This guide describes how you can perform common operations with Workforce Identity Federation. To set up Workforce Identity Federation, see the following guides:
- Configure Workforce Identity Federation with Microsoft Entra ID and sign in users
- Configure Workforce Identity Federation with Okta and sign in users
- Configure Workforce Identity Federation on an IdP that supports OIDC or SAML
Before you begin
You must have a Google Cloud organization set up.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
Manage pools
This section shows you how to manage workforce identity pools.
Create a pool
To create a workforce pool, execute the following command:
Console
To create the workforce identity pool, do the following:
In the Google Cloud console, go to the Workforce Identity Pools page:
Click Create pool and do the following:
In the Name field, enter the display name of the pool. The pool ID is automatically derived from the name as you type, and it is displayed under the Name field. You can update the pool ID by clicking Edit next to the pool ID.
Optional: In Description, enter a description of the pool.
Session duration is set by default. To enter a custom session duration, click Edit. Session duration determines how long the Google Cloud access tokens, console (federated) sign-in sessions, and gcloud CLI sign-in sessions from this workforce pool are valid. The duration must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session duration is not set, it defaults to a duration of one hour (3600s).
To create the pool in the enabled state, make sure that Enabled Pool is on.
To create the workforce identity pool, click Next.
gcloud
To create the workforce identity pool, run the following command:
gcloud iam workforce-pools create WORKFORCE_POOL_ID \
--organization=ORGANIZATION_ID \
--display-name="DISPLAY_NAME" \
--description="DESCRIPTION" \
--session-duration=SESSION_DURATION \
--location=global
Replace the following:
WORKFORCE_POOL_ID
: an ID that you choose to represent your Google Cloud workforce pool. For information on formatting the ID, see the Query parameters section in the API documentation.ORGANIZATION_ID
: the numeric organization ID of your Google Cloud organization.DISPLAY_NAME
: Optional. A display name for your workforce identity pool.DESCRIPTION
: Optional. A workforce identity pool description.SESSION_DURATION
: Optional. The session duration, which determines how long the Google Cloud access tokens, console (federated) sign-in sessions, and gcloud CLI sign-in sessions from this workforce pool are valid. The duration must be greater than 15 minutes (900s) and less than 12 hours (43200s). If session duration is not set, it defaults to a duration of one hour (3600s).
Describe a pool
Console
To describe a specific workforce pool using the Google Cloud console, do the following:
Go to the Workforce Identity Pools page:
In Workforce pools, select the pool
gcloud
To describe a specific workforce pool using the gcloud CLI, execute the following command:
gcloud iam workforce-pools describe WORKFORCE_POOL_ID \
--location=global
Replace WORKFORCE_POOL_ID
with the workforce pool ID
that you chose when you created the pool.
List pools
Console
To list workforce pools using the Google Cloud console, do the following:
Go to the Workforce Identity Pools page:
In the table, view the list of pools.
gcloud
To list the workforce pools in the organization, execute the following command:
gcloud iam workforce-pools list \
--organization=ORGANIZATION_ID \
--location=global
Replace ORGANIZATION_ID with your organization ID.
Update a pool
Console
To update a specific workforce pool using the Google Cloud console, do the following:
Go to the Workforce Identity Pools page:
In the table, select the pool.
Update the pool parameters.
Click Save Pool.
gcloud
To update a specific workforce pool, execute the following command:
gcloud iam workforce-pools update WORKFORCE_POOL_ID \
--description=DESCRIPTION \
--location=global
Replace the following:
WORKFORCE_POOL_ID
: the workforce pool IDDESCRIPTION
: the description of the pool
Delete a pool
Console
To delete a specific workforce pool using the Google Cloud console, do the following:
Go to the Workforce Identity Pools page:
In Workforce pools, click
Delete on the pool you want to delete.Follow additional instructions.
gcloud
To delete a workforce identity pool, execute the following command:
gcloud iam workforce-pools delete WORKFORCE_POOL_ID \
--location=global
Replace WORKFORCE_POOL_ID
with the workforce pool ID.
