# Enable SSO and Granular Access Control For A Header-Based Web App with G Suite

# Preview

In this tutorial, we will use the DAB to enable SSO and granular access control for a header-based web App. The IdP we will use is G Suite. We will use DAB's side deployment mode, which means DAB and this app are running on the same server.

  • The application will run on localhost:3001.
  • The DAB will run on localhost:9772, which means the traffic to the app will reach DAB (running on port 9772) first and then be proxied to the application (running on port 3001).
  • We will provide the docker images for the DAB and this header-based application.

# Part I: G Suite Configuration

You will need to register a credential in Google API Console and get the following 2 values for this credential:

  • Client ID
  • Client Secret

These values will later be used to set up Datawiza Access Broker in Datawiza Cloud Management Console. Please follow IdP Configuration Guide: Goole instructions on how to get those keys/values and IdP Configuration Guide: Gsuite instructions on how to configure group, user and role.

# Part II: Create Application on Datawiza Cloud Management Console (DCMC)

You need to create an application and generate a keypair of (PROVISIONING_KEY, PROVISIONING_SECRET) for this app on the DCMC.

Please follow Step2 : Datawiza Cloud Management Console to configure.

# Part III: Run DAB With a Header-Based Application

You can use either Docker or Kubernetes to run DAB. The following is an example docker-compose.yml file. You may need to login to our container registry to download the images of DAB and the header-based app. See Step3 : Configure DAB and SSO Integration for more details or Deploy DAB with Kubernetes for Kubernetes-specific instructions.

version: '3'

services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: #############################
      PROVISIONING_SECRET: #############################

  header-based-app:
    image: registry.gitlab.com/datawiza/header-based-app
    container_name: ab-demo-header-app
    restart: always
    ports:
      - "3001:3001"

After executing docker-compose -f docker-compose.yml up, the header-based app should have SSO enabled with G Suite. Open a browser and type in http://localhost:9772/. You should see the G Suite login page as follows. DAB with G Suite

# Part IV: Pass User Attributes to the Header-Based App

The DAB gets user attributes from the IdP and can pass the user attributes to the application via header or cookie.

Please follow the instructions of Step4 : Pass User Attributes to pass the user attributes to the header-based app.

After successfully configuring the user attributes, you should see the green check sign for each of the user attributes as follows. G Suite with DCMC attributes

# Part V: Achieve Granular Access Control

You can configure access control to an application based on user's attributes (e.g., given name, family name) and other metadata of a request (e.g., URL, IP, http method, access time).

Please reference Step5 : Achieve Granular Access Control for detailed instructions on how to set up access rules.

# A Rule Example

  1. Create a user in G Suite, put the user in hr group.
  2. Create the following two rules:
  • hr path can only be accessed by hr group.
  • sales path can only be accessed by sales group.
  1. Verify that the user you created can only access hr page in the header-based app, but cannot access sales page. Trying to access the header-based application on localhost:9772 in your browser, you should get something similar to the following screenshots. http://localhost:9772/hr: G Suite Example http://localhost:9772/sales: G Suite Example Access Forbidden