Configure workforce identity federation

OIDC

To configure the OIDC provider, perform the following steps:

1. In your OIDC IdP, register a new application for Google Cloud workforce identity federation. Note the client ID and issuer URI provided by the IdP. You use them in this document.

2. If you plan to set up user access to the console, add the following redirect URL to your OIDC IdP:

   https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
   

   To learn how to configure console (federated) sign-in, see Set up user access to the console (federated).

3. In Google Cloud, create an OIDC workforce identity pool provider by executing the following command:

gcloud iam workforce-pools providers create-oidc PROVIDER_ID \
  --workforce-pool=WORKFORCE_POOL_ID \
  --display-name="DISPLAY_NAME" \
  --description="DESCRIPTION" \
  --issuer-uri="ISSUER_URI" \
  --client-id="CLIENT_ID" \
  --attribute-mapping="ATTRIBUTE_MAPPING" \
  --attribute-condition="ATTRIBUTE_CONDITION" \
  --location=global

Replace the following:

• PROVIDER_ID: a unique provider ID
• WORKFORCE_POOL_ID: the workforce identity pool ID to connect your IdP to
• DISPLAY_NAME an optional user-friendly display name for the provider; for example, idp-eu-employees
• DESCRIPTION: an optional workforce provider description; for example, IdP for Partner Example Organization employees
• ISSUER_URI: the OIDC issue URI that Issuer, in a valid URI format, that starts with https; for example, https://example.com/oidc
• CLIENT_ID: the OIDC client ID that is registered with your OIDC IdP; the ID must match the aud claim of the JWT that is issued by your IdP
• ATTRIBUTE_MAPPING: an attribute mapping; for example, google.subject=assertion.sub, google.groups=[assertion.group1,assertion.group2], attribute.costcenter=assertion.costcenter
• ATTRIBUTE_CONDITION: an attribute condition; for example, assertion.role == 'gcp-users'

For OIDC federation, you can use assertion.NAME: a string equal to the value of the like-named claim in the ID token payload.

SAML

To configure the SAML provider, perform the following steps:

1. In your SAML IdP, register a new application for Google Cloud workforce identity federation.

2. Set the audience for SAML assertions. It is usually the SP Entity ID field in your IdP configuration. You must set it to the following URL:

   https://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/PROVIDER_ID
   

3. If you plan to set up user access to the console, add the following redirect URL to your SAML IdP:

   https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
   

   See Set up user access to the console for more details on configuring Console Sign-in.

4. In Google Cloud, create a SAML workforce identity pool provider using your IdP's SAML metadata doc. You can download the SAML metadata XML document from your IdP. The document must include at least the following:

   • A SAML entity ID for your IdP
   • The single-sign-on URL for your IdP
   • At least one signing public key.

   See Key requirements later in this guide for details on signing keys.

   gcloud iam workforce-pools providers create-saml PROVIDER_ID \
       --workforce-pool=WORKFORCE_POOL_ID \
       --display-name="DISPLAY_NAME" \
       --description="DESCRIPTION" \
       --idp-metadata-path=METADATA_FILE_PATH \
       --attribute-mapping="ATTRIBUTE_MAPPING" \
       --attribute-condition="ATTRIBUTE_CONDITION" \
       --location=global
   

   Replace the following:

   • PROVIDER_ID: the provider ID.
   • WORKFORCE_POOL_ID: the pool ID.
   • DISPLAY_NAME the display name for the provider; for example, idp-eu-employees
   • DESCRIPTION: the description for the workforce identity pool provider; for example, IdP for Partner Example Organization EU employees.
   • METADATA_FILE_PATH: the file path of the SAML metadata
   • ATTRIBUTE_MAPPING: the attribute mapping; for example, google.subject=assertion.subject, google.groups=assertion.attributes.groupList, attribute.costcenter=assertion.attributes.costcenter[0]
   • ATTRIBUTE_CONDITION: an attribute condition; for example: assertion.attributes.role[0] == 'gcp-users'

For SAML federation, you can use the following keywords in attribute mappings and conditions:

• assertion.subject: a string equal to the NameID attribute in the SAML assertion.
• assertion.attributes.NAME: a string list equal to the values of the like-named attributes in the SAML assertion.

Key requirements

The following key specifications apply to SAML:

• An RSA public key that is wrapped in an X.509 v3 certificate.

• Certificate validity requirements:

  • notBefore: a timestamp of no more than 7 days in the future.
  • notAfter: a timestamp no more than 14 years in the future.

• Recommended algorithms:

  • RSAwithSHA256 (supported key sizes (bits): 2048, 3072, 4096)
  • ECDSAwithSHA256

A workforce identity pool provider can be configured with at most three signing keys at a given time. When multiple keys exist, Google Cloud iterates through them and attempts to use each non-expired key to fulfill a token exchange request.

As a security best practice, we strongly recommend that you don't reuse the same key pair with other services.

Key management

To update your IdP's signing keys, do the following:

1. Create a new asymmetric key pair and configure the SAML identity provider with the key pair. You initially mark it as inactive before activating it in a later step.

2. Download a SAML metadata XML document from your IdP.

3. Update the workforce identity pool provider resource using the SAML metadata document. When multiple keys exist, Google Cloud iterates through each non-expired key and attempts to it to fulfill a token exchange request.

   To update the workforce identity pool provider with the SAML metadata, execute the following command.

   gcloud iam workforce-pools providers update-saml PROVIDER_ID \
       --workforce-pool=WORKFORCE_POOL_ID \
       --idp-metadata-path=SAML_METADATA_FILE_PATH \
       --location=global
   

   Replace the following:

   • PROVIDER_ID: the provider ID
   • WORKFORCE_POOL_ID: the workforce identity pool ID
   • SAML_METADATA_FILE_PATH: the path to the SAML metadata file

4. Wait for the operation returned from the previous step to complete (the operation is marked as done), and then in your SAML IdP, activate the new signing key. The old signing key is marked as inactive. Assertions issued by your IdP are signed using the new key.

The following steps are optional, but we recommend you perform them as a best practice:

1. Delete the old, now inactive, signing key from your IdP.
2. Download the SAML metadata XML document from your IdP.

3. Update the workforce identity pool provider resource using the SAML metadata document. Google Cloud refuses assertions that are signed with the expired signing key. To update the document, execute the following command:

   gcloud iam workforce-pools providers update-saml PROVIDER_ID \
       --workforce-pool=WORKFORCE_POOL_ID \
       --idp-metadata-path=SAML_METADATA_FILE_PATH \
       --location=global
   

   Replace the following:

   • PROVIDER_ID: the provider ID
   • WORKFORCE_POOL_ID: the workforce identity pool ID
   • SAML_METADATA_FILE_PATH: the SAML metadata file path

Key deletion constraint

Google Cloud refuses assertions signed with a deleted key.