Undelete a pool
You can undelete a workforce identity pool that was deleted within the last 30 days.
To undelete a pool, execute the following command:
gcloud iam workforce-pools undelete WORKFORCE_POOL_ID \
--location=global
Replace WORKFORCE_POOL_ID
with the workforce pool ID.
Configure a provider within the workforce pool
This section explains how you can use gcloud
commands to configure workforce
identity pool providers:
Create an OIDC provider
This section describes how to create a workforce identity pool provider for an OIDC IdP.
Console
Code flow
In the Google Cloud console, go to the Workforce Identity Pools page:
In the Workforce Identity Pools table, select the pool for which you want to create the provider.
In the Providers table, click Add Provider.
In Select a protocol, select Open ID Connect (OIDC).
In Create a pool provider, do the following:
- In Name, enter a name for the provider.
- In Issuer (URL), enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start with
https
; for example,https://example.com/oidc
. - Enter the Client ID, the OIDC client ID that is registered
with your OIDC IdP; the ID must match the
aud
claim of the JWT that is issued by your IdP. - To create a provider that is enabled, make sure Enabled Provider is on.
- Click Continue.
In Response type do the following. Response type is used only for a web-based single-sign-on flow.
- In Response type, select Code.
- In Client secret, enter the client secret from your IdP.
In Assertion claims behavior, select either of the following:
- User info and ID token
- Only ID token
Click Continue.
In Configure provider, you can configure an attribute mapping and an attribute condition. To create an attribute mapping, do the following. You can provide either the IdP field name or a CEL-formatted expression that returns a string.
Required: In OIDC 1, enter the subject from the IdP; for example,
assertion.sub
.Optional: To add additional attribute mappings, do the following:
- Click Add mapping.
- In Google n, where n is a number, enter one of the Google Cloud-supported keys.
- In the corresponding OIDC n field, enter the name of the IdP-specific field to map, in CEL format.
To create an attribute condition, do the following:
- Click Add condition.
- In Attribute Conditions, enter a condition in CEL format;
for example,
assertion.role == 'gcp-users'
. This example condition ensures that only users with the rolegcp-users
can sign in using this provider.
To create the provider, click Submit.
Implicit flow
In the Google Cloud console, go to the Workforce Identity Pools page:
In the Workforce Identity Pools table, select the pool for which you want to create the provider.
In the Providers table, click Add Provider.
In Select a protocol, select Open ID Connect (OIDC).
In Create a pool provider, do the following:
- In Name, enter a name for the provider.
- In Issuer (URL), enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start with
https
; for example,https://example.com/oidc
. - Enter the Client ID, the OIDC client ID that is registered
with your OIDC IdP; the ID must match the
aud
claim of the JWT that is issued by your IdP. - To create a provider that is enabled, make sure Enabled Provider is on.
- Click Continue.
In Response type do the following. Response type is used only for a web-based single-sign-on flow.
- In Response type, select ID token.
- Click Continue.
In Configure provider, you can configure an attribute mapping and an attribute condition. To create an attribute mapping, do the following. You can provide either the IdP field name or a CEL-formatted expression that returns a string.
Required: In OIDC 1, enter the subject from the IdP; for example,
assertion.sub
.Optional: To add additional attribute mappings, do the following:
- Click Add mapping.
- In Google n, where n is a number, enter one of the Google Cloud-supported keys.
- In the corresponding OIDC n field, enter the name of the IdP-specific field to map, in CEL format.
To create an attribute condition, do the following:
- Click Add condition.
In Attribute Conditions, enter a condition in CEL format; for example,
assertion.role == 'gcp-users'
. This example condition ensures that only users with the rolegcp-users
can sign in using this provider.
