After the initial identity provider is set up and connected, you can connect additional existing identity providers using the Google Distributed Cloud (GDC) air-gapped appliance console.
To get the permissions that you need to connect an existing identity provider, ask your Organization IAM Admin to grant you the Organization IAM Admin role. The initial admin that you specify when connecting the identity provider must also have the Organization IAM Admin role assigned.
To connect the identity provider, you need a client ID and client secret from your identity provider.
There are two ways to connect an identity provider:
Connect to an existing OIDC provider
- Sign in to the GDC console. The following example shows the console after signing in to an organization called org-1.
- In the navigation menu, click Identity and Access > Identity.
- Click Setup New Identity Provider.
In the Configure identity provider section, complete the following steps and click Next:
- In the Identity provider list, select Open ID Connect (OIDC).
- Enter an Identity provider name.
- In the Google Distributed Cloud URL field, enter the URL you use to access GDC.
- In the Issuer URI field, enter the URL where authorization requests are sent to your identity provider. The Kubernetes API server uses this URL to discover public keys for verifying tokens. The URL must use HTTPS.
- In the Client ID field, enter the ID for the client application that makes authentication requests to the identity provider.
- In the Client secret section, select Configure client secret (Recommended).
- In the Client secret field, enter the client secret, which is a shared secret between your identity provider and GDC air-gapped appliance.
- Optional: In the Identity provider prefix field, enter a prefix. The prefix is added to the beginning of user claims and group claims. Prefixes are used to distinguish between different identity provider configurations. For example, if you set a prefix of myidp, a user claim might be myidpusername@example.com and a group claim might be myidpgroup@example.com. The prefix must also be included when assigning role-based access control (RBAC) permissions to groups.
- Optional: In the Encryption section, select Enable encrypted tokens.
To enable encrypted tokens, you must have the IdP Federation Admin role. Ask your Organization IAM Admin to grant you the IdP Federation Admin (idp-federation-admin) role.
- In the Key ID field, enter your key ID. The key ID is a public key of a JSON web encryption token (JWT). Your OIDC provider sets up and provisions a key ID.
- In the Decryption key field, enter the decryption key in PEM format. The decryption key is an asymmetric key that decrypts the encrypted tokens. Your OIDC provider sets up and provisions a decryption key.
In the Configure attributes section, complete the following steps and click Next:
- In the Certificate authority for OIDC provider field, enter a base64-encoded PEM-encoded certificate for the identity provider. For more information, see https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail.
  - To create the string, encode the certificate, including headers, into base64.
  - Include the resulting string as a single line. Example:
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC...k1JSUN2RENDQWFT==
- In the Group claim field, enter the name of the claim in the identity provider token that holds the user's group information.
- In the User claim field, enter the claim to identify each user. The default claim for many providers is sub. You can choose other claims, such as email or name, depending on the identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes.
- Optional: If your identity provider uses GKE Identity Service, in the Custom attributes section, click Add and enter key-value pairs for additional claims about a user, such as their department or profile picture URL.
- If your identity provider requires additional scopes, in the Scopes field, enter the comma-separated scopes to send to the identity provider. For example, Microsoft Azure and Okta require the offline_access scope.
- In the Extra parameters section, enter any additional key-value pairs (comma-separated) required by your identity provider. If you are authorizing a group, pass in resource=token-groups-claim. If your authorization server prompts for consent for authentication with Microsoft Azure and Okta, set prompt=consent. For Cloud Identity, set prompt=consent,access_type=offline.
In the Specify initial admins section, complete the following steps and click Next:
- Choose whether to add individual users or groups as initial administrators.
- In the Username or group alias field, enter the user or group email address to access the organization. If you are the administrator, enter your email address, for example sally@example.com. The prefix is added before the user name, such as myidp-sally@example.com.
Review your selections and click Setup.
The new identity provider profile is available in the Identity profiles list.
Connect to an existing SAML provider
- Sign in to the GDC console.
- In the navigation menu, click Identity and Access > Identity.
In the Configure identity provider section, complete the following steps and click Next:
- In the Identity provider drop-down menu, select Security Assertion Markup Language (SAML).
- Enter an Identity provider name.
- In the Identity ID field, enter the ID for the client application that makes authentication requests to the identity provider.
- In the SSO URI field, enter the URL to the single sign-on endpoint of the provider. For example: https://www.idp.com/saml/sso.
- In the Identity provider prefix field, enter a prefix. The prefix is added to the beginning of user and group claims. Prefixes distinguish between different identity provider configurations. For example, if you set a prefix of myidp, a user claim might show as myidpusername@example.com and a group claim might show as myidpgroup@example.com. You must also include the prefix when assigning RBAC permissions to groups.
- Optional: In the SAML Assertions section, select Enable encrypted SAML assertions.
To enable encrypted SAML assertions, you must have the IdP Federation Admin role. Ask your Organization IAM Admin to grant you the IdP Federation Admin (idp-federation-admin) role.
- In the Encryption certificate field, enter your encryption certificate in PEM format. You receive your encryption certificate after generating the SAML provider.
- In the Decryption key field, enter your decryption key. You receive your decryption key after generating the SAML provider.
- Optional: In the SAML Signed requests section, check Enable signed SAML requests.
- In the Signing certificate field, enter your signing certificate in PEM format. Your SAML provider sets up and provides the signing certificate.
- In the Signing key field, enter your signing key in PEM format. Your SAML provider sets up and provides the signing key.
In the Configure attributes page, complete the following steps and click Next:
- In the IDP certificate field, enter a base64-encoded PEM-encoded certificate for the identity provider. For more information, see https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail.
  - To create the string, encode the certificate, including headers, into base64.
  - Include the resulting string as a single line. For example:
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC...k1JSUN2RENDQWFT==
- Enter any additional certificates in the field Additional IDP certificate.
- In the User attribute field, enter the attribute to identify each user. The default attribute for many providers is sub. You can choose other attributes, such as email or name, depending on the identity provider. Attributes other than email are prefixed with the issuer URL to prevent naming clashes.
- In the Group attribute field, enter the name of the attribute in the identity provider token that holds the user's group information.
- Optional: If your identity provider uses GKE Identity Service, in the Attribute mapping area, click Add and enter key-value pairs for additional attributes about a user, such as their department or profile picture URL.
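Both the Certificate authority for OIDC provider field (OIDC procedure) and the IDP certificate field (SAML procedure) take the same value: the PEM file, headers included, base64-encoded into a single line. The Python below is an added example for producing and checking that value; it is not code from the GDC console or its documentation. SAMPLE_PEM is a constructed placeholder whose body is a minimal DER SEQUENCE rather than a real certificate, and the "one certificate per field" assumption is the author's (the SAML procedure puts further certificates in the Additional IDP certificate field).

```python
import base64
import binascii
import re

# Constructed placeholder, not a real certificate: the body is the base64 of a
# minimal DER SEQUENCE (0x30 0x03 0x02 0x01 0x01) so the structural checks pass.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def validate_pem_certificate(pem_text: str) -> int:
    """Check that the text is PEM with headers wrapping DER; return the block count.

    Catches the two common mistakes with this field: pasting a bare base64 body
    without the BEGIN/END headers, and pasting a value that is already the
    base64 of a PEM file (in which case the decoded body is not DER).
    """
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no '-----BEGIN CERTIFICATE-----' block: the field needs the PEM headers")
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM body is not valid base64: {exc}") from exc
        # Every DER certificate starts with a SEQUENCE tag (0x30).
        if not der or der[0] != 0x30:
            raise ValueError(
                "decoded body is not DER (no SEQUENCE tag); is the input already the base64 of a PEM file?"
            )
    return len(bodies)


def encode_pem_for_console(pem_text: str) -> str:
    """Base64-encode the whole PEM text, headers included, as one line with no wrapping."""
    validate_pem_certificate(pem_text)
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def decode_console_value(value: str) -> str:
    """Reverse the encoding to confirm that what will be pasted round-trips to valid PEM."""
    if any(ch.isspace() for ch in value):
        raise ValueError("the console value must be a single line with no whitespace")
    pem_text = base64.b64decode(value, validate=True).decode("ascii")
    validate_pem_certificate(pem_text)
    return pem_text


if __name__ == "__main__":
    encoded = encode_pem_for_console(SAMPLE_PEM)
    print(encoded)
    assert decode_console_value(encoded) == SAMPLE_PEM
```

The encoded string starts with LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t, which is exactly the base64 of the -----BEGIN CERTIFICATE----- header and matches the example value shown in the procedure; on a Linux workstation, base64 -w 0 ca.pem produces the same output for a real certificate file. Running decode_console_value on the string before pasting it is a cheap way to catch a wrapped or double-encoded value, which otherwise surfaces only as a token verification failure after setup.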
In the Specify initial admins section, complete the following steps and click Next:
- Choose whether to add individual users or groups as initial administrators.
- In the Username field, enter the user or group email address to access the organization. If you are the administrator, enter your email address, for example kiran@example.com. The prefix is added before the user name, such as myidp-kiran@example.com.
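The prefix rule in both the OIDC and SAML procedures (prefix prepended to user and group claims; claims other than email additionally qualified with the issuer URL; the prefix required in RBAC group bindings) is the part that most often goes wrong after setup, because a binding written with the bare provider group name never matches. The Python below is an added example of that mapping and of a check for bindings that cannot match; it is not code from the GDC console or its documentation. SAMPLE_CLAIMS is a constructed token payload, and two formatting details are assumptions: the "-" separator between prefix and claim (the page shows both myidpusername@example.com and myidp-sally@example.com) and the issuer#claim layout for non-email user claims.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IdpConfig:
    """Values entered in the console for one identity provider (assumed field set)."""
    prefix: str          # Identity provider prefix, e.g. "myidp"
    user_claim: str      # User claim / attribute, e.g. "email" or "sub"
    group_claim: str     # Group claim / attribute, e.g. "groups"
    issuer: str          # Issuer URI of the provider
    separator: str = "-" # Assumption: the page shows both "myidpuser" and "myidp-user"


# Constructed token payload, not captured from a real provider.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "u-123",
    "email": "sally@example.com",
    "groups": ["platform-admins", "viewers"],
}

SAMPLE_CONFIG = IdpConfig(prefix="myidp", user_claim="email",
                          group_claim="groups", issuer="https://idp.example.com")


def _with_prefix(cfg: IdpConfig, value: str) -> str:
    """Prepend the provider prefix; an empty prefix leaves the value unchanged."""
    return f"{cfg.prefix}{cfg.separator}{value}" if cfg.prefix else value


def effective_user(cfg: IdpConfig, claims: dict) -> str:
    """Identity the platform sees for this token.

    Claims other than email are qualified with the issuer URL so that two
    providers issuing the same 'sub' cannot collide; the 'issuer#claim'
    layout is an assumption about the exact format.
    """
    if cfg.user_claim not in claims:
        raise KeyError(f"token has no '{cfg.user_claim}' claim; check the User claim field")
    raw = str(claims[cfg.user_claim])
    if cfg.user_claim != "email":
        raw = f"{cfg.issuer}#{raw}"
    return _with_prefix(cfg, raw)


def effective_groups(cfg: IdpConfig, claims: dict) -> list[str]:
    """Group names after prefixing; the claim may be a list or a single string."""
    groups = claims.get(cfg.group_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    return [_with_prefix(cfg, g) for g in groups]


def unmatched_subjects(cfg: IdpConfig, claims: dict, binding_groups: list[str]) -> list[str]:
    """Groups named in an RBAC binding that this token will never match.

    The usual cause is a binding written with the bare provider group name
    (e.g. 'platform-admins') instead of the prefixed form the procedure requires.
    """
    seen = set(effective_groups(cfg, claims))
    return [g for g in binding_groups if g not in seen]


def has_access(cfg: IdpConfig, claims: dict, binding_groups: list[str]) -> bool:
    """True when at least one binding group matches a prefixed group from the token."""
    return len(unmatched_subjects(cfg, claims, binding_groups)) < len(binding_groups)


if __name__ == "__main__":
    print(effective_user(SAMPLE_CONFIG, SAMPLE_CLAIMS))
    print(effective_groups(SAMPLE_CONFIG, SAMPLE_CLAIMS))
    print("unprefixed binding matches:", has_access(SAMPLE_CONFIG, SAMPLE_CLAIMS, ["platform-admins"]))
    print("prefixed binding matches:", has_access(SAMPLE_CONFIG, SAMPLE_CLAIMS, ["myidp-platform-admins"]))
```

Running unmatched_subjects over the group subjects of your role bindings with a sample token from each connected provider shows which bindings were written without the prefix before anyone is locked out; switching the configuration to user_claim="sub" also makes visible how much longer, and provider-specific, the resulting usernames become.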
In the Review page, check all the values of each identity configuration before continuing. Click Back to return to the previous pages and make necessary corrections. When you've configured all values to your specification, click Setup.