Google Workspace Setup for OpenWebUI
The goal is to let organizations control admin and user access in OpenWebUI based on their Google Group memberships — for example:
- [email protected] → Admin access
- [email protected] → Standard user access
Before You Begin
You’ll need:
- Access to your organization’s Google Admin Console (not Google Cloud Console)
- At least one Google Group created for Open WebUI admins (e.g. [email protected])
- The Keycloak ACS URL and Entity ID provided by Arthur (see below)
Step 1 — Open the Google Admin Console
- Go to https://admin.google.com
- Sign in with an account that has Super Admin privileges.
Step 2 — Create a Custom SAML App
- In the left sidebar: Apps → Web and mobile apps → Add app → Add custom SAML app
- Enter an app name such as “Open WebUI (Arthur)”
- (Optional) Upload your company or Arthur logo for easy identification.
- Click Continue
Step 3 — Download Google’s IdP Information
Google will now display:
- SSO URL
- Entity ID
- Certificate (X.509)
📤 Send these three values to your Arthur contact or Keycloak administrator.
They will configure them inside Keycloak to establish trust between Google and Keycloak.
Then click Continue.
Step 4 — Enter Arthur’s Keycloak Information
On the next screen, fill in the service provider details exactly as follows:
| Field | Value |
|---|---|
| ACS URL (Assertion Consumer Service URL) | https://<auth-endpoint>.arthur.ai/realms/openwebui/broker/google/endpoint |
| Entity ID | https://<auth-endpoint>.arthur.ai/realms/openwebui |
| Start URL | (Leave blank) |
| Signed Response | ✅ Checked |
| Name ID format | EMAIL |
| Name ID | Basic Information > Primary Email |
Then click Continue.
Step 5 — Add Attribute Mappings
This section defines what user information is sent to Keycloak.
Add the following mappings:
| Google Directory Attribute | App Attribute |
|---|---|
| Primary Email | email |
| First Name | firstName |
| Last Name | lastName |
| Groups | Groups |
Click Continue.
⚙️ Step 6 — Add Group Memberships (for Admin/User roles)
You’ll now see a section titled “Group membership (optional)”.
This is where you define which Google Groups get sent to Keycloak.
- Under Google groups, click the field and add:
[email protected]
[email protected]
(Or whatever group emails your organization will use.)
- Under App attribute, type:
Groups
Example configuration:
| Google groups | App attribute |
|---|---|
| [email protected], [email protected] | Groups |
- Click Finish
Step 7 — Assign Access
By default, your new SAML app is off for everyone.
To allow users to log in:
- Go to the app you just created under Apps → Web and mobile apps
- Click the new Open WebUI (Arthur) app
- Under User Access, set: ON for everyone, or restrict to specific organizational units (OUs) if needed.
Step 8 — Send Information to Arthur (Keycloak Admin)
Provide your Arthur contact or Keycloak admin with the following information:
| Item | Description |
|---|---|
| SSO URL | From Step 3 |
| Entity ID | From Step 3 |
| X.509 Certificate | From Step 3 |
| Admin Group(s) | e.g. [email protected] |
| User Group(s) | e.g. [email protected] |
Arthur’s team will configure these inside Keycloak to complete the connection.
How Keycloak Uses This Information
Arthur’s Keycloak admin will:
- Create two realm roles: admin and user
- Add mappers in Keycloak that translate Google Groups → roles:
Groups = [email protected] → admin
Groups = [email protected] → user
- Test logins from both groups to confirm correct role assignment.
When a user logs into Open WebUI via Keycloak:
- If they belong to the admin group, they’ll get full admin privileges.
- If they belong to the user group, they’ll get standard user access.
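An added example (not Arthur's or Keycloak's code) for checking a decoded test assertion against the mappings above: it lists expected attributes that did not arrive and shows which role(s) the `Groups` values would produce. The group addresses, function names and lowercase comparison are assumptions; it inspects attributes only and does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder group addresses (constructed); substitute your organization's groups.
GROUP_ROLES = {"owui-admins@example.com": "admin", "owui-users@example.com": "user"}
EXPECTED = ("email", "firstName", "lastName", "Groups")  # app attributes from Steps 5 and 6

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_attributes(attrs):
    """Expected attributes that are absent or empty; names are compared exactly."""
    return [name for name in EXPECTED if not attrs.get(name)]

def resolve_roles(attrs, default_role=None):
    """Each matching group grants its role; no match falls back to the optional default."""
    groups = {g.lower() for g in attrs.get("Groups", [])}  # assumption: case-insensitive match
    roles = sorted({role for group, role in GROUP_ROLES.items() if group in groups})
    return roles or ([default_role] if default_role else [])

def sample_assertion(groups, groups_attr="Groups"):
    """Build a constructed, unsigned assertion fragment for local testing."""
    def attribute(name, values):
        body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        return f'<saml:Attribute Name="{name}">{body}</saml:Attribute>'
    parts = [attribute("email", ["pat@example.com"]), attribute("firstName", ["Pat"]),
             attribute("lastName", ["Lee"])]
    if groups:
        parts.append(attribute(groups_attr, groups))
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            + "".join(parts) + "</saml:AttributeStatement></saml:Assertion>")

if __name__ == "__main__":
    for label, xml in [("admin", sample_assertion(["owui-admins@example.com"])),
                       ("no group", sample_assertion([])),
                       ("misnamed", sample_assertion(["owui-admins@example.com"], "groups"))]:
        attrs = read_attributes(xml)
        print(label, missing_attributes(attrs), resolve_roles(attrs, default_role="user"))
```

The "misnamed" case shows why the App attribute must be typed exactly as `Groups`: with any other spelling an admin-group member resolves to the default role instead of `admin`.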
Summary
| Step | Action |
|---|---|
| 1 | Go to admin.google.com |
| 2 | Add Custom SAML App → name it Open WebUI (Arthur) |
| 3 | Copy Google IdP details (SSO URL, Entity ID, Certificate) |
| 4 | Enter Arthur’s Keycloak ACS URL and Entity ID |
| 5 | Map attributes: email, firstName, lastName, Groups |
| 6 | Add Google groups → set App Attribute to Groups |
| 7 | Turn app ON for everyone |
| 8 | Send information + group names to Arthur for Keycloak mapping |
Example Group Design (Recommended)
| Group Name | Example Address | Purpose |
|---|---|---|
| OpenWebUI Admins | [email protected] | Members become Open WebUI admins |
| OpenWebUI Users | [email protected] | Members become regular users |
These groups can be managed directly by your organization’s IT team to control Open WebUI permissions dynamically — no need for Arthur to change anything.
End Result
| Google Group | Keycloak Role | Open WebUI Access |
|---|---|---|
| [email protected] | admin | Full admin privileges |
| [email protected] | user | Standard user access |
| (no group match) | (optional default user role) | Basic user access |
That’s it!
Your organization is now configured to use Google SAML SSO for Open WebUI via Arthur’s Keycloak.
All role assignments are fully automated through your existing Google Groups.