
    password:
    disabled: true # Disable password-based authentication