# Google Integration (SSO)

### Create a new OAuth application for Zylon

In order to enable Google SSO for Zylon, you need to create an OAuth 2.0 application in the Google Cloud Console.

Navigate to the [Google Cloud Console](https://console.cloud.google.com/).

<Note>
  If you don't already have a Google Cloud project to host the OAuth application, you may need to create one for Zylon.

  <img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/1-create-project.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=b8349c3a49d3772c22489faffbc20c3e" alt="create-project" width="1440" height="830" data-path="images/operator-manual/openid-images/google/1-create-project.png" />
</Note>

Navigate to the [Google Auth Section](https://console.cloud.google.com/auth/) to create the app.

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/2-create-app.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=d8d06ceb592e7785c1a38e1daf22497e" alt="create-oauth-app" width="1404" height="1128" data-path="images/operator-manual/openid-images/google/2-create-app.png" />

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/3-configure-audience.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=02b51e86cd7852250426b92dbb70edb1" alt="oauth-config" width="1312" height="1018" data-path="images/operator-manual/openid-images/google/3-configure-audience.png" />

For the audience configuration, select internal so that only users from your organization can log in;
otherwise you will need to go through Google's verification process.

### Configure the OAuth client

Next, configure the OAuth client:

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/4-create-oauth-client.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=257cd8f21779047a3abeb6beac5ee2df" alt="oauth-client-id" width="2986" height="968" data-path="images/operator-manual/openid-images/google/4-create-oauth-client.png" />

Make sure of the following settings:

* The application type is set to **Web application**.
* The authorized JavaScript origins field is set to `https://zylon.company.com`, replacing `zylon.company.com` with the domain where Zylon is hosted (the same domain as the host in the config file located at `/etc/zylon/zylon-conf.yaml`).
* The authorized redirect URI is set to `https://zylon.company.com/api/v1/auth/google/callback`. As above, replace `zylon.company.com` with the domain where Zylon is hosted.
* Apply the changes and save the `Client ID` and `Client Secret` that will be used later in the config file for Zylon.

Select **Web application** as the application type:

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/5-select-web-app-as-type.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=09a8be586c3cda8cdbcf86123e6331c7" alt="oauth-web-app" width="1130" height="1088" data-path="images/operator-manual/openid-images/google/5-select-web-app-as-type.png" />

Set the authorized redirect URI as mentioned before. Double-check that the domain is correct
and that the suffix is `/api/v1/auth/google/callback`:

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/6-configure-origin-and-callback.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=d6d3f71045ea79ffde86aaa514f4e0fa" alt="oauth-redirect-uri" width="1204" height="1122" data-path="images/operator-manual/openid-images/google/6-configure-origin-and-callback.png" />

Create the OAuth client and save the `Client ID` and `Client Secret`:

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/7-copy-oauth-data.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=ae02e6bff9184eedfb9fb0e86ddea25b" alt="oauth-client-created" width="998" height="1276" data-path="images/operator-manual/openid-images/google/7-copy-oauth-data.png" />

### Grant openid scope

Navigate to the [Data Access/Scopes section](https://console.cloud.google.com/auth/scopes), and add the following scopes to your application:

* auth/userinfo.email (To get the user's email)
* auth/userinfo.profile (To get the user's name and profile picture)
* openid (To authenticate users with OpenID Connect)

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/8-add-scopes.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=63ffd81dd2ce8bcd9ed5746f977649b6" alt="oauth-scopes" width="2988" height="1634" data-path="images/operator-manual/openid-images/google/8-add-scopes.png" />

<img src="https://mintcdn.com/zylon/BXrLYrh44RWGgEbL/images/operator-manual/openid-images/google/9-add-scopes-output.png?fit=max&auto=format&n=BXrLYrh44RWGgEbL&q=85&s=0728e2b6f483cfb2927ed476b2c4b076" alt="oauth-scopes-added" width="2164" height="1540" data-path="images/operator-manual/openid-images/google/9-add-scopes-output.png" />

### Add the configuration to Zylon

Add the following configuration to `/etc/zylon/zylon-conf.yaml`,
replacing the `clientId` and `clientSecret` values with the ones obtained in the previous steps
and the `redirectUri` with the correct domain where Zylon is hosted.

<Warn>
  The config file is a `.yaml` file, so indentation, spaces, colons, and double quotes are very important.
</Warn>

```yaml
auth:
  google:
    enabled: true
    clientId: "1234567890-abcde.apps.googleusercontent.com"
    clientSecret: "GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx"
    redirectUri: "https://zylon.company.com/api/v1/auth/google/callback"
```

Run the following command to refresh the configuration:

```bash
sudo zylon-cli sync
```

Now you should see the Google SSO option when logging in.

<Tip>
  In case you don’t see the Google button to log in, clear the browser cache.
</Tip>
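
Google matches the redirect URI exactly, so a mismatch in scheme, host or path between the console and `auth.google` breaks the login flow; the script below checks the block before `sudo zylon-cli sync` is run. It is an added example, not part of Zylon or its documentation: `check_google_auth`, `console_values` and the two command-line arguments are hypothetical names, and it assumes PyYAML is installed and that the operator passes the expected host.

```python
"""Pre-flight check for the auth.google block in zylon-conf.yaml (added example)."""
import sys
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/v1/auth/google/callback"  # suffix required by this page
SAMPLE_VALUES = {  # placeholders copied from the snippet on this page
    "1234567890-abcde.apps.googleusercontent.com",
    "GOCSPX-xxxxxxxxxxxxxxxxxxxxxxxx",
}


def check_google_auth(google: dict, expected_host: str) -> list[str]:
    """Return the problems found in the parsed auth.google mapping."""
    problems = []
    if google.get("enabled") is not True:
        problems.append("enabled must be the YAML boolean true")
    client_id = str(google.get("clientId") or "")
    if not client_id.endswith(".apps.googleusercontent.com"):
        problems.append("clientId does not look like a Google OAuth client ID")
    secret = str(google.get("clientSecret") or "")
    if not secret.strip():
        problems.append("clientSecret is empty")
    if client_id in SAMPLE_VALUES or secret in SAMPLE_VALUES:
        problems.append("clientId/clientSecret still hold the documentation samples")
    uri = urlsplit(str(google.get("redirectUri") or ""))
    if uri.scheme != "https":
        problems.append("redirectUri must use https")
    if uri.netloc.lower() != expected_host.lower():
        problems.append(f"redirectUri host is {uri.netloc!r}, expected {expected_host!r}")
    if uri.path != CALLBACK_PATH:  # a trailing slash also counts as a mismatch
        problems.append(f"redirectUri path must be exactly {CALLBACK_PATH}")
    if uri.query or uri.fragment:
        problems.append("redirectUri must not carry a query string or fragment")
    return problems


def console_values(host: str) -> dict:
    """Values to enter in the Google OAuth client form for this host."""
    return {"origin": f"https://{host}", "redirect_uri": f"https://{host}{CALLBACK_PATH}"}


if __name__ == "__main__":
    import yaml  # PyYAML, assumed to be installed on the operator's machine

    path, host = sys.argv[1], sys.argv[2]  # config file path, expected host
    with open(path, encoding="utf-8") as fh:
        google = (yaml.safe_load(fh) or {}).get("auth", {}).get("google", {})
    found = check_google_auth(google, host)
    print("\n".join(found) or f"auth.google matches {console_values(host)}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any check fails, so it can gate the sync step in a deployment script.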
