Workforce Identity Federation with Okta as external IdP — Bring your own ID

Abhilash Reddy Thumma
Google Cloud - Community
5 min read · Feb 15, 2023

Workforce Identity Federation (BYOID) lets GCP customers use their existing identity provider (IdP) to securely access Google Cloud services without setting up new identities.

  • It allows workforce users (employees, contractors, partners, etc.) to access GCP services and APIs, leveraging their established identity management solution using standard protocols (SAML, OIDC).
  • In contrast to Cloud Identity’s Google Cloud Directory Sync (GCDS), workforce identity federation eliminates the need to synchronize user identities from your current IdP to Google Cloud identities and extends Google Cloud’s identity management capabilities to support attribute-based, sync-less single sign-on.
Workforce Identity Federation flow

Benefits

  • Provide access to GCP using customer’s own IdP, leveraging associated privacy and data policies
  • Shortens the time for new customers to onboard to GCP and provides them seamless experience.
  • Enables customers to meet sovereignty requirements

The setup process slightly differs depending on whether you use the CLI or the web console. The web console has a few more steps. In this article, we are setting up to use the web console.

Basically, the setup process consists of four main tasks.

  • It starts with configuring your identity provider. Okta, in this case (Section-A)
  • Create the workforce pool (Section-B)
  • Create the workforce provider (Section-C)
  • Finally, assigning the permissions (Section-D)

Prerequisites

Before we begin, we should have a

  • Google Cloud organization setup.
  • A billing/quota project with either an owner role or workforcePoolAdmin role
  • Identity and Access Management (IAM) API and Cloud Resource Manager API are enabled for the identified project.

Now, open the cloud shell and prepare to put Workforce Identity Federation to the test.

Set Environment variables and enable services

Let’s start by creating some variables to make the commands easier. Please update the variables to match your configuration.

export ORGANIZATION_ID=1234567890
export PROJECT_NAME=abhe-demo-project
export WORKFORCEPOOL_NAME=abhe-demo-wfpool1
export WORKFORCEPOOL_PROVIDER=abhe-demo-wf-provider1

Section-A: Create Okta application.

If you don’t already have an Okta account, you can create one using your business email ID https://www.okta.com/free-trial/.

  1. Login to the Okta admin dashboard.
  2. Go to Applications > Applications.
  3. Click Create App Integration.
  4. In Sign-in method, select SAML 2.0 and click Next.

  5. In the general settings, provide the name of the application.

  6. In the SAML settings, provide the following details

Below are the values set in the SAML settings screen above

Single Sign-on URL: https://auth.cloud.google/signin-callback/locations/global/workforcePools/abhe-demo-wfpool1/providers/abhe-demo-wf-provider1

SP Entity ID: https://iam.googleapis.com/locations/global/workforcePools/abhe-demo-wfpool1/providers/abhe-demo-wf-provider1

Default Relay State: https://console.cloud.google/

Note: The values for the ‘workforcePools’ and ‘providers’ configured in the above step should be the same as those we will use while configuring them on the GCP side.

  7. Once the SAML configuration is complete, you will need to download the SAML metadata file for your Okta app. Follow the below steps to do this:

  • Go to your Okta App.
  • Click the Sign On tab.
  • In the SAML Signing Certificates section, click Actions > View IdP metadata for the active certificate.
  • In the new page that opens, copy the XML metadata.

Save the metadata as a local XML file, where you will be running the gcloud CLI commands.

Section-B: Create Workforce Pool

Once the Okta application setup is complete and the XML file is downloaded, run the following gcloud command to create the workforce pool.

## Create Workforce Pool
gcloud iam workforce-pools create $WORKFORCEPOOL_NAME \
--location=global \
--organization=$ORGANIZATION_ID \
--description=$WORKFORCEPOOL_NAME

Section-C: Create Workforce Pool Provider

After you create the workforce pool, create the SAML workforce pool provider.

## Create Workforce Pool Provider
gcloud iam workforce-pools providers create-saml $WORKFORCEPOOL_PROVIDER \
--workforce-pool=$WORKFORCEPOOL_NAME \
--attribute-mapping="google.subject=assertion.subject,attribute.department=assertion.attributes.department[0],google.groups=assertion.attributes.groups" \
--attribute-condition="'GlobalGCPUserGroup' in assertion.attributes.groups" \
--idp-metadata-path=/home/abhilashthumma/okta-idp-metadata.xml \
--location=global

## Validate Workforce Identity provider
gcloud iam workforce-pools providers describe $WORKFORCEPOOL_PROVIDER \
--workforce-pool $WORKFORCEPOOL_NAME \
--location global

Note:

  • ‘GlobalGCPUserGroup’ used in the attribute-condition parameter is the same group name we used in the Okta application configuration (Section-A, step 6).
  • okta-idp-metadata.xml file is the same SAML metadata file we downloaded from Okta (Section-A, step 7).

Section-D: Assign permissions through IAM policy binding

In this step, we are going to assign permissions to the users.

## This command gives BigQuery job user access to all the GlobalGCPUserGroup members
gcloud projects add-iam-policy-binding $PROJECT_NAME \
--role="roles/bigquery.jobUser" \
--member="principalSet://iam.googleapis.com/locations/global/workforcePools/$WORKFORCEPOOL_NAME/group/GlobalGCPUserGroup"


## This command gives Storage admin access to members who belong to MLEngg department and who are part of GlobalGCPUserGroup
## So these users get both Storage Admin access and BigQuery job user access
gcloud projects add-iam-policy-binding $PROJECT_NAME \
--role="roles/storage.admin" \
--member="principalSet://iam.googleapis.com/locations/global/workforcePools/$WORKFORCEPOOL_NAME/attribute.department/MLEngg"
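To see how the attribute mapping and condition from Section-C and the two bindings above combine for a given login, here is an added local simulation. It is not Google's CEL evaluator or any Google library; it parses a constructed, unsigned SAML assertion the way the mapping expressions read it (every SAML attribute is a list, hence `department[0]` and the whole `groups` list), rejects the login when the attribute condition fails, builds the `principalSet://` identifiers the identity matches, and looks those up in the Section-D bindings. The attribute names `groups` and `department` come from the mapping on the page; the assertion layout and the test users are constructed sample data. The real service additionally verifies the assertion signature against the IdP metadata certificate, which this simulation does not do.

```python
"""Local simulation of Section-C (attribute mapping + condition) and
Section-D (IAM bindings) for Workforce Identity Federation.  Added
illustration only; mirrors the page's mapping expressions, not Google's code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

POOL = "abhe-demo-wfpool1"
POOL_PREFIX = "principalSet://iam.googleapis.com/locations/global/workforcePools/" + POOL

# The two bindings from Section-D: principalSet member -> role.
BINDINGS = {
    POOL_PREFIX + "/group/GlobalGCPUserGroup": "roles/bigquery.jobUser",
    POOL_PREFIX + "/attribute.department/MLEngg": "roles/storage.admin",
}


def sample_assertion(email, groups, department=None):
    """Constructed, unsigned assertion with the attribute shape the mapping expects."""
    group_values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % g for g in groups)
    dept = ("<saml:Attribute Name=\"department\"><saml:AttributeValue>%s</saml:AttributeValue>"
            "</saml:Attribute>" % department) if department else ""
    return """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">%s</saml:Attribute>%s
  </saml:AttributeStatement>
</saml:Assertion>""" % (email, group_values, dept)


def parse_assertion(xml_text):
    """Return (assertion.subject, assertion.attributes) as the mapping sees them:
    the NameID string and a dict of attribute name -> list of values."""
    root = ET.fromstring(xml_text)
    subject = root.find(".//saml:Subject/saml:NameID", NS).text.strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip()
                                   for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return subject, attrs


def map_attributes(subject, attrs):
    """Apply the Section-C mapping and condition.  None means the condition
    "'GlobalGCPUserGroup' in assertion.attributes.groups" failed and the
    login is rejected before any IAM binding is consulted."""
    groups = attrs.get("groups", [])
    if "GlobalGCPUserGroup" not in groups:
        return None
    department = attrs.get("department", [])
    return {
        "google.subject": subject,
        "attribute.department": department[0] if department else None,  # single-valued attribute
        "google.groups": groups,                                          # whole list
    }


def members_for(mapped):
    """principalSet identifiers the mapped identity belongs to."""
    members = [POOL_PREFIX + "/group/" + g for g in mapped["google.groups"]]
    if mapped["attribute.department"]:
        members.append(POOL_PREFIX + "/attribute.department/" + mapped["attribute.department"])
    return members


def effective_roles(xml_text):
    """Roles the Section-D bindings grant to the identity in the assertion."""
    mapped = map_attributes(*parse_assertion(xml_text))
    if mapped is None:
        return set()
    return {BINDINGS[m] for m in members_for(mapped) if m in BINDINGS}


if __name__ == "__main__":
    for email, groups, dept in [
        ("testuser1@thumma.cloud", ["GlobalGCPUserGroup"], None),
        ("testuser2@thumma.cloud", ["GlobalGCPUserGroup"], "MLEngg"),
        ("contractor@thumma.cloud", ["Contractors"], "MLEngg"),
    ]:
        print(email, sorted(effective_roles(sample_assertion(email, groups, dept))))
```

The third constructed user shows the point of the attribute condition: a department value of `MLEngg` alone grants nothing, because the login never reaches IAM unless the user is in `GlobalGCPUserGroup`.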

Testing

Click on the single-sign-on URL created in Okta. This will redirect to the Google Cloud Console.

https://dev-123456789.okta.com/app/dev-123456789_gcp_1/xxxxxxx/sso/saml

SSO login screen

Alternatively, login to Okta and click on the application you created earlier.

Okta console when logged in as a regular user (Non-Admin)

Once you successfully authenticate, you will be redirected to the Google Cloud console, which asks you to sign in

On the Okta side, I created two users to test the permissions — testuser1@thumma.cloud and testuser2@thumma.cloud

testuser1 is part of the GlobalGCPUserGroup group on Okta. So this user will only have BigQuery jobUser permissions but will fail to access Cloud Storage

testuser1 successfully able to access BigQuery
testuser1 failed to access Cloud Storage

testuser2 is part of the GlobalGCPUserGroup group and also has the value MLEngg for the “department” attribute in Okta. This grants testuser2 additional Storage Admin privileges.

testuser2 successfully able to access Cloud Storage

Want to learn more about Workforce Identity Federation — look here

Thank you for reading :)

Questions?
If you have any questions, I’ll be happy to read them in the comments.

Happy Learning !
