chore: variable naming & google workspace instructions for self-hosted SSO (#455)
bvs-langchain authored Oct 1, 2024
2 parents 08144c3 + c41355c commit a1872fd
Showing 1 changed file with 33 additions and 2 deletions.
35 changes: 33 additions & 2 deletions versioned_docs/version-2.0/self_hosting/configuration/sso.mdx
@@ -62,13 +62,13 @@ LangSmith does not support moving from SSO to basic auth mode in self-hosted at
- Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
- You must provide the `OIDC`, `email`, and `profile` scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
- You will need to set the callback URL in your IdP to `http://<host>/api/v1/oauth/custom-oidc/callback`, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
- You will need to provide the `oauthClientId`, `oauthClientSecret`, `baseUrl`, and `oauthIssuerUrl` in your `values.yaml` file. This is where you will configure your LangSmith instance.
- You will need to provide the `oauthClientId`, `oauthClientSecret`, `hostname`, and `oauthIssuerUrl` in your `values.yaml` file. This is where you will configure your LangSmith instance.

<CodeTabs
tabs={[
HelmBlock(`config:
authType: mixed
baseUrl: https://\<YOUR DOMAIN\>.com
hostname: https://langsmith.example.com
oauth:
enabled: true
oauthClientId: \<YOUR CLIENT ID\>
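Review bot: the scope list in `You must provide the \`OIDC\`, \`email\`, and \`profile\` scopes` names a scope called `OIDC`, but the scope an IdP actually recognises is `openid`, which is what the Google Workspace step later in this same file asks the reader to verify (`email, profile, and openid`); use `openid` here so both halves of the doc agree. In the next line the callback is given as `http://<host>/api/v1/oauth/custom-oidc/callback` while every example value in this file (`hostname: https://langsmith.example.com`, the Google redirect URI) uses `https://`; a plaintext redirect URI would have the IdP hand the authorization code back over HTTP, so write it as `https://<host>/api/v1/oauth/custom-oidc/callback` and state that HTTPS is required. Lastly, the rename from `baseUrl` to `hostname` keeps a full URL with scheme as the value; a short note that `hostname` must include `https://` and no trailing slash (as the Google section says) would stop users from setting a bare host.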
@@ -77,10 +77,41 @@ LangSmith does not support moving from SSO to basic auth mode in self-hosted at
DockerBlock(
`# In your .env file
AUTH_TYPE=mixed
LANGSMITH_URL=https://langsmith.example.com
OAUTH_CLIENT_ID=your-client-id
OAUTH_CLIENT_SECRET=your-client-secret
OAUTH_ISSUER_URL=https://your-issuer-url
`
),
]}
/>

### Identity Provider (IdP) Setup

**Google Workspace**

You can use Google Workspace as a single sign-on (SSO) provider using [OAuth2.0 and OIDC](https://developers.google.com/identity/openid-connect/openid-connect) without PKCE.

:::note
You must have administrator-level access to your organization’s Google Cloud Platform (GCP) account to create a new project, or permissions to create and configure OAuth 2.0 credentials for an existing project. We recommend that you create a new project for managing access, since each GCP project has a single OAuth consent screen.
:::

1. Create a new GCP project, see the Google documentation topic [creating and managing projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
1. After you have created the project, open the [Credentials](https://console.developers.google.com/apis/credentials) page in the Google API Console (making sure the project in the top left corner is correct)
1. Create new credentials: `Create Credentials → OAuth client ID`
1. Choose `Web application` as the `Application type` and enter a name for the application e.g. `LangSmith`
1. In `Authorized Javascript origins` put the domain of your LangSmith instance e.g. `https://langsmith.yourdomain.com`
1. In `Authorized redirect URIs` put the domain of your LangSmith instance followed by `/api/v1/oauth/custom-oidc/callback` e.g. `https://langsmith.yourdomain.com/api/v1/oauth/custom-oidc/callback`
1. Click `Create`, then download the JSON or copy and save the `Client ID` (ends with `.apps.googleusercontent.com`) and `Client secret` somewhere secure. **You will be able to access these later if needed**.
1. Select `OAuth consent screen` from the navigation menu on the left
1. Choose the Application type as `Internal`. **If you select `Public`, anyone with a Google account can sign in.**
1. Enter a descriptive `Application name`. This name is shown to users on the consent screen when they sign in. For example, use `LangSmith` or `<organization_name> SSO for LangSmith`.
1. Verify that the Scopes for Google APIs only lists email, profile, and openid scopes. Only these scopes are required for single sign-on. If you grant additional scopes it increases the risk of exposing sensitive data.
1. (Optional) control who within your organization has access to LangSmith: https://admin.google.com/ac/owl/list?tab=configuredApps. See [Google's documentation](https://support.google.com/a/answer/7281227?hl=en&fl=1&sjid=9554153972856467090-NA) for additional details.
1. Configure LangSmith to use this OAuth application. For examples, here are the `config `values that would be used for Kubernetes configuration:
1. `oauthClientId`: `Client ID` (ends with `.apps.googleusercontent.com`)
1. `oauthClientSecret`: `Client secret`
1. `hostname`: the domain of your instance e.g. `https://langsmith.yourdomain.com` (no trailing slash)
1. `oauthIssuerUrl`: `https://accounts.google.com`
1. `oauth.enabled`: `true`
1. `authType`: `mixed`
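Review bot: the step `Configure LangSmith to use this OAuth application` lists only the Helm `config` keys, but the Docker tab added above in this same file uses `LANGSMITH_URL`, `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET` and `OAUTH_ISSUER_URL`; add the `.env` equivalents (at minimum say that `hostname` corresponds to `LANGSMITH_URL`) so Docker users are not left to guess, and drop the stray space in `` `config `values ``. The link in the optional admin-console step carries session-specific query parameters (`fl=1&sjid=9554153972856467090-NA`); trim it to `https://support.google.com/a/answer/7281227` so the doc does not embed a tracking id. Also, `Application type` is used twice with different meanings: once for the credential type (`Web application`) and once for the consent-screen audience (`Internal`); label the second one as the consent screen's user-type setting so readers do not look for `Internal` on the credentials page.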

0 comments on commit a1872fd
