Configure GCP as an OIDC Identity Provider
This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign-On (SSO) service plan by configuring OpenID Connect (OIDC) integration in both Pivotal Web Services (PWS) and GCP.
Generate GCP Client Credentials
Log in to your Google Cloud Platform console.
Under the Credentials tab, click Create credentials > OAuth client ID.
In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript Origins blank and for Authorized redirect URIs enter a redirect URI of the form https://AUTH_DOMAIN/login/callback/ORIGIN_KEY, where:
AUTH_DOMAIN is the full URL generated based on the Auth Domain setting you entered when you created the service plan that you are integrating with GCP.
ORIGIN_KEY is based on the Identity Provider Name you set in the SSO dashboard in Set Up OIDC Identity Provider in SSO below. This value should have no spaces or uppercase letters. You might need to change this value later.
Click Create and record the client ID and client secret generated. You will enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO dashboard in Set Up OIDC Identity Provider in SSO below.
Set Up OIDC Identity Provider in SSO
Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.
Click the plan name and select Manage Identity Providers from the drop-down menu.
Click New Identity Provider.
Enter an Identity Provider Name. This value in all lowercase with dashes replacing spaces becomes your Origin Key. For example, Example Google Origin becomes example-google-origin. If you did not enter this for your OAuth Client's authorized redirect URIs, go back and edit the value in Google Cloud Platform.
Enter a Description. Space developers see this description when they select an identity provider for their app.
Select OpenID Connect as the Identity Provider type.
Make sure the Enable Discovery checkbox is selected, to enable OIDC discovery.
For Discovery Endpoint URL, enter https://accounts.google.com/.well-known/openid-configuration.
Click Fetch Scopes.
Enter your Relying Party OAuth Client ID and Relying Party OAuth Client Secret that you recorded in Generate GCP Client Credentials above.
Make sure that openid and email are selected as scopes. You can select additional scopes if you want.
Under Advanced Settings > User Attributes, map user_name to email. This enables SSO to identify the authenticated user.
(Optional) Configure additional attribute mappings.
Click Create Identity Provider to save your settings.
(Optional) Enable identity provider discovery for the service plan.
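The following script is an added example, not code from this documentation or from the SSO product. It pre-checks the values the two procedures above ask you to enter: it derives the Origin Key from an Identity Provider Name the way the dashboard does (lowercase, dashes for spaces), builds the redirect URI to register on the GCP OAuth client, validates an OIDC discovery document for the issuer, endpoints and the openid and email scopes, and applies the user_name to email attribute mapping to ID-token claims. The auth domain, identity-provider name, abbreviated discovery document and claim set are constructed sample values so the script runs offline; the email_verified guard in the mapping step is an extra check of this example, not a step on the page.

```python
"""Pre-flight checks for the GCP OIDC identity-provider setup above.

Added example, not code from the original documentation or from the SSO
product. AUTH_DOMAIN, the identity-provider name, the discovery document
excerpt and the ID-token claims are constructed sample values.
"""
import re
from urllib.parse import urlparse

# Scopes the procedure requires to be selected in the SSO dashboard.
REQUIRED_SCOPES = {"openid", "email"}
# Discovery-document fields the SSO service needs to complete the OIDC flow.
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
GOOGLE_ISSUER = "https://accounts.google.com"

# Constructed, abbreviated stand-in for the document served at
# https://accounts.google.com/.well-known/openid-configuration
SAMPLE_DISCOVERY = {
    "issuer": GOOGLE_ISSUER,
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
}

# Constructed ID-token claim set, shaped like what Google returns after login.
SAMPLE_CLAIMS = {
    "iss": GOOGLE_ISSUER,
    "sub": "110000000000000000000",
    "email": "developer@example.com",
    "email_verified": True,
}


def origin_key(identity_provider_name: str) -> str:
    """Derive the Origin Key the way the SSO dashboard does:
    all lowercase, with dashes replacing spaces."""
    key = "-".join(identity_provider_name.strip().lower().split())
    # The page warns that the key may contain no spaces or uppercase letters.
    if re.search(r"[A-Z\s]", key):
        raise ValueError(f"origin key {key!r} still contains spaces or uppercase letters")
    return key


def redirect_uri(auth_domain: str, identity_provider_name: str) -> str:
    """Build the Authorized redirect URI to register on the GCP OAuth client:
    https://AUTH_DOMAIN/login/callback/ORIGIN_KEY"""
    host = auth_domain.removeprefix("https://").rstrip("/")
    return f"https://{host}/login/callback/{origin_key(identity_provider_name)}"


def check_discovery(doc: dict) -> list:
    """Return the problems found in an OIDC discovery document (empty list = OK)."""
    problems = []
    for field in REQUIRED_ENDPOINTS:
        value = doc.get(field)
        if value is None:
            problems.append(f"missing {field}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{field} is not an https URL: {value}")
    if doc.get("issuer") != GOOGLE_ISSUER:
        problems.append(f"unexpected issuer {doc.get('issuer')!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"provider does not advertise scopes {sorted(missing)}")
    return problems


def map_user_attributes(claims: dict, mapping: dict) -> dict:
    """Apply the Advanced Settings > User Attributes mapping (e.g. user_name -> email)
    to the claims of an already signature-validated ID token."""
    if claims.get("iss") != GOOGLE_ISSUER:
        raise ValueError(f"claims issued by {claims.get('iss')!r}, not {GOOGLE_ISSUER}")
    mapped = {}
    for sso_attribute, claim in mapping.items():
        if claim not in claims:
            raise KeyError(f"ID token lacks claim {claim!r} needed for {sso_attribute!r}")
        # Extra guard beyond the page's steps: only accept an email Google has verified.
        if claim == "email" and claims.get("email_verified") is not True:
            raise ValueError("email claim is not marked email_verified")
        mapped[sso_attribute] = claims[claim]
    return mapped


if __name__ == "__main__":
    print("redirect URI:", redirect_uri("login.sso.example.com", "Example Google Origin"))
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY))
    print("mapped user:", map_user_attributes(SAMPLE_CLAIMS, {"user_name": "email"}))
```

Run the script before filling in the dashboard: the printed redirect URI is the value to paste into Authorized redirect URIs in GCP, an empty problem list confirms the discovery document carries the endpoints and scopes the procedure relies on, and the mapping step shows which claim the SSO service will use as the user name. Swap in the real discovery document fetched from the URL above to check a live provider.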