User Management

Google Identity-Aware Proxy configuration

How to configure Sophora DeskClients to acess a Sophora Server behind an Identity-Aware Proxy.

Introduction

The Google Identity-Aware proxy (IAP) protects web pages. A Sophora Server in the cloud may be protected by an IAP. To access the Sophora Server each request must pass the Identity-Aware proxy. For that a user must authenticate against Google with an authorized account. Afterwards that user may pass and is transparently forwarded to the Sophora Server.

The DeskClient can impersonate the user and provide a token that passes the IAP. To achieve this the login screen will pop up the system browser with the authorization page. The user needs to login and confirm that the DeskClient may use his identity to access the Identity-Aware Proxy. When confirming the access Google sends a token to the DeskClient which is used to access the Sophora Server.

The token will be stored and refreshed as needed. So the user needs to authorize the DeskClient only once if used frequently.

Notes for IAP configuration

When setting up Sophora to be reachable by a load balancer the IAP will automatically create credentials of type "Web application". The DeskClient needs an OAuth 2.0 Client ID of type "Desktop".

You can either keep the original Client ID to access the IAP and use an additional Desktop Client ID for the DeskClient to sign in as the user to your Google cloud project. Or you can only keep the Desktop Client ID and associate that with the IAP resource (backend of a load balancer). That has to be done via CLI because the Cloud Console does not offer this option.

Prerequisites

You need an OAuth 2.0 Client ID of type "Desktop" in the same Google Cloud project as the IAP configuration. Download the OAuth client JSON file.

DeskClient Configuration

You need to put the OAuth client JSON file (client_secret_<Client ID>.json) to a location which is readable by the DeskClient process. You can either place it next to the executable DeskClient file (Windows: deskclient.exe; Linux: deskclient.sh; MacOS: deskclient) in the installation folder with the file name "oauth_clientid.json". In this case you don't need to set the parameter oauthClientSecrets. It must be set to the full path if the file has another name, the file is placed in another folder than the DeskClient or the DeskClient is executed in another folder than its installation.
NOTE: Windows and Linux users find their executable DeskClient file usually in the DeskClient folder. MacOS users find their executable DeskClient file in the MacOS folder in the package contents of the DeskClient App (right click on DeskClient App > Show Package Contents). For further details on a smooth installation click here.

If your IAP resource is not associated with a Client ID of type "Desktop" (the default is "Web application"), then you need to set the associated Client ID via the parameter iapClientId.

Proxy for accessing the internet

If the Google servers are only reachable over a proxy it must be set in the DeskClient (since version 4.7.0). The configured proxy for accessing the Sophora Server (either as command line parameter or in the login screen) is used. But the authentication (username and password) is not used.

Last modified on 1/6/22

The content of this page is licensed under the CC BY 4.0 License. Code samples are licensed under the MIT License.

Icon