Configure workforce identity federation

This guide describes how to configure workforce identity federation with an identity provider (IdP) that supports OIDC or SAML 2.0.

For IdP-specific instructions, see the following:

Before you begin

You must have a Google Cloud organization set up.
Enable the Identity and Access Management (IAM) and Resource Manager APIs.
Enable the APIs
Install the Google Cloud CLI, then initialize it by running the following command:
```
gcloud init
```
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
Your IdP must provide signed authentication information: OIDC IdPs must provide a JWT, and SAML IdP responses must be signed.

Required roles

To get the permissions that you need to configure workforce identity federation, ask your administrator to grant you the Workforce Identity Pool Admin (roles/iam.workforcePoolAdmin) IAM role on the organization. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Alternatively, the Owner basic role (roles/owner) also includes permissions to configure workforce identity federation. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

Configure workforce identity federation

To configure workforce identity federation, you create a workforce identity pool and a workforce identity pool provider.

Create a workforce identity pool

To create the pool, execute the following command:

gcloud iam workforce-pools create WORKFORCE_POOL_ID \
    --organization=ORGANIZATION_ID \
    --description="DESCRIPTION" \
    --location=global

Replace the following:

WORKFORCE_POOL_ID: the workforce identity pool ID
ORGANIZATION_ID: the numeric organization ID
DESCRIPTION: a workforce identity pool description

Create a workforce identity pool provider

You can configure workforce identity pool providers in the following ways:

OIDC

To configure the OIDC provider, perform the following steps:

In your OIDC IdP, register a new application for Google Cloud workforce identity federation. Note the client ID and issuer URI provided by the IdP. You use them in this document.
If you plan to set up user access to the console, add the following redirect URL to your OIDC IdP:
```
https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
```
To learn how to configure console (federated) sign-in, see Set up user access to the console (federated).
In Google Cloud, to create an OIDC workforce identity pool provider that uses the implicit flow for web sign-in, run the following command:

gcloud iam workforce-pools providers create-oidc PROVIDER_ID \
  --workforce-pool=WORKFORCE_POOL_ID \
  --display-name="DISPLAY_NAME" \
  --description="DESCRIPTION" \
  --issuer-uri="ISSUER_URI" \
  --client-id="CLIENT_ID" \
  --web-sso-response-type="id-token" \
  --web-sso-assertion-claims-behavior="only-id-token-claims" \
  --attribute-mapping="ATTRIBUTE_MAPPING" \
  --attribute-condition="ATTRIBUTE_CONDITION" \
  --location=global

Replace the following:

PROVIDER_ID: a unique provider ID
WORKFORCE_POOL_ID: the workforce identity pool ID to connect your IdP to
DISPLAY_NAME an optional user-friendly display name for the provider; for example, idp-eu-employees
DESCRIPTION: an optional workforce provider description; for example, IdP for Partner Example Organization employees
ISSUER_URI: the OIDC issue URI that Issuer, in a valid URI format, that starts with https; for example, https://example.com/oidc
CLIENT_ID: the OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP
ATTRIBUTE_MAPPING: an attribute mapping; for example, google.subject=assertion.sub, google.groups=[assertion.group1,assertion.group2], attribute.costcenter=assertion.costcenter
ATTRIBUTE_CONDITION: an attribute condition; for example, assertion.role == 'gcp-users'

This command assigns the subject, list of assertion.group1, assertion.group2, and costcenter in the OIDC assertion to google.subject, google.groups, and attribute.costcenter attributes, respectively. The attribute condition ensures that only users with gcp-users roles can sign in using this workforce provider. It configures the provider to only include ID token claims for attribute mapping and attribute condition.

The prefix gcp- is reserved and can't be used in a pool or provider ID.

For OIDC federation, you can use assertion.NAME: a string equal to the value of the like-named claim in the ID token payload.

SAML

To configure the SAML provider, perform the following steps:

