With Cyral, you can authenticate database users against your single sign-on (SSO) platform. Once set up for SSO, Cyral delegates authentication to your SSO platform. When a user authenticates successfully, Cyral grants them the appropriate privileges in the data store.
Create an OAuth Client ID in your G Suite instance
Follow the steps below to use your Google G Suite instance to authenticate database users and Cyral administrators. This integration sets up your G Suite instance to recognize Cyral as an OAuth 2.0 application. For more information on OAuth and SSO:
Add a G Suite consent screen for Cyral
Cyral's integration with G Suite uses an OAuth application with authentication provided by a service that runs in the Cyral control plane.
If this is the first time an OAuth application is being set up in your G Suite domain, you must set up a Consent Screen in your G Suite with cyral.com as the authorized domain. If you've already done this, proceed to the next section, "Create an OAuth Client ID."
1. Go to the Google API Console OAuth consent screen page.
2. Set Application type to Internal.
3. Set Application name to Cyral OAuth Client.
4. Leave the Application logo blank.
5. Set Support email to the address of your authentication administrator.
6. Keep the default scopes for Google APIs (email, profile, openid).
7. In Authorized domains type cyral.com.
Now that the consent screen has been set up, proceed to the next section to create the OAuth client ID that enables G Suite to accept requests from Cyral.
Create an OAuth client ID
Follow the steps below to create the OAuth application in your organization's G Suite instance. By doing this, you are authorizing your G Suite instance to respond to Cyral's authentication requests.
1. Open the Google API Console for your organization.
2. Select a project or create one.
3. Navigate to Credentials → Create Credentials → OAuth Client ID.
4. Choose Web Application as the application type.
5. Fill in the following values for your domain:
Name: Cyral OAuth Client (or the name of your choice)
Authorized redirect URL: The callback URL of your Cyral OAuth application. The form is as follows, but again replace my-cyral-deploy:
Share the OAuth application details with your Cyral support person
1. Find the Client ID in the popup that appears after you create the OAuth app.
2. Click the Client ID you created, click DOWNLOAD JSON to get its credentials bundle, and share this JSON file securely with your Cyral support contact.
3. Contact your Cyral support person to complete the setup. Provide the settings you collected above:
Authorized redirect URL
Your Client ID name
Your Client ID's JSON file
G Suite domain (name of your G Suite domain, which is usually your organization's main domain name, but may not be)
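Before sharing the JSON file from step 2, you can confirm that it describes the Web Application client you intended to create and that only the expected redirect URL is registered. The sketch below is an added example, not Cyral or Google code: `check_client_bundle` is a hypothetical helper, and the redirect URL and every value in the sample bundle are constructed placeholders, since the real callback form must come from your Cyral deployment.

```python
import json
from urllib.parse import urlsplit

# Constructed placeholder; substitute the callback URL of your own deployment.
EXPECTED_REDIRECT = "https://my-cyral-deploy.example.invalid/callback"

# Constructed sample in the layout of a Google "Web application" client
# download. Every value is a placeholder, not a real credential.
SAMPLE_BUNDLE = json.dumps({
    "web": {
        "client_id": "000000000000-placeholder.apps.googleusercontent.com",
        "project_id": "placeholder-project",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "client_secret": "PLACEHOLDER-SECRET",
        "redirect_uris": [EXPECTED_REDIRECT],
    }
})


def check_client_bundle(raw_json, expected_redirect):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        bundle = json.loads(raw_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    web = bundle.get("web") if isinstance(bundle, dict) else None
    if not isinstance(web, dict):
        return ["not a Web application client (no top-level 'web' object)"]
    findings = []
    if not str(web.get("client_id", "")).endswith(".apps.googleusercontent.com"):
        findings.append("client_id does not look like a Google OAuth client ID")
    if not web.get("client_secret"):
        findings.append("client_secret missing; download the bundle again")
    uris = web.get("redirect_uris") or []
    if expected_redirect not in uris:
        findings.append("expected redirect URL is not registered")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            findings.append(f"redirect URI is not https: {uri}")
        if uri != expected_redirect:
            findings.append(f"unexpected extra redirect URI: {uri}")
    return findings


if __name__ == "__main__":
    for line in check_client_bundle(SAMPLE_BUNDLE, EXPECTED_REDIRECT) or ["bundle OK"]:
        print(line)
```

The downloaded file contains the client secret, so run a check like this locally and keep the file out of tickets, chat and shared scratch directories.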
See Set up SSO authentication for users for the steps to activate SSO authentication on a repository.