Simplify Access Management with Google Cloud Workforce Identity Federation — Part 2 Okta SSO Integration

Prashant Kulkarni
Google Cloud - Community


In Part 1 we looked at the overview and use cases of Workforce Identity Federation. In this post we will look at the integration with Okta for console access.

To summarize Part 1, Workforce Identity Federation allows organizations to establish trust between their identity provider (IdP) and Google Cloud. It enables users to access Google Cloud resources using their existing corporate credentials, reducing the need for separate login credentials. By leveraging standard protocols such as SAML 2.0, Workforce Identity Federation simplifies access management and enhances security.

Okta is a leading Identity and Access Management (IAM) platform that provides robust SSO capabilities, user provisioning, and lifecycle management. By integrating Okta with Google Cloud, organizations can leverage Okta’s advanced identity management features while benefiting from Google Cloud’s powerful infrastructure.

First, we will configure Workforce Identity in Google Cloud.

  1. Before you start, make sure you have a Google Cloud project and the IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) IAM role on the organization.
  2. Create a Workforce Identity pool, then proceed to configure Okta.

gcloud iam workforce-pools create okta-wf-pool \
--organization="ORGANIZATION_ID" \
--location="global"

After you have configured Okta and have the IdP metadata file, come back here and continue with step 3.

3. Create a Workforce Identity pool provider; we will use SAML here. The IdP metadata can be obtained from Okta.

gcloud iam workforce-pools providers create-saml WORKFORCE_PROVIDER_ID \
--workforce-pool="WORKFORCE_POOL_ID" \
--attribute-mapping="ATTRIBUTE_MAPPING" \
--attribute-condition="ATTRIBUTE_CONDITION" \
--idp-metadata-path="XML_METADATA_PATH" \
--location="global"

The tricky part is how to map the attributes and write the condition. Here is how I configured it.

gcloud iam workforce-pools providers create-saml okta-provider \
--workforce-pool="okta-wf-pool" \
--attribute-mapping="google.subject=assertion.sub, google.groups=assertion.groups, attribute.email=assertion.email" \
--attribute-condition="'Google-SecComp' in assertion.groups" \
--idp-metadata-path="/home/admin_/okta-metadata.xml" \
--location="global"

Let us go over it:

a. The subject from the SAML assertion is mapped to google.subject; in my case, it is the email. I also have the groups attribute from the Okta SAML assertion mapped to google.groups. A group is addressed as a “principalSet”, while a single user is a “principal” in Workforce Identity (and in Workload Identity).

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">pskulkarni@google.com</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2023-06-04T17:56:28.426Z" Recipient="https://auth.cloud.google/signin-callback/locations/global/workforcePools/okta-wf-pool/providers/okta-provider"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>

I want to grant access to the Google Cloud console to members of the Google-SecComp group, so that is what I have defined in the attribute condition. This means I expect Okta to include that group in the groups attribute; otherwise the sign-in is denied, which is the intended behavior.

Okta does so using the “groups” SAML attribute in the assertion.

<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Google-SecComp</saml2:AttributeValue>
</saml2:Attribute>

Okta Configurations

We will assume you already have an Okta account.

Configuring the Google Cloud Identity Provider in Okta:

  1. In the SAML settings, use the settings shown below. Note that the URL is auth.cloud.google, a new endpoint that validates workforce sign-in.

2. In the “Sign On” tab, go to the SAML setup instructions, copy the IdP metadata XML into a file and save it.

3. This file is required in step 3 of the Workforce Identity provider configuration above.

Last but not least, we need to grant the principalSet access to Google Cloud resources. You do this by adding an IAM policy binding to your project. Here I am granting the Storage Admin role; for you it will depend on the use case you are implementing.

gcloud projects add-iam-policy-binding <PROJECT_ID> \
--role="roles/storage.admin" \
--member="principalSet://iam.googleapis.com/locations/global/workforcePools/okta-wf-pool/group/Google-SecComp"
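To see how the attribute mapping, the attribute condition and the IAM binding from this post fit together, here is an added Python example (not part of the original post and not Google tooling) that parses a constructed assertion modelled on the fragments above, applies the mapping and condition exactly as written in the provider command, and returns the principal and principalSet identifiers an IAM binding can reference. The pool name and group come from the post; the user alice@example.com and the multi-valued groups attribute are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
POOL = "locations/global/workforcePools/okta-wf-pool"   # pool created in this post
REQUIRED_GROUP = "Google-SecComp"                        # group named in the attribute condition

# Constructed sample assertion, modelled on the Subject and groups fragments shown above.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>Google-SecComp</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def parse_assertion(xml_text):
    """Flatten the assertion into the fields the mapping reads: sub plus each attribute as a list."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    fields = {"sub": (name_id.text or "").strip()}
    for attr in root.findall(".//saml2:Attribute", NS):
        fields[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return fields

def map_attributes(fields):
    """The post's mapping: google.subject=sub, google.groups=groups, attribute.email=email."""
    return {
        "google.subject": fields["sub"],
        "google.groups": fields.get("groups", []),
        "attribute.email": (fields.get("email") or [""])[0],
    }

def condition_holds(fields):
    """The post's attribute condition: 'Google-SecComp' in assertion.groups."""
    return REQUIRED_GROUP in fields.get("groups", [])

def principals(xml_text):
    """Return the IAM identifiers this sign-in can be bound as, or None if federation rejects it."""
    fields = parse_assertion(xml_text)
    if not condition_holds(fields):
        return None  # rejected by the attribute condition before any IAM binding is consulted
    mapped = map_attributes(fields)
    ids = [f"principal://iam.googleapis.com/{POOL}/subject/{mapped['google.subject']}"]
    ids += [f"principalSet://iam.googleapis.com/{POOL}/group/{g}" for g in mapped["google.groups"]]
    return ids

if __name__ == "__main__":
    print(principals(SAMPLE_ASSERTION))
```

The last identifier in the returned list matches the --member value of the binding above, which is why that binding applies to this user; drop Google-SecComp from the assertion and the function returns None, i.e. the sign-in never reaches IAM.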

That’s it! You’re all set to test.

Testing

In your Okta dashboard, click on the Application icon we just added.

If everything is configured correctly, you will get this page (or an error if something is misconfigured).

Click “Continue” and you’ll land on the project home page.

Verify your logged-in identity; you’re all set!


A proud Googler! Cloud Security and Astronomy junkie. Loves dogs and cats! Opinions are of my own.