Configure GCP as an OIDC Identity Provider

This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign-On (SSO) service plan by configuring OpenID Connect (OIDC) integration in both Pivotal Web Services (PWS) and GCP.

Generate GCP Client Credentials

  1. Log in to your Google Cloud Platform console.

  2. Under the Credentials tab, click Create credentials > OAuth client ID.

    Gcp create oauth

  3. In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript Origins blank and for Authorized redirect URIs enter a redirect URI of the form https://AUTH_DOMAIN/login/callback/ORIGIN_KEY, where:

    • AUTH_DOMAIN is the full URL generated based on the Auth Domain setting you entered when you created the service plan that you are integrating with GCP.
    • ORIGIN_KEY is based on the Identity Provider Name you set in the SSO dashboard in Set Up OIDC Identity Provider in SSO below. This value should have no spaces or uppercase letters. You might need to change this value later.

    Gcp config oauth

  4. Click Create and record the client ID and client secret generated. You will enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO dashboard in Set Up OIDC Identity Provider in SSO below.

    Gcp oauth keypair

Set Up OIDC Identity Provider in SSO

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the drop-down menu.

  3. Click New Identity Provider.

  4. Enter an Identity Provider Name. This value in all lowercase with dashes replacing spaces becomes your Origin Key. For example, Example Google Origin becomes example-google-origin. If you did not enter this for your OAuth Client’s authorized redirect URIs, go back and edit the value in Google Cloud Platform.

  5. Enter a Description. Space developers see this description when they select an identity provider for their app.

  6. Select OpenID Connect as the Identity Provider type.

    Gcp new idp

  7. Make sure the Enable Discovery checkbox is selected, to enable OIDC discovery.

  8. For Discovery Endpoint URL, enter https://accounts.google.com/.well-known/openid-configuration.

  9. Click Fetch Scopes.

  10. Enter your Relying Party OAuth Client ID and Relying Party OAuth Client Secret from the Generate GCP Client Credentials above.

    Gcp oidc settings

  11. Make sure that openid and email are selected as scopes. You can select additional scopes if you want.

    Gcp scopes

  12. Under Advanced Settings > User Attributes, map user_name to email. This enables SSO to identify the authenticated user.

    Gcp advanced settings

  13. (Optional) Configure additional attribute mappings.

  14. Click Create Identity Provider to save your settings.

  15. (Optional) Enable identity provider discovery for the service plan.