Code flow

To create an OIDC provider that usesauthorization code flow for web sign-in, run thefollowing command:

gcloud iam workforce-pools providers create-oidcWORKFORCE_PROVIDER_ID \    --workforce-pool=WORKFORCE_POOL_ID \    --display-name="DISPLAY_NAME" \    --description="DESCRIPTION" \    --issuer-uri="ISSUER_URI" \    --client-id="OIDC_CLIENT_ID" \
    --client-secret-value="OIDC_CLIENT_SECRET" \    --web-sso-response-type="code" \    --web-sso-assertion-claims-behavior="merge-user-info-over-id-token-claims" \    --web-sso-additional-scopes="WEB_SSO_ADDITIONAL_SCOPES" \    --attribute-mapping="ATTRIBUTE_MAPPING" \    --attribute-condition="ATTRIBUTE_CONDITION" \    --jwk-json-path="JWK_JSON_PATH" \    --detailed-audit-logging \    --location=global

Replace the following:

• WORKFORCE_PROVIDER_ID: A unique workforce identity pool provider ID. The prefixgcp- is reserved and can't be used in a workforce identity pool or workforce identity pool provider ID.
• WORKFORCE_POOL_ID: The workforce identity pool ID to connect your IdP to.
• DISPLAY_NAME: An optional user-friendly display name for the provider; for example,idp-eu-employees.
• DESCRIPTION: An optional workforce provider description; for example,IdP for Partner Example Organization employees.
• ISSUER_URI: The OIDC issuer URI, in a valid URI format, that starts withhttps; for example,https://example.com/oidc. Note: For security reasons,ISSUER_URI must use the HTTPS scheme.
• OIDC_CLIENT_ID: The OIDC client ID that is registered with your OIDC IdP; the ID must match theaud claim of the JWT that is issued by your IdP.
• OIDC_CLIENT_SECRET: The OIDC client secret.
• WEB_SSO_ADDITIONAL_SCOPES: Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.
• ATTRIBUTE_MAPPING: Anattribute mapping. The following is an example of an attribute mapping:

  google.subject=assertion.sub,google.groups=assertion.groups,attribute.costcenter=assertion.costcenter

  This example maps the IdP attributessubject,groups, andcostcenter in the OIDCassertion togoogle.subject,google.groups,andattribute.costcenter attributes, respectively.
• ATTRIBUTE_CONDITION: Anattribute condition; for example,assertion.role == 'gcp-users'. This example condition ensures that only users with the rolegcp-users can sign in using this provider.Warning: If your multi-tenant IdP has a single issuer URI, you must useattribute conditions to ensure that access is restricted to the correct tenant. For more information, seeUse attribute conditions when federating with GitHub or other multi-tenant identity providers.
• JWK_JSON_PATH: An optional path to alocally uploaded OIDC JWKs. If this parameter isn't supplied, Google Cloud instead uses your IdP's/.well-known/openid-configuration path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, seemanage OIDC JWKs.Note: Local OIDC JWKs can be uploaded throughimplicit flow or code flow, but can only be used inprogrammatic flow, in which you directly call the STS/token endpoint with a credential from the third-party IdP to exchange for a Google Cloud access token for your workforce pool. You can't use local OIDC JWKs when signing in to the console (federated).

• Workforce Identity Federationdetailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, seeGeneral attribute mapping errors. To learn about Logging pricing, seeGoogle Cloud Observability pricing.

  To disable detailed audit logging for a workforce identity pool provider, omit the--detailed-audit-logging flag when you rungcloud iam workforce-pools providers create. To disable detailed audit logging, you can alsoupdate the provider.

Implicit flow

To create an OIDC workforce identity pool provider that uses theimplicit flowfor web sign-in, run the following command:

gcloud iam workforce-pools providers create-oidcWORKFORCE_PROVIDER_ID \    --workforce-pool=WORKFORCE_POOL_ID \    --display-name="DISPLAY_NAME" \    --description="DESCRIPTION" \    --issuer-uri="ISSUER_URI" \    --client-id="OIDC_CLIENT_ID" \    --web-sso-response-type="id-token" \    --web-sso-assertion-claims-behavior="only-id-token-claims" \    --web-sso-additional-scopes="WEB_SSO_ADDITIONAL_SCOPES" \    --attribute-mapping="ATTRIBUTE_MAPPING" \    --attribute-condition="ATTRIBUTE_CONDITION" \    --jwk-json-path="JWK_JSON_PATH" \    --detailed-audit-logging \    --location=global

Replace the following:

