Configuring GCP as an OIDC Identity Provider

This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Pivotal Single Sign‑On service plan by configuring OpenID Connect (OIDC) integration in both Pivotal Single Sign‑On and GCP.

Overview

To set up the integration, follow the procedures below:

  1. Generate GCP Client Credentials
  2. Set up the OIDC Identity Provider in Pivotal Single Sign‑On

Generate GCP Client Credentials

Follow the steps below to generate GCP client credentials.

  1. Log in to your Google Cloud Platform console.

  2. Under the Credentials tab, click Create credentials > OAuth client ID.

    [Screenshot: GCP Credentials tab, Create credentials > OAuth client ID]

  3. In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript origins blank. Under Authorized redirect URIs, enter a redirect URI of the form https://AUTH_DOMAIN/login/callback/ORIGIN_KEY, where:

    • AUTH_DOMAIN is the full auth domain hostname that Pivotal Single Sign‑On generated from the Auth Domain setting you entered when you created the service plan that you are integrating with GCP.
    • ORIGIN_KEY is the Identity Provider Name you set later in the SSO Operator Dashboard in Set up the OIDC Identity Provider in Pivotal Single Sign‑On, written without uppercase letters or spaces. GCP only accepts callbacks to a URI that exactly matches a registered redirect URI, so if you later change the identity provider name, update this redirect URI in GCP to match.

    [Screenshot: OAuth client configuration pane with Application type and Authorized redirect URIs]

  4. Click Create and record the generated client ID and client secret. You enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO Operator Dashboard in Set up the OIDC Identity Provider in Pivotal Single Sign‑On below. Treat the client secret as a credential: store it in a secrets manager, not in a ticket or chat message.

    [Screenshot: generated OAuth client ID and client secret]

Set up the OIDC Identity Provider in Pivotal Single Sign‑On

Follow the steps below to set up the OIDC identity provider in Pivotal Single Sign‑On.

  1. Follow steps 1–6 in Add an OIDC Provider.

  2. In the Discovery Endpoint URL field, enter https://accounts.google.com/.well-known/openid-configuration.

  3. Click Fetch Scopes.

  4. Enter the Relying Party OAuth Client ID and Relying Party OAuth Client Secret you recorded in Generate GCP Client Credentials above.

    [Screenshot: OIDC identity provider settings in the SSO Operator Dashboard]

  5. Ensure that openid and email are selected as scopes. openid is required for an OIDC flow, and email supplies the claim used to identify the user in the attribute mapping in step 6. You can select additional scopes, but request only the ones you need.

    [Screenshot: scope selection with openid and email checked]

  6. Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select user_name as the User Schema Attribute and enter email as the Attribute Name. This maps the email claim in the ID token from GCP to the user_name attribute, which is how Pivotal Single Sign‑On identifies the authenticated user.

    [Screenshot: Advanced Settings with the user_name to email attribute mapping]

  7. (Optional) Configure additional attribute mappings.

  8. Click Create Identity Provider to save your settings.

  9. (Optional) Enable IdP Discovery for the service plan.
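The following script is an added example, not Pivotal or Google code, that ties together the two procedures above: it derives the redirect URI that the GCP OAuth client must register (Generate GCP Client Credentials, step 3), validates an OIDC discovery document the way a relying party should before trusting what Fetch Scopes returns (steps 2, 3 and 5 of the SSO procedure), and applies the user_name to email attribute mapping from step 6 to ID token claims. The discovery document and the ID token claims are constructed samples embedded in the script so that it runs offline; the origin-key derivation (spaces to hyphens) and the email_verified check are assumptions and additions of this example, not behaviour the page documents.

```python
"""Pre-flight checks for the GCP OIDC integration described on this page.

Added example (not Pivotal or Google code). The discovery document and the
ID token claims below are constructed samples so the checks run offline.
"""
import json
import re
from urllib.parse import urlparse

DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email"}
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample in the shape of Google's discovery document (subset of
# fields). A real deployment fetches DISCOVERY_URL over TLS instead.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss", "sub"],
})


def origin_key(identity_provider_name: str) -> str:
    """Derive ORIGIN_KEY from the Identity Provider Name: no uppercase, no spaces.

    Assumption: runs of whitespace become a single hyphen. Confirm the exact
    key against what the SSO Operator Dashboard displays for the provider.
    """
    return re.sub(r"\s+", "-", identity_provider_name.strip().lower())


def redirect_uri(auth_domain: str, identity_provider_name: str) -> str:
    """Build https://AUTH_DOMAIN/login/callback/ORIGIN_KEY for the GCP client.

    Google matches registered redirect URIs exactly, so the result has no
    trailing slash, query string or fragment, and the host is lowercased.
    """
    host = re.sub(r"^https?://", "", auth_domain.strip().lower()).rstrip("/")
    return f"https://{host}/login/callback/{origin_key(identity_provider_name)}"


def check_discovery(discovery_url: str, document_json: str) -> list:
    """Return a list of problems with a discovery document (empty means OK)."""
    problems = []
    url = urlparse(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL must use https")
    doc = json.loads(document_json)
    # OIDC Discovery serves the document at issuer + WELL_KNOWN, so the issuer
    # value must match the URL it was fetched from (guards against mix-ups).
    base_path = url.path[:-len(WELL_KNOWN)] if url.path.endswith(WELL_KNOWN) else url.path
    expected_issuer = f"{url.scheme}://{url.netloc}{base_path}".rstrip("/")
    if doc.get("issuer", "").rstrip("/") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"required scopes not advertised: {sorted(missing)}")
    if "email" not in doc.get("claims_supported", []):
        problems.append("email claim not advertised; user_name mapping would be empty")
    return problems


# Step 6 of the SSO procedure: the SSO user_name attribute is populated from
# the identity provider's email claim.
ATTRIBUTE_MAPPINGS = {"user_name": "email"}


def map_user(id_token_claims: dict) -> dict:
    """Apply ATTRIBUTE_MAPPINGS to already-verified ID token claims.

    Added check beyond the page: refuse to use an email address that Google
    has not marked verified as the login name, because an unverified address
    is not a reliable identifier for the SSO user.
    """
    if id_token_claims.get("email_verified") is not True:
        raise ValueError("email claim is not verified; refusing to map user_name")
    user = {}
    for sso_attribute, claim in ATTRIBUTE_MAPPINGS.items():
        if claim not in id_token_claims:
            raise ValueError(f"ID token lacks the {claim!r} claim needed for {sso_attribute}")
        user[sso_attribute] = id_token_claims[claim]
    return user


if __name__ == "__main__":
    # Hypothetical auth domain and identity provider name for illustration.
    print(redirect_uri("auth.login.sys.example.com", "Google Corp"))
    print(check_discovery(DISCOVERY_URL, SAMPLE_DISCOVERY_JSON) or "discovery document OK")
    # Constructed sample claims, as they would appear after signature,
    # issuer and audience validation of a Google ID token.
    print(map_user({"sub": "1234", "email": "alice@example.com", "email_verified": True}))
```

Run it before clicking Create Identity Provider: the printed redirect URI is the value to paste into GCP, and a non-empty problem list from check_discovery means the discovery endpoint URL or the scopes in the dashboard need attention before users are sent through the flow.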