To create the provider, click Submit.
gcloud
Code flow
To create an OIDC provider that uses authorization code flow for web sign-in, run the following command:
gcloud iam workforce-pools providers create-oidc PROVIDER_ID \ --workforce-pool=WORKFORCE_POOL_ID \ --display-name="DISPLAY_NAME" \ --description="DESCRIPTION" \ --issuer-uri="ISSUER_URI" \ --client-id="OIDC_CLIENT_ID" \
--client-secret-value="OIDC_CLIENT_SECRET" \ --web-sso-response-type="code" \ --web-sso-assertion-claims-behavior="merge-user-info-over-id-token-claims" \ --web-sso-additional-scopes="WEB_SSO_ADDITIONAL_SCOPES" \ --attribute-mapping="ATTRIBUTE_MAPPING" \ --attribute-condition="ATTRIBUTE_CONDITION" \ --jwk-json-path="JWK_JSON_PATH" \ --location=global
Replace the following:
PROVIDER_ID
: A unique provider ID. The prefixgcp-
is reserved and can't be used in a pool or provider ID.WORKFORCE_POOL_ID
: The workforce identity pool ID to connect your IdP to.DISPLAY_NAME
: An optional user-friendly display name for the provider; for example,idp-eu-employees
.DESCRIPTION
: An optional workforce provider description; for example,IdP for Partner Example Organization employees
.ISSUER_URI
: The OIDC issuer URI, in a valid URI format, that starts withhttps
; for example,https://example.com/oidc
. Note: For security reasons,ISSUER_URI
must use the HTTPS scheme.OIDC_CLIENT_ID
: The OIDC client ID that is registered with your OIDC IdP; the ID must match theaud
claim of the JWT that is issued by your IdP.OIDC_CLIENT_SECRET
: The OIDC client secret.WEB_SSO_ADDITIONAL_SCOPES
: Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.ATTRIBUTE_MAPPING
: An attribute mapping. The following is an example of an attribute mapping:
This example maps the IdP attributesgoogle.subject=assertion.sub, google.groups=assertion.group1, attribute.costcenter=assertion.costcenter
subject
,group1
, andcostcenter
in the OIDC assertion togoogle.subject
,google.groups
, andattribute.costcenter
attributes, respectively.ATTRIBUTE_CONDITION
: An attribute condition; for example,assertion.role == 'gcp-users'
. This example condition ensures that only users with the rolegcp-users
can sign in using this provider.JWK_JSON_PATH
: An optional path to a locally uploaded OIDC JWKs. If this parameter isn't supplied, Google Cloud instead uses your IdP's/.well-known/openid-configuration
path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, see manage OIDC JWKs.
locations/global/workforcePools/enterprise-example-organization-employees
.
Implicit flow
To create an OIDC workforce identity pool provider that uses the implicit flow for web sign-in, run the following command:
gcloud iam workforce-pools providers create-oidc PROVIDER_ID \ --workforce-pool=WORKFORCE_POOL_ID \ --display-name="DISPLAY_NAME" \ --description="DESCRIPTION" \ --issuer-uri="ISSUER_URI" \ --client-id="OIDC_CLIENT_ID" \ --web-sso-response-type="id-token" \ --web-sso-assertion-claims-behavior="only-id-token-claims" \ --web-sso-additional-scopes="WEB_SSO_ADDITIONAL_SCOPES" \ --attribute-mapping="ATTRIBUTE_MAPPING" \ --attribute-condition="ATTRIBUTE_CONDITION" \ --jwk-json-path="JWK_JSON_PATH" \ --location=global
Replace the following:
PROVIDER_ID
: A unique provider ID. The prefixgcp-
is reserved and can't be used in a pool or provider ID.WORKFORCE_POOL_ID
: The workforce identity pool ID to connect your IdP to.DISPLAY_NAME
: An optional user-friendly display name for the provider; for example,idp-eu-employees
.DESCRIPTION
: An optional workforce provider description; for example,IdP for Partner Example Organization employees
.ISSUER_URI
: The OIDC issuer URI, in a valid URI format, that starts withhttps
; for example,https://example.com/oidc
. Note: For security reasons,ISSUER_URI
must use the HTTPS scheme.OIDC_CLIENT_ID
: The OIDC client ID that is registered with your OIDC IdP; the ID must match theaud
claim of the JWT that is issued by your IdP.WEB_SSO_ADDITIONAL_SCOPES
: Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.ATTRIBUTE_MAPPING
: An attribute mapping. The following is an example of an attribute mapping:
This example maps the IdP attributesgoogle.subject=assertion.sub, google.groups=assertion.group1, attribute.costcenter=assertion.costcenter
subject
,group1
, andcostcenter
in the OIDC assertion togoogle.subject
,google.groups
, andattribute.costcenter
attributes, respectively.ATTRIBUTE_CONDITION
: An attribute condition; for example,assertion.role == 'gcp-users'
. This example condition ensures that only users with the rolegcp-users
can sign in using this provider.JWK_JSON_PATH
: An optional path to a locally uploaded OIDC JWKs. If this parameter isn't supplied, Google Cloud instead uses your IdP's/.well-known/openid-configuration
path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, see manage OIDC JWKs.