In your SAML IdP, register a new application for Google Cloud workforce identity federation.
Set the audience for SAML assertions. It is usually the SP Entity ID field in your IdP configuration. You must set it to the following URL:
```
https://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID
```
If you plan to set up user access to the console, add the following redirect URL to your SAML IdP:
```
https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
```
See Set up user access to the console for more details on configuring Console Sign-in.
In Google Cloud, create a SAML workforce identity pool provider using your IdP's SAML metadata doc. You can download the SAML metadata XML document from your IdP. The document must include at least the following:
- A SAML entity ID for your IdP
- The single-sign-on URL for your IdP
- At least one signing public key.
See Key requirements later in this guide for details on signing keys.
```
gcloud iam workforce-pools providers create-saml PROVIDER_ID \
    --workforce-pool=WORKFORCE_POOL_ID \
    --display-name="DISPLAY_NAME" \
    --description="DESCRIPTION" \
    --idp-metadata-path=METADATA_FILE_PATH \
    --attribute-mapping="ATTRIBUTE_MAPPING" \
    --attribute-condition="ATTRIBUTE_CONDITION" \
    --location=global
```
Replace the following:
- PROVIDER_ID: the provider ID.
- WORKFORCE_POOL_ID: the pool ID.
- DISPLAY_NAME the display name for the provider; for example, idp-eu-employees
- DESCRIPTION: the description for the workforce identity pool provider; for example, IdP for Partner Example Organization EU employees.
- METADATA_FILE_PATH: the file path of the SAML metadata
- ATTRIBUTE_MAPPING: the attribute mapping; for example, google.subject=assertion.subject, google.groups=assertion.attributes.groupList, attribute.costcenter=assertion.attributes.costcenter[0]
- ATTRIBUTE_CONDITION: an attribute condition; for example: assertion.attributes.role[0] == 'gcp-users'
The prefix gcp- is reserved and can't be used in a pool or provider ID.

For SAML federation, you can use the following keywords in attribute mappings and conditions:

assertion.subject: a string equal to the NameID attribute in the SAML assertion.
assertion.attributes.NAME: a string list equal to the values of the like-named attributes in the SAML assertion.

Optional: Accept encrypted SAML assertions from your IdP

To enable your SAML 2.0 IdP to produce encrypted SAML assertions that can be accepted by workforce identity federation, do the following:

In workforce identity federation, do the following:

Create an asymmetric key pair for your workforce identity pool provider.
Download a certificate file that contains the public key.
Configure your SAML IdP to use the public key to encrypt SAML assertions it issues.

In your IdP, do the following:

Enable assertion encryption, also known as token encryption.
Upload the public key that you created in workforce identity federation.
Confirm that your IdP produces encrypted SAML assertions.

Note that, even with SAML encryption provider keys configured, workforce identity federation can still process a plaintext assertion.

Create workforce identity federation SAML assertion encryption keys

This section guides you through creating an asymmetric key pair that enables workforce identity federation to accept encrypted SAML assertions.

Google Cloud uses the private key to decrypt the SAML assertions that your IdP issues. To create an asymmetric key pair for use with SAML encryption, run the following command. To learn more, see Supported SAML encryption algorithms.

gcloud iam workforce-pools providers keys create KEY_ID \
    --workforce-pool WORKFORCE_POOL_ID \
    --provider PROVIDER_ID \
    --location global \
    --use encryption \
    --spec KEY_SPECIFICATION

Replace the following:

KEY_ID: a key name of your choice
WORKFORCE_POOL_ID: the pool ID
PROVIDER_ID: the provider ID
KEY_SPECIFICATION: the key specification, which can be one of rsa-2048, rsa-3072, and rsa-4096.

After the key pair is created, to download the public key into a certificate file, execute the following command. Only workload identity federation has access to the private key.

gcloud iam workforce-pools providers keys describe KEY_ID \
    --workforce-pool WORKFORCE_POOL_ID \
    --provider PROVIDER_ID \
    --location global \
    --format "value(keyData.key)" \
    > CERTIFICATE_PATH

Replace the following:

KEY_ID: the key name
WORKFORCE_POOL_ID: the pool ID
PROVIDER_ID: the provider ID
CERTIFICATE_PATH: the path to write the certificate to—for example, saml-certificate.cer or saml-certificate.pem

Configure your SAML 2.0-compliant IdP to issue encrypted SAML assertions

Configure your SAML IdP to use the public certificate downloaded from the last step to encrypt the SAML assertions that it issues. Consult your IdP team for specific instructions.

After you configure your IdP to encrypt SAML assertions, we recommend that you check to make sure that the assertions it generates are actually encrypted. Even with SAML assertion encryption configured, workforce identity federation can still process plaintext assertions.

