Configuring GCP as an OIDC Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu Application Service.

This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign‑On for VMware Tanzu Application Service service plan by configuring OpenID Connect (OIDC) integration in both Single Sign‑On and GCP.

Overview

To set up the integration, follow the procedures below:

  1. Generate GCP Client Credentials
  2. Set up the OIDC Identity Provider in Single Sign‑On

Generate GCP Client Credentials

Follow the steps below to generate GCP client credentials:

  1. Log in to your GCP console.

  2. Under the Credentials tab, click Create credentials > OAuth client ID.

    [Image: GCP create OAuth client ID]

  3. In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript Origins blank and for Authorized redirect URIs enter a redirect URI using the following pattern:

    https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY

    Where:

    Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.

    [Image: GCP configure OAuth client]

  4. Click Create and record the generated client ID and client secret. You enter these values as the Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO Operator Dashboard in Set Up the OIDC Identity Provider in Single Sign‑On below.

    [Image: GCP OAuth client ID and secret]

Set up the OIDC Identity Provider in Single Sign‑On

Follow the steps below to set up the OIDC identity provider in Single Sign‑On:

  1. Follow steps 1–6 in Add an OIDC Provider.

  2. In the Discovery Endpoint URL field, enter https://accounts.google.com/.well-known/openid-configuration.

  3. Click Fetch Scopes.

  4. Enter the Relying Party OAuth Client ID and Relying Party OAuth Client Secret that you recorded in Generate GCP Client Credentials above.

    [Image: GCP OIDC settings]

  5. Ensure that openid and email are selected as scopes. You can select additional scopes if you want.

    [Image: GCP scopes]

  6. Under Advanced Settings > Attribute Mappings (optional) > User Attributes, select email as the User Schema Attribute and enter user_name as the Attribute Name. This enables Single Sign‑On to identify the authenticated user.

    [Image: GCP advanced settings]

  7. (Optional) Configure additional attribute mappings.

  8. Click Create Identity Provider to save your settings.

  9. (Optional) Enable IdP Discovery for the service plan.
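The two procedures above come down to a few values that have to agree exactly on both sides: the redirect URI registered in GCP must match the pattern Single Sign‑On uses, the discovery document that Fetch Scopes reads must advertise the openid and email scopes, and the email claim must be mapped to user_name. The following Python script is an added example, not code from this documentation or from the Single Sign‑On product, that checks each of those points so an operator can validate a configuration before users hit it. The discovery document embedded in it is a constructed sample shaped like a real OIDC discovery document, not a live copy of Google's; the domain names and origin key in the usage are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Discovery endpoint URL named on the page (step 2 of the SSO procedure).
GOOGLE_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"

# Scopes the page says must be selected (step 5 of the SSO procedure).
REQUIRED_SCOPES = {"openid", "email"}

# Constructed sample with the shape of an OIDC discovery document. A real check
# would fetch GOOGLE_DISCOVERY_URL over HTTPS and pass the body to
# check_discovery_document() instead of using this string.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "token", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_hostname(name: str, what: str) -> None:
    """Reject anything that is not a syntactically valid DNS name."""
    if not name or not all(_DNS_LABEL.match(part) for part in name.split(".")):
        raise ValueError(f"{what} is not a valid DNS name: {name!r}")


def redirect_uri(auth_domain: str, system_domain: str, origin_key: str) -> str:
    """Build the redirect URI in the pattern the page gives:
    https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY

    GCP matches registered redirect URIs exactly, so the value registered in the
    OAuth client must be byte-for-byte this string (no trailing slash, no port).
    """
    _check_hostname(auth_domain, "AUTH-DOMAIN")
    _check_hostname(system_domain, "SYSTEM-DOMAIN")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", origin_key):
        raise ValueError(f"ORIGIN-KEY contains characters unsafe in a path: {origin_key!r}")
    host = f"{auth_domain}.login.{system_domain}"
    _check_hostname(host, "combined host")
    return f"https://{host}/login/callback/{origin_key}"


def check_discovery_document(raw: str) -> list[str]:
    """Return the problems found in a discovery document; an empty list means OK."""
    doc = json.loads(raw)
    problems: list[str] = []
    issuer = doc.get("issuer", "")
    if urlsplit(issuer).scheme != "https":
        problems.append(f"issuer is missing or not https: {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is missing or not https: {url!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("required scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not supported")
    return problems


def map_user_name(claims: dict) -> dict:
    """Apply the attribute mapping from step 6: email -> user_name.

    The email_verified check goes beyond the page; it is a standard OIDC claim
    and refusing an explicitly unverified address avoids identifying a user by
    an e-mail the provider has not confirmed.
    """
    email = claims.get("email")
    if not email:
        raise ValueError("ID token carries no email claim; user cannot be identified")
    if claims.get("email_verified") is False:
        raise ValueError(f"email claim {email!r} is marked unverified")
    return {"user_name": email}


def main() -> None:
    # Hypothetical values; replace with the plan's auth domain, the TAS system
    # domain and the origin key shown for the identity provider in the dashboard.
    print("Register in GCP:", redirect_uri("sso-plan", "sys.example.com", "gcp-oidc"))
    problems = check_discovery_document(SAMPLE_DISCOVERY_DOC)
    print("Discovery document:", "OK" if not problems else problems)
    sample_claims = {"email": "alice@example.com", "email_verified": True}  # constructed
    print("Mapped attributes:", map_user_name(sample_claims))


if __name__ == "__main__":
    main()
```

Run it once with the real values to see the exact redirect URI to paste into the GCP console; if the string printed and the one registered in GCP differ in any character, including a trailing slash, Google rejects the callback with a redirect_uri_mismatch error and the login never reaches Single Sign‑On.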