Configuring GCP as an OIDC Identity Provider

Warning: Pivotal Single Sign-On v1.11 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Pivotal Single Sign‑On service plan by configuring OpenID Connect (OIDC) integration in both Single Sign‑On and GCP.

To set up the integration, follow the procedures below:

  1. Generate GCP Client Credentials
  2. Set up the OIDC Identity Provider in Single Sign‑On

Generate GCP Client Credentials

Follow the steps below to generate GCP client credentials:

  1. Log in to your GCP console.

  2. Under the Credentials tab, click Create credentials > OAuth client ID.

  3. In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript Origins blank and for Authorized redirect URIs enter a redirect URI using the following pattern:

    Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.

  4. Click Create and record the generated client ID and client secret. You enter these values as the Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO Operator Dashboard, as described in Set up the OIDC Identity Provider in Single Sign‑On below.

Set up the OIDC Identity Provider in Single Sign‑On

Follow the steps below to set up the OIDC identity provider in Single Sign‑On:

  1. Follow steps 1–6 in Add an OIDC Provider.

  2. In the Discovery Endpoint URL field, enter

  3. Click Fetch Scopes.

  4. Enter the Relying Party OAuth Client ID and Relying Party OAuth Client Secret that you recorded in Generate GCP Client Credentials above.

  5. Ensure that openid and email are selected as scopes. You can select additional scopes if you want.

  6. Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select email as the User Schema Attribute and enter user_name as the Attribute Name. This enables Single Sign‑On to identify the authenticated user.

  7. (Optional) Configure additional attribute mappings.

  8. Click Create Identity Provider to save your settings.

  9. (Optional) Enable IdP Discovery for the service plan.
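The checks an operator can run on the discovery document that Fetch Scopes retrieves (steps 2 to 5) and on the email to user_name mapping (step 6), as an added example that is not part of this topic or of the Single Sign‑On product. The discovery document and ID token claims below are constructed sample data with a placeholder issuer and client ID; the aud and email_verified checks are standard relying-party checks added here, not steps from this topic.

```python
"""Validate an OIDC discovery document and apply the email -> user_name mapping."""
from typing import Dict, List

# Scopes this topic requires to be selected in the Single Sign-On identity provider settings.
REQUIRED_SCOPES = {"openid", "email"}

# Constructed sample of a discovery document; the issuer is a placeholder, not a real IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/o/oauth2/auth",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss", "sub"],
}


def check_discovery(doc: Dict) -> List[str]:
    """Return a list of problems; an empty list means the document supports this setup."""
    problems = []
    # Every endpoint the relying party will call must be present and served over HTTPS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Single Sign-On uses the authorization code flow with the client secret from step 4.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("required scopes not advertised: " + ", ".join(sorted(missing)))
    # Without an email claim the email -> user_name mapping in step 6 yields no user name.
    if "email" not in doc.get("claims_supported", []):
        problems.append("email claim not advertised; user_name mapping would be empty")
    return problems


def map_user_name(claims: Dict, doc: Dict, client_id: str) -> str:
    """Derive user_name from the email claim after checking who issued the token and for whom."""
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued to this relying party client ID")
    if claims.get("email_verified") is not True:
        raise ValueError("email address not verified by the identity provider")
    email = claims.get("email")
    if not email:
        raise ValueError("email claim missing; cannot derive user_name")
    return email
```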