locations/global/workforcePools/enterprise-example-organization-employees
.
Create a SAML provider
This section describes how to create a workforce identity pool provider for a SAML IdP.
Console
To configure the SAML provider using the Google Cloud console, do the following:
In the Google Cloud console, go to the Workforce Identity Pools page:
In the Workforce Identity Pools table, select the pool for which you want to create the provider.
In the Providers table, click Add Provider.
In Select a protocol, select SAML.
In Create a pool provider do the following:
In Name, enter a name for the provider.
Optional: In Description, enter a description for the provider.
In IDP metadata file (XML), select the metadata XML file that you generated earlier in this guide.
Ensure that Enabled provider is enabled.
Click Continue.
In Configure provider, do the following:
In Attribute mapping, enter a CEL expression for
google.subject
.Optional: To enter other mappings, click Add mapping and enter other mappings—for example:
This example maps the IdP attributesgoogle.subject=assertion.subject, google.groups=assertion.attributes['https://example.com/aliases'], attribute.costcenter=assertion.attributes.costcenter[0]
assertion.subject
,assertion.attributes['https://example.com/aliases']
, andassertion.attributes.costcenter[0]
to the Google Cloud attributesgoogle.subject
,google.groups
, andgoogle.costcenter
, respectively.Optional: To add an attribute condition, click Add condition and enter a CEL expression representing an attribute condition. For example, to limit the
ipaddr
attribute to a certain IP range you can set the conditionassertion.attributes.ipaddr.startsWith('98.11.12.')
. This example condition ensures that only users with an IP address that starts with98.11.12.
can sign in using this workforce provider.Click Continue.
To create the provider, click Submit.
gcloud
To create the provider, run the following command:
gcloud iam workforce-pools providers create-saml WORKFORCE_PROVIDER_ID \
--workforce-pool="WORKFORCE_POOL_ID" \
--attribute-mapping="ATTRIBUTE_MAPPING" \
--attribute-condition="ATTRIBUTE_CONDITION" \
--idp-metadata-path="XML_METADATA_PATH" \
--location="global"
Replace the following:
WORKFORCE_PROVIDER_ID
: the workforce provider IDWORKFORCE_POOL_ID
: the workforce pool IDATTRIBUTE_MAPPING
: an attribute mapping; for example, to map a subject, the attribute mapping is as follows:google.subject=assertion.subject, google.groups=assertion.attributes['https://example.com/aliases'], attribute.department=assertion.attributes.department[0]
ATTRIBUTE_CONDITION
: an optional attribute condition; for example,assertion.subject.endsWith("@example.com")
XML_METADATA_PATH
: the path to the XML-formatted metadata file from your IdP
The prefix gcp-
is reserved and can't be used in a pool or provider ID.
This command assigns the subject and department in the SAML assertion to
google.subject
and attribute.department
attributes, respectively.
