Google Cloud Platform SSO


This document describes how to use workforce identity federation to set up enterprise single sign-on (SSO) for Google Cloud Platform (GCP). It covers the entire OIDC-based process, including configuring a workforce identity pool, integrating an external identity provider (IdP), generating temporary credentials, and managing IAM permissions. This approach lets your enterprise users securely access GCP resources without needing separate Google accounts.

Procedure

Step 1: Configure an OIDC application in IDaaS

  1. Create an OIDC application.

    1. Log on to the IDaaS console, select the target IDaaS instance, and in the Console column, click Console.

    2. Navigate to Applications > Add Application > Standard Protocol, and add an OIDC application.

  2. Get configuration parameters.

    1. On the OIDC application details page, get the client_id and client_secret from the General tab.

    2. On the tab, get the Issuer URL from the Application Settings section.

  3. After you complete the GCP configuration, return to this page to enter the following parameters.

    1. Redirect URIs. To set up console access, add the following redirect URI.

      https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
      Note

      Replace the following placeholders:

      • WORKFORCE_POOL_ID: The ID of your workforce identity pool.

      • WORKFORCE_PROVIDER_ID: The ID of the provider that you created for the workforce identity pool.

    2. IDaaS Sign-In URL. After you add an identity provider in GCP, a sign-in URL is generated. You can add this URL to your IDaaS application so that users can sign in to the GCP console with one click by using their enterprise identities.

      1. In the IDaaS application, expand Show Advanced Settings. For SSO Implemented By, select IDaaS & Application. Copy the sign-in URL from GCP and paste it into the IDaaS Sign-In URL field.

      2. After adding an identity provider in GCP, you can find the sign-in URL in the workforce identity pool you created, under Sign-in URL.


Step 2: Create a workforce identity pool

  1. Log on to the Google Cloud console. In the left-side navigation pane, click .

  2. On the Workforce identity pool page, click Create Pool. The Add new workforce pool and provider page opens.

  3. Configure the basic information for the identity pool.

    1. In the Name field, enter a name for the identity pool.

    2. (Optional) In the Description field, enter a description of the pool's purpose, such as federated identity authentication for the XX service.

    3. When finished, click Next. Pool creation can take up to two minutes.

  4. In the Select an Authentication Protocol section, choose a protocol type from the drop-down list:

    • OpenID Connect (OIDC)

    • SAML

    Note

    This document uses OpenID Connect (OIDC) as an example. Select the protocol that meets your needs.

Step 3: Configure the identity provider

  1. Create a pool provider. Configure the following parameters:

    • Name: A display name for the identity provider.

    • Provider ID: A unique ID for this provider within the pool.

    • Description: Describes the authorization scenario. This text appears when you grant access to a third-party identity.

    • Issuer: The Issuer URL from the OIDC application that you configured in IDaaS.

    • Client ID: The OIDC application's unique identifier (client_id), used to establish trust with the identity provider.

  2. Flow type. Configure the following parameters:

    • Flow type: Select code.

    • Assertion claims behavior: Select one of the following options:

      • User info and ID token

      • ID token only

    • Client secret: The client_secret of the OIDC application.

  3. Configure the provider.

    1. When you configure attribute mapping, you must specify the IdP's subject field (such as assertion.sub) in the OIDC configuration, or use a CEL expression that returns a string.


    2. After completing the configuration, click Submit. Wait for the identity provider to be created.

Step 4: Grant IAM permissions

  1. Go to the details page of your workforce identity pool and copy the IAM principal.

  2. In the left-side navigation pane, go to the IAM page and click Grant Access.

    1. Add principal. Paste the IAM principal.

    2. Assign roles. Assign appropriate roles based on your needs, and then click Save.
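Steps 1 through 4 pass a handful of values back and forth between IDaaS and GCP (the redirect URI, the Issuer URL, the flow type and claims behavior, and the IAM principal), and most federation failures come from one of them not matching exactly. The script below is an added example, not IDaaS or Google Cloud code: it derives those values from the pool and provider IDs, checks the configured Issuer URL against the IdP's OIDC discovery document, builds the IAM member strings for Step 4, and prints gcloud equivalents of Steps 2 to 4. The pool ID, provider ID, issuer, client ID, organization and project IDs are constructed placeholders; the ID naming rules are an assumption for this example, and the gcloud flag names are those of the gcloud CLI as the author of this example knows them, so confirm them with `gcloud iam workforce-pools providers create-oidc --help` before use.

```python
"""Derive and sanity-check the values that Steps 1-4 of this guide move
between IDaaS and a GCP workforce identity pool (OIDC, code flow).

Added example, not Alibaba Cloud IDaaS or Google Cloud code. All IDs,
the issuer and the client ID below are constructed placeholders."""
import json
import re
from urllib.parse import urlparse

# Redirect URI registered in the IDaaS application (Step 1.3).
REDIRECT_URI_TEMPLATE = (
    "https://auth.cloud.google/signin-callback/locations/global/"
    "workforcePools/{pool_id}/providers/{provider_id}"
)
# Assumed ID rules for this example: lowercase letters, digits, hyphens,
# 4-63 characters, starting with a letter; "gcp-" is a reserved prefix.
ID_RE = re.compile(r"[a-z][a-z0-9-]{3,62}")
# "Assertion claims behavior" option (Step 3.2) -> gcloud flag value.
CLAIMS_BEHAVIOR = {
    "User info and ID token": "merge-user-info-over-id-token-claims",
    "ID token only": "only-id-token-claims",
}


def validate_id(value, label):
    if not ID_RE.fullmatch(value) or value.startswith("gcp-"):
        raise ValueError(f"{label} {value!r}: 4-63 lowercase letters/digits/"
                         "hyphens, starting with a letter, not prefixed 'gcp-'")
    return value


def redirect_uri(pool_id, provider_id):
    """Exact redirect URI to paste into IDaaS. OIDC redirect matching is
    literal, so the IDs must be the ones used to create the pool and provider."""
    return REDIRECT_URI_TEMPLATE.format(
        pool_id=validate_id(pool_id, "pool ID"),
        provider_id=validate_id(provider_id, "provider ID"))


def check_issuer(configured_issuer, discovery_json):
    """Compare the Issuer URL entered in Step 3.1 with the IdP's
    .well-known/openid-configuration document. OIDC requires the two to be
    byte-for-byte equal (scheme, host, path, trailing slash), and the IdP
    must support the 'code' response type selected as the flow type."""
    url = urlparse(configured_issuer)
    if url.scheme != "https" or url.query or url.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    doc = json.loads(discovery_json)
    if doc.get("issuer") != configured_issuer:
        raise ValueError(f"issuer mismatch: configured {configured_issuer!r}, "
                         f"IdP advertises {doc.get('issuer')!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not advertise the 'code' response type")
    return doc["issuer"]


def iam_member(pool_id, subject=None):
    """IAM principal for Step 4: one federated user, or every identity in the pool."""
    base = f"iam.googleapis.com/locations/global/workforcePools/{validate_id(pool_id, 'pool ID')}"
    return f"principal://{base}/subject/{subject}" if subject else f"principalSet://{base}/*"


def gcloud_commands(org_id, pool_id, provider_id, issuer, client_id, claims_behavior,
                    project_id, role, secret_env="IDAAS_CLIENT_SECRET"):
    """gcloud equivalents of Steps 2-4, returned as argv lists meant to be
    printed and run in a shell. The client secret is referenced through an
    environment variable so the literal never lands in shell history."""
    return [
        ["gcloud", "iam", "workforce-pools", "create", pool_id,
         f"--organization={org_id}", "--location=global", f"--display-name={pool_id}"],
        ["gcloud", "iam", "workforce-pools", "providers", "create-oidc", provider_id,
         f"--workforce-pool={pool_id}", "--location=global",
         f"--issuer-uri={issuer}", f"--client-id={client_id}",
         f"--client-secret-value=${secret_env}",
         "--web-sso-response-type=code",
         f"--web-sso-assertion-claims-behavior={CLAIMS_BEHAVIOR[claims_behavior]}",
         "--attribute-mapping=google.subject=assertion.sub"],
        ["gcloud", "projects", "add-iam-policy-binding", project_id,
         f"--member={iam_member(pool_id)}", f"--role={role}"],
    ]


# Constructed sample discovery document, shaped like an OIDC issuer would serve it.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idaas.example.com/oauth",
    "authorization_endpoint": "https://idaas.example.com/oauth/authorize",
    "token_endpoint": "https://idaas.example.com/oauth/token",
    "response_types_supported": ["code", "id_token"],
})

if __name__ == "__main__":
    print(redirect_uri("corp-pool", "idaas-oidc"))
    print(check_issuer("https://idaas.example.com/oauth", SAMPLE_DISCOVERY))
    print(iam_member("corp-pool"))
    for cmd in gcloud_commands("123456789012", "corp-pool", "idaas-oidc",
                               "https://idaas.example.com/oauth", "client-abc",
                               "ID token only", "my-project", "roles/viewer"):
        print(" ".join(cmd))
```

The `principalSet://.../*` member grants the role to every identity the pool accepts, which is convenient for a first test but broad; once attribute mapping is settled, prefer `principal://.../subject/...` members or group-scoped bindings and the least role that the verification in Step 5 requires.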

Step 5: Verify SSO

  1. Verify from IDaaS.

    After configuring SSO, you can sign in from the IDaaS user portal.

    1. Log on to the IDaaS user portal.

    2. Click the OIDC application that you created.

    3. You are automatically redirected to the Google Cloud console.

  2. Verify from GCP.

    1. In the left-side navigation pane, click .

    2. Open the details page of the workforce identity pool that you created, and in the Providers section, click the Sign-in URL.

    3. You will be redirected to the IDaaS sign-in page. After you sign in, you can access the Google Cloud console.