Configuring GCP as an OIDC Identity Provider
Warning: Single Sign‑On for Pivotal Cloud Foundry v1.6 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign-On (SSO) service plan by configuring OpenID Connect (OIDC) integration in both Pivotal Cloud Foundry (PCF) and GCP.
Log in to your Google Cloud Platform console.
Under the Credentials tab, click Create credentials > OAuth client ID.
AUTH_DOMAIN is the full URL generated based on the Auth Domain setting you entered when you created the service plan that you are integrating with GCP.
ORIGIN_KEY is based on the Identity Provider Name you set in the SSO dashboard in Set Up OIDC Identity Provider in SSO below. This value should have no spaces or uppercase letters. You might need to change this value later.
Click Create and record the client ID and client secret generated. You will enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO dashboard in Set Up OIDC Identity Provider in SSO below.
Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Pivotal Application Service tile in Ops Manager under the Credentials tab.
Click the plan name and select Manage Identity Providers from the drop-down menu.
Click New Identity Provider.
Enter an Identity Provider Name. This value in all lowercase with dashes replacing spaces becomes your Origin Key. For example, Example Google Origin becomes example-google-origin. If you did not enter this for your OAuth Client's authorized redirect URIs, go back and edit the value in Google Cloud Platform.
Enter a Description. Space developers see this description when they select an identity provider for their app.
Select OpenID Connect as the Identity Provider type.
Make sure the Enable Discovery checkbox is selected to enable OIDC discovery.
For Discovery Endpoint URL, enter
Click Fetch Scopes.
Enter the Relying Party OAuth Client ID and Relying Party OAuth Client Secret that you recorded in Generate GCP Client Credentials above.
Make sure that
Under Advanced Settings > User Attributes, map
(Optional) Configure additional attribute mappings.
Click Create Identity Provider to save your settings.
(Optional) Enable identity provider discovery for the service plan.
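The steps above rely on two derived values: the Origin Key the dashboard computes from the Identity Provider Name, and the OIDC discovery document that Enable Discovery and Fetch Scopes read from the provider. The following is an added example, not code from this documentation or from the SSO product, that derives the Origin Key and validates a discovery document offline before trusting it; the discovery document, its hostnames and the REQUIRED_SCOPES set are constructed assumptions, not values from the page.

```python
import json
from urllib.parse import urlparse

# Constructed sample with the shape of an OIDC discovery document (assumption);
# in practice this is what the provider serves at its discovery endpoint URL.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.example.com/token",
    "jwks_uri": "https://www.example.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code", "token", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Assumption: scopes the SSO plan needs to fill in user attributes.
REQUIRED_SCOPES = {"openid", "email", "profile"}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def origin_key(idp_name: str) -> str:
    """Origin Key as the SSO dashboard derives it: lowercase, spaces become dashes."""
    return "-".join(idp_name.lower().split())


def validate_discovery(doc_text: str, discovery_url: str) -> list:
    """Return a list of problems found in the discovery document (empty means usable).

    Checks that the advertised issuer matches the URL the document was fetched from
    (so a redirected or spoofed document cannot point at a different issuer), that
    every endpoint is https, that RS256 is offered for ID token signatures, and that
    the scopes the plan needs are advertised.
    """
    doc = json.loads(doc_text)
    problems = []
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        problems.append("discovery URL does not end with " + DISCOVERY_SUFFIX)
    elif doc.get("issuer") != discovery_url[: -len(DISCOVERY_SUFFIX)]:
        problems.append("issuer %r does not match discovery URL" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            problems.append(key + " missing or not https")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signatures")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems
```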