Delete workforce identity federation encryption keys

To delete SAML encryption keys run the following command:

  gcloud iam workforce-pools providers keys delete KEY_ID \
      --workforce-pool WORKFORCE_POOL_ID \
      --provider PROVIDER_ID \
      --location global

Replace the following:

KEY_ID: the key name
WORKFORCE_POOL_ID: the pool ID
PROVIDER_ID: the provider ID

Supported SAML encryption algorithms

Workforce identity federation supports the following key transport algorithms:

Workforce identity federation supports the following block encryption algorithms:

SAML X.509 signing key requirements

The following key specifications apply to SAML X.509 signing keys:

An RSA public key that is wrapped in an X.509 v3 certificate.
Certificate validity requirements:
- notBefore: a timestamp of no more than 7 days in the future
- notAfter: a timestamp no more than 14 years in the future
Recommended algorithms:
- RSAwithSHA256 (supported key sizes (bits): 2048, 3072, 4096)
- ECDSAwithSHA256

A workforce identity pool provider can be configured with at most three signing keys at a given time. When multiple keys exist, Google Cloud iterates through them and attempts to use each non-expired key to fulfill a token exchange request.

As a security best practice, we strongly recommend that you don't reuse the same key pair with other services.

Key management

To update your IdP's signing keys, do the following:

Create a new asymmetric key pair and configure the SAML identity provider with the key pair. You initially mark it as inactive before activating it in a later step.
Download a SAML metadata XML document from your IdP.

Note: The document must contain both the existing signing key and the newly created signing key.
Update the workforce identity pool provider resource using the SAML metadata document. When multiple keys exist, Google Cloud iterates through each non-expired key and attempts to it to fulfill a token exchange request.

To update the workforce identity pool provider with the SAML metadata, execute the following command.
```
gcloud iam workforce-pools providers update-saml PROVIDER_ID \
    --workforce-pool=WORKFORCE_POOL_ID \
    --idp-metadata-path=SAML_METADATA_FILE_PATH \
    --location=global
```
Replace the following:
- PROVIDER_ID: the provider ID
- WORKFORCE_POOL_ID: the workforce identity pool ID
- SAML_METADATA_FILE_PATH: the path to the SAML metadata file
Wait for the operation returned from the previous step to complete (the operation is marked as done), and then in your SAML IdP, activate the new signing key. The old signing key is marked as inactive. Assertions issued by your IdP are signed using the new key.

The following steps are optional, but we recommend you perform them as a best practice:

Delete the old, now inactive, signing key from your IdP.
Download the SAML metadata XML document from your IdP.
Update the workforce identity pool provider resource using the SAML metadata document. Google Cloud refuses assertions that are signed with the expired signing key. To update the document, execute the following command:
```
gcloud iam workforce-pools providers update-saml PROVIDER_ID \
    --workforce-pool=WORKFORCE_POOL_ID \
    --idp-metadata-path=SAML_METADATA_FILE_PATH \
    --location=global
```
Replace the following:
- PROVIDER_ID: the provider ID
- WORKFORCE_POOL_ID: the workforce identity pool ID
- SAML_METADATA_FILE_PATH: the SAML metadata file path

Key deletion constraint

Google Cloud refuses assertions signed with a deleted key.

Represent workforce pool users in IAM policies

The following table shows the principal identifiers that you use to grant roles to a single user, a group of users, users carrying a particular claim, or all users from a workforce pool.

Identities	Identifier format
Single identity in a workforce identity pool	`principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE`
All workforce identities in a group	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID`
All workforce identities with a specific attribute value	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE`
All identities in a workforce identity pool	`principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*`

Grant IAM roles to principals

You can grant roles to principals, such as single identities, groups of identities, or an entire pool.

To grant a role on a project to a principal, execute the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --role="ROLE" \
    --member="PRINCIPAL"

Replace the following:

PROJECT_ID: the project ID
ROLE: the role to set
PRINCIPAL: the principal; see Representing workforce identity pool users in IAM policies.

In the example that follows, the command grants the Storage Admin (roles/storage.admin) to all identities within the group GROUP_ID:

gcloud projects add-iam-policy-binding my-project \
    --role="roles/storage.admin" \
    --member="principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID"

For more information about the principal format, see Represent workforce identity pool users in IAM policies.

Configure workforce identity federation

Before you begin

Required roles

Configure workforce identity federation

Create a workforce identity pool

Create a workforce identity pool provider

OIDC

SAML

Optional: Accept encrypted SAML assertions from your IdP

Create workforce identity federation SAML assertion encryption keys

Configure your SAML 2.0-compliant IdP to issue encrypted SAML assertions

Delete workforce identity federation encryption keys

Supported SAML encryption algorithms

SAML X.509 signing key requirements

Key management

Key deletion constraint

Represent workforce pool users in IAM policies

Grant IAM roles to principals

What's next