This topic describes how to set up Google Cloud Platform (GCP) as an identity provider for a Single Sign‑On for VMware Tanzu Application Service service plan by configuring OpenID Connect (OIDC) integration in both Single Sign‑On and GCP.

Overview

To set up the integration, follow the procedures below:

  1. Generate GCP Client Credentials
  2. Set up the OIDC Identity Provider in Single Sign‑On

Generate GCP Client Credentials

Follow the steps below to generate GCP client credentials:

  1. Log in to your GCP console.

  2. Under the Credentials tab, click Create credentials > OAuth client ID.

    A screenshot of the GCP console.
There are three side tabs: dashboard, library, and credentials. The credentials
tab is highlighted and the Credentials pane is showing. On the credentials pane
the create credentials dropdown has been selected. From the dropdown list, OAuth Client
ID is selected.

  3. In the configuration pane that appears, select Web application under Application type and enter any Name. Under Restrictions, leave Authorized JavaScript Origins blank and for Authorized redirect URIs enter a redirect URI using the following pattern:

    https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/login/callback/ORIGIN-KEY
    

    Where:

    Warning: The origin key does not change after it is assigned, even if the Identity Provider Name is modified.

    A screenshot of the OAuth client configuration pane.
The available fields have been described in this step. The create and cancel buttons are at
the bottom of the screen.

  4. Click Create and record the client ID and client secret generated. You enter these values as your Relying Party OAuth Client ID and Relying Party OAuth Client Secret in the SSO Operator Dashboard in Set Up OIDC Identity Provider in Single Sign‑On below.

    A screenshot of the OAuth client dialog box, which has fields that contain the generated client ID and
client secret. Both fields have a copy button.

Set up the OIDC Identity Provider in Single Sign‑On

Follow the steps below to set up the OIDC identity provider in Single Sign‑On:

  1. Follow steps 1–6 in Add an OIDC Provider.

  2. In the Discovery Endpoint URL field, enter https://accounts.google.com/.well-known/openid-configuration.

  3. Enter your Relying Party OAuth Client ID and Relying Party OAuth Client Secret from the Generate GCP Client Credentials above.

  4. Click Fetch Scopes.

  5. Ensure that openid and email are selected as scopes. You can select additional scopes if you want.

  6. Under Attribute & Group Mapping (Optional) > User Attributes, enter email as the OIDC Claim Name for the email and user_name User Schema Attributes. This enables Single Sign‑On to identify the authenticated user.

    Screenshot of the Attribute & Group Mapping section.
There are OIDC Claim Name fields for email, user_name, given_name, family_name,
and phone_number. The word email has been entered into the email and user_name fields.

  7. (Optional) Configure additional attribute mappings.

  8. Click Create Identity Provider to save your settings.

  9. (Optional) Enable IdP Discovery for the service plan.

check-circle-line exclamation-circle-line close-line
Scroll to top icon