Configure SAML providers for GKE Identity Service

This document explains how to configure your chosen Security Assertion Markup Language (SAML) identity provider for GKE Identity Service. To find out more about GKE Identity Service, see the overview.

This document is for platform administrators, or whoever manages identity setup in your organization. If you are a cluster administrator or application operator, ask your platform administrator to complete the steps in this document before you start Configure clusters for GKE Identity Service with SAML.

Register GKE Identity Service with your provider

To register GKE Identity Service for the identity provider, you need the following information:

  • EntityID - This is a unique identifier that represents GKE Identity Service to the provider. It is derived from the URL of the API server. For example, if the URL of the API server is https://cluster-server-url.com, then the EntityID should be https://cluster-server-url.com:8443. Note that the EntityID has no trailing slash.
  • AssertionConsumerServiceURL - This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if the URL of the API server is https://cluster-server-url.com, then the AssertionConsumerServiceURL should be https://cluster-server-url.com:8443/saml-callback.

Provider setup information

This section provides additional provider-specific information for registering GKE Identity Service. If your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions.

Azure AD

  1. If you haven't done so already, set up a tenant on Azure Active Directory.
  2. Register an application with the Microsoft identity platform.
  3. Open the App registrations page on the Azure Portal and select your application by name.
  4. Under Manage, select Authentication settings.
  5. Under Platform Configurations, select Enterprise Applications.
  6. In the Set up Single Sign-On with SAML section, edit the Basic SAML Configuration.
  7. Under the Identifier (Entity ID) section, select Add Identifier.
  8. Enter the EntityID and Reply URL that you derived in Register GKE Identity Service with your provider.
  9. Click Save to save these settings.
  10. Review the Attributes & Claims section to add any new attributes.
  11. Under SAML Certificates, click Certificate (Base64) to download the identity provider certificate.
  12. Under the Set up app section, copy the Login URL and Azure AD identifier.

Share provider details

When you register the provider, you must share the following information with your cluster administrator. These details come from the provider metadata and are required when configuring GKE Identity Service with SAML.

  • idpEntityID - This is the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called the Azure AD identifier.
  • idpSingleSignOnURL - This is the endpoint to which the user is redirected for sign-in. This is also called the Login URL.
  • idpCertificateDataList - This is the public certificate used by the identity provider for SAML assertion verification.
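As an added worked example (not part of this documentation or of GKE Identity Service itself), the following Python derives the two registration values from an API server URL, as described under Register GKE Identity Service with your provider, and pulls the three provider details listed above out of a SAML 2.0 IdP metadata document. The metadata shown is constructed, and restricting the extraction to the HTTP-Redirect SSO binding and to signing (not encryption) certificates is an assumption of the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata for this example (not from any real provider).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/constructed-tenant-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TUlJQ2V4YW1wbGU=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_registration(api_server_url: str) -> dict:
    """EntityID and AssertionConsumerServiceURL derived from the API server URL."""
    base = api_server_url.rstrip("/")  # the EntityID must carry no trailing slash
    return {"EntityID": f"{base}:8443",
            "AssertionConsumerServiceURL": f"{base}:8443/saml-callback"}


def idp_details(metadata_xml: str) -> dict:
    """idpEntityID, idpSingleSignOnURL and idpCertificateDataList from IdP metadata.
    Assumption: only HTTP-Redirect SSO endpoints and signing certificates count."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("metadata is not a single IdP EntityDescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys are not used to verify assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            data = "".join(cert.text.split())      # strip PEM line wrapping
            base64.b64decode(data, validate=True)  # reject garbled certificate data
            certs.append(data)
    if not sso or not certs:
        raise ValueError("no HTTP-Redirect SSO URL or signing certificate in metadata")
    return {"idpEntityID": root.get("entityID"),
            "idpSingleSignOnURL": sso[0],
            "idpCertificateDataList": certs}
```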