Google Workspace Setup for Open WebUI
This guide explains how to configure Google Workspace as the Identity Provider (IdP) for Arthur’s Keycloak, which brokers authentication into Open WebUI.
The goal is to let organizations control admin and user access in Open WebUI based on their Google Group memberships — for example:
- [email protected] → Admin access
- [email protected] → Standard user access
Before You Begin
You’ll need:
- Access to your organization’s Google Admin Console (not Google Cloud Console)
- At least one Google Group created for Open WebUI admins (e.g. [email protected])
- The Keycloak ACS URL and Entity ID provided by Arthur (see below)
Step 1 — Open the Google Admin Console
- Go to https://admin.google.com
- Sign in with an account that has Super Admin privileges.
Step 2 — Create a Custom SAML App
- In the left sidebar, go to Apps → Web and mobile apps → Add app → Add custom SAML app
- Enter an app name such as “Open WebUI (Arthur)”
- (Optional) Upload your company or Arthur logo for easy identification.
- Click Continue
Step 3 — Download Google’s IdP Information
Google will now display:
- SSO URL
- Entity ID
- Certificate (X.509)
📤 Send these three values to your Arthur contact or Keycloak administrator.
They will configure them inside Keycloak to establish trust between Google and Keycloak.
Then click Continue.
Step 4 — Enter Arthur’s Keycloak Information
On the next screen, fill in the service provider details exactly as follows:
Field | Value |
---|---|
ACS URL (Assertion Consumer Service URL) | https://<auth-endpoint>.arthur.ai/realms/openwebui/broker/google/endpoint |
Entity ID | https://<auth-endpoint>.arthur.ai/realms/openwebui |
Start URL | (Leave blank) |
Signed Response | ✅ Checked |
Name ID format | EMAIL |
Name ID | Basic Information > Primary Email |
Then click Continue.
Step 5 — Add Attribute Mappings
This section defines what user information is sent to Keycloak.
Add the following mappings:
Google Directory Attribute | App Attribute |
---|---|
Primary Email | email |
First Name | firstName |
Last Name | lastName |
Groups | Groups |
Tip: The Groups attribute is what enables role mapping (e.g. admin/user) inside Keycloak.
Click Continue.
⚙️ Step 6 — Add Group Memberships (for Admin/User roles)
You’ll now see a section titled “Group membership (optional)”.
This is where you define which Google Groups get sent to Keycloak.
- Under Google groups, click the field and add [email protected] and [email protected] (or whatever group emails your organization will use).
- Under App attribute, type: Groups
Example configuration:
Google groups | App attribute |
---|---|
[email protected], [email protected] | Groups |
- Click Finish
Step 7 — Assign Access
By default, your new SAML app is off for everyone.
To allow users to log in:
- Go to the app you just created under Apps → Web and mobile apps
- Click the new Open WebUI (Arthur) app
- Under User Access, set ON for everyone, or restrict to specific organizational units (OUs) if needed.
Step 8 — Send Information to Arthur (Keycloak Admin)
Provide your Arthur contact or Keycloak admin with the following information:
Item | Description |
---|---|
SSO URL | From Step 3 |
Entity ID | From Step 3 |
X.509 Certificate | From Step 3 |
Admin Group(s) | e.g. [email protected] |
User Group(s) | e.g. [email protected] |
Arthur’s team will configure these inside Keycloak to complete the connection.
How Keycloak Uses This Information
Arthur’s Keycloak admin will:
- Create two realm roles: admin and user
- Add mappers in Keycloak that translate Google Groups → roles:
  - Groups = [email protected] → admin
  - Groups = [email protected] → user
- Test logins from both groups to confirm correct role assignment.
When a user logs into Open WebUI via Keycloak:
- If they belong to the admin group, they’ll get full admin privileges.
- If they belong to the user group, they’ll get standard user access.
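For the login test described above, the following added example (not Arthur's or Keycloak's code) reads the Groups attribute from a captured test assertion and reports which roles it should produce. The example.com group addresses, the function names, and exact string matching on group values are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder addresses; substitute your organization's groups.
GROUP_TO_ROLE = {
    "openwebui-admins@example.com": "admin",
    "openwebui-users@example.com": "user",
}

# Constructed sample of the attribute statement a test login might carry.
# The second group only resembles the admin group and must not match it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>openwebui-users@example.com</saml:AttributeValue>
      <saml:AttributeValue>openwebui-admins-contractors@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def groups_in_assertion(xml_text, attribute="Groups"):
    """Return the values of the named SAML attribute.

    Inspection aid for a test login only: it does not validate the
    assertion's signature. The attribute name is compared exactly, so
    "groups" will not find values sent as "Groups".
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return values


def expected_roles(groups, default_role=None):
    """Map group values to roles by exact match, never by substring or prefix."""
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles and default_role:
        roles.add(default_role)  # the optional default role for "no group match"
    return sorted(roles)


if __name__ == "__main__":
    print(expected_roles(groups_in_assertion(SAMPLE_ASSERTION)))
```

An empty result with no default role usually means the app attribute name sent by Google differs from the one the mapper expects.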
Summary
Step | Action |
---|---|
1 | Go to admin.google.com |
2 | Add Custom SAML App → name it Open WebUI (Arthur) |
3 | Copy Google IdP details (SSO URL, Entity ID, Certificate) |
4 | Enter Arthur’s Keycloak ACS URL and Entity ID |
5 | Map attributes: email, firstName, lastName, Groups |
6 | Add Google groups → set App Attribute to Groups |
7 | Turn app ON for everyone |
8 | Send information + group names to Arthur for Keycloak mapping |
Example Group Design (Recommended)
Group Name | Example Address | Purpose |
---|---|---|
OpenWebUI Admins | [email protected] | Members become Open WebUI admins |
OpenWebUI Users | [email protected] | Members become regular users |
These groups can be managed directly by your organization’s IT team to control Open WebUI permissions dynamically — no need for Arthur to change anything.
End Result
Google Group | Keycloak Role | Open WebUI Access |
---|---|---|
[email protected] | admin | Full admin privileges |
[email protected] | user | Standard user access |
(no group match) | (optional default user role) | Basic user access |
That’s it! Your organization is now configured to use Google SAML SSO for Open WebUI via Arthur’s Keycloak. All role assignments are fully automated through your existing Google Groups.