Additionally, the attribute condition ensures that only users with a
subject ending in @example.com
can sign in using this workforce
provider.
Describe a provider
Console
To view a provider, do the following:
- Go to the Workforce Identity Pools page:
Go to Workforce Identity Pools
In the table, select the pool for which you want to view the provider.
In the Providers table, select the provider.
gcloud
To describe a provider, run the following command:
gcloud iam workforce-pools providers describe PROVIDER_ID \
--workforce-pool=WORKFORCE_POOL_ID \
--location=global
Replace the following:
PROVIDER_ID
: the provider IDWORKFORCE_POOL_ID
: the workforce pool ID
List providers
Console
To view a provider, do the following:
- Go to the Workforce Identity Pools page:
Go to Workforce Identity Pools
In the table, select the pool for which you want to list the providers.
In the Providers table you can see a list of providers.
gcloud
To list providers, execute the following command:
gcloud iam workforce-pools providers list \
--workforce-pool=WORKFORCE_POOL_ID \
--location=global
Replace WORKFORCE_POOL_ID
with the workforce pool ID.
Update a provider
Console
To view a provider, do the following:
- Go to the Workforce Identity Pools page:
Go to Workforce Identity Pools
In the table, select the pool for which you want to view the provider.
In the Providers table, click
Edit.Update the provider.
To save the updated provider, click Save.
gcloud
To update an OIDC provider after creation, execute the following command:
gcloud iam workforce-pools providers update-oidc PROVIDER_ID \
--workforce-pool=WORKFORCE_POOL_ID \
--description="DESCRIPTION" \
--location=global
Replace the following:
PROVIDER_ID
: the provider IDWORKFORCE_POOL_ID
: the workforce pool IDDESCRIPTION
: the description
Delete a provider
To delete a provider, execute the following command:
gcloud iam workforce-pools providers delete PROVIDER_ID \
--workforce-pool=WORKFORCE_POOL_ID \
--location=global
Replace the following:
PROVIDER_ID
: the provider IDWORKFORCE_POOL_ID
: the workforce pool ID
Undelete a provider
To undelete a provider deleted within the last 30 days, execute the following command:
gcloud iam workforce-pools providers undelete PROVIDER_ID \
--workforce-pool=WORKFORCE_POOL_ID \
--location=global
Replace the following:
PROVIDER_ID
: the provider IDWORKFORCE_POOL_ID
: the workforce pool ID
Manage OIDC JWKs
This section shows you how to manage OIDC JWKs in workforce pool providers.
Create a provider and upload OIDC JWKs
To create OIDC JWKs, see JWT, JWS, JWE, JWK, and JWA Implementations.
To upload an OIDC JWK file when you create a workforce pool provider,
run the gcloud iam workforce-pools providers create-oidc command with --jwk-json-path="JWK_JSON_PATH"
.
Replace JWK_JSON_PATH
with the path to the JWKs JSON
file.
This operation uploads the keys from the file.
Update OIDC JWKs
To update OIDC JWKs, run the
gcloud iam workforce-pools providers update-oidc command with --jwk-json-path="JWK_JSON_PATH"
.
Replace JWK_JSON_PATH
with the path to the
JWKs JSON file.
This operation replaces any existing uploaded keys with the ones in the file.
Delete all uploaded OIDC JWKs
To delete all of the uploaded OIDC JWKs and instead use the issuer URI
to fetch the keys, run the gcloud iam workforce-pools providers update-oidc
command with --jwk-json-path="JWK_JSON_PATH"
.
Replace JWK_JSON_PATH
with the path to an empty file.
Use the --issuer-uri
flag to set the issuer URI.
This operation deletes all of your existing uploaded keys.
What's next
- Configure Workforce Identity Federation with Microsoft Entra ID and sign in users
- Configure Workforce Identity Federation with Okta and sign in users
- Delete Workforce Identity Federation users and their data
- Learn which Google Cloud products support Workforce Identity Federation