Configuring GCP as an OIDC Identity Provider
Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.
Page last updated:
This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign‑On for VMware Tanzu Application Service service plan by configuring OpenID Connect (OIDC) integration in both Single Sign‑On and GCP.
To set up the integration, follow the procedures below:
Follow the steps below to generate GCP client credentials:
Log in to your GCP console.
Under the Credentials tab, click Create credentials > OAuth client ID.
AUTH-DOMAINis the Auth Domain you entered in Create or Edit Service Plans.
ORIGIN-KEYis identical to the Identity Provider Name you set later in the SSO Operator Dashboard in Set Up OIDC Identity Provider in Single Sign‑On, except that it cannot include uppercase letters or spaces.
Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.
Click Create and record the client ID and client secret generated. You enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO Operator Dashboard in Set Up OIDC Identity Provider in Single Sign‑On below.
Follow the steps below to set up the OIDC identity provider in Single Sign‑On:
Follow steps 1–6 in Add an OIDC Provider.
In the Discovery Endpoint URL field, enter
Click Fetch Scopes.
Enter your Relying Party OAuth Client ID and Relying Party OAuth Client Secret from the Generate GCP Client Credentials above.
Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select email as the User Schema Attribute and enter
user_nameas the Attribute Name. This enables Single Sign‑On to identify the authenticated user.
(Optional) Configure additional attribute mappings.
Click Create Identity Provider to save your settings.
(Optional) Enable IdP Discovery for the service plan.