• WORKFORCE_PROVIDER_ID: A unique workforce identity pool provider ID. The prefixgcp- is reserved and can't be used in a workforce identity pool or workforce identity pool provider ID.
• WORKFORCE_POOL_ID: The workforce identity pool ID to connect your IdP to.
• DISPLAY_NAME: An optional user-friendly display name for the provider; for example,idp-eu-employees.
• DESCRIPTION: An optional workforce provider description; for example,IdP for Partner Example Organization employees.
• ISSUER_URI: The OIDC issuer URI, in a valid URI format, that starts withhttps; for example,https://example.com/oidc. Note: For security reasons,ISSUER_URI must use the HTTPS scheme.
• OIDC_CLIENT_ID: The OIDC client ID that is registered with your OIDC IdP; the ID must match theaud claim of the JWT that is issued by your IdP.
• WEB_SSO_ADDITIONAL_SCOPES: Optional additional scopes to send to the OIDC IdP for console (federated) or gcloud CLI browser-based sign-in.
• ATTRIBUTE_MAPPING: Anattribute mapping. The following is an example of an attribute mapping:

  google.subject=assertion.sub,google.groups=assertion.groups,attribute.costcenter=assertion.costcenter

  This example maps the IdP attributessubject,groups, andcostcenter in the OIDCassertion togoogle.subject,google.groups,andattribute.costcenter attributes, respectively.
• ATTRIBUTE_CONDITION: Anattribute condition; for example,assertion.role == 'gcp-users'. This example condition ensures that only users with the rolegcp-users can sign in using this provider.Warning: If your multi-tenant IdP has a single issuer URI, you must useattribute conditions to ensure that access is restricted to the correct tenant. For more information, seeUse attribute conditions when federating with GitHub or other multi-tenant identity providers.
• JWK_JSON_PATH: An optional path to alocally uploaded OIDC JWKs. If this parameter isn't supplied, Google Cloud instead uses your IdP's/.well-known/openid-configuration path to source the JWKs containing the public keys. For more information about locally uploaded OIDC JWKs, seemanage OIDC JWKs.Note: Local OIDC JWKs can be uploaded throughimplicit flow or code flow, but can only be used inprogrammatic flow, in which you directly call the STS/token endpoint with a credential from the third-party IdP to exchange for a Google Cloud access token for your workforce pool. You can't use local OIDC JWKs when signing in to the console (federated).

• Workforce Identity Federationdetailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, seeGeneral attribute mapping errors. To learn about Logging pricing, seeGoogle Cloud Observability pricing.

  To disable detailed audit logging for a workforce identity pool provider, omit the--detailed-audit-logging flag when you rungcloud iam workforce-pools providers create. To disable detailed audit logging, you can alsoupdate the provider.

Code flow

1. In the Google Cloud console, go to theWorkforce Identity Pools page:

   Go to Workforce Identity Pools

2. In theWorkforce Identity Pools table, select the pool for whichyou want to create the provider.

3. In theProviders section,clickaddAdd Provider.

4. In theSelect a Provider vendor list, select your IdP.

   If your IdP isn't listed, then selectGeneric Identity Provider.

5. InSelect an authentication protocol, selectOpenID Connect (OIDC).

6. In theCreate a provider section, do the following:

   1. InName, enter the name for the provider.
   2. InDescription, enter the description for the provider.
   3. InIssuer (URL), enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start withhttps; for example,https://example.com/oidc.
   4. InClient ID, enter the OIDC client ID that is registeredwith your OIDC IdP; the ID must match theaud claim of the JWT that isissued by your IdP.

   5. To create a provider that is enabled, make sureEnable provider ison.

   6. ClickContinue.

7. In theShare your provider information with IdP section, copy the URL.In your IdP, configure this URL as the redirect URI, which informs your IdPwhere to send the assertion token after logging in.

8. ClickContinue.

9. In theConfigure OIDC Web Sign-in section, do the following:

   1. In theFlow type list, selectCode.

   2. In theAssertion claims behavior list, select either of the following:

      • User info and ID token
      • Only ID token

   3. In theClient secret field, enter the client secret from your IdP.

   4. Optional: If you selectedOkta as your IdP, add any extra OIDC scopes in theAdditional scopes beyond openid, profile, and email field.

10. ClickContinue.

11. InConfigure provider, you can configure an attribute mappingand an attribute condition. To create anattribute mapping,do the following. You can provide either the IdP field name or aCEL-formattedexpression that returns a string.

    1. Required: InOIDC 1, enter the subject from the IdP— for example,assertion.sub.

    2. Optional: To add additional attribute mappings, do the following:

       1. ClickAdd mapping.
       2. InGooglen, wheren is a number, enter one oftheGoogle Cloud-supported keys.
       3. In the correspondingOIDCn field, enter the name of theIdP-specific field to map, in CEL format.

    3. If you selectedMicrosoft Entra ID as your IdP, you can increase the number of groups.

       1. SelectUse Extra Attributes.
       2. In theExtra Attributes Issuer URI field, enter the issuer URL.
       3. In theExtra Attributes Client ID field, enter the client ID.
       4. In theExtra Attributes Client Secret field, enter the client secret.
       5. In theExtra Attributes Type list, select an attribute type for extra attributes.
       6. In theExtra Attributes Filter field, enter a filter expression that is used when querying the Microsoft Graph API for groups.

    4. To create an attribute condition, do the following:

       Warning: If your multi-tenant IdP has a single issuer URI, you must useattribute conditions to ensure that access is restricted to the correct tenant. For more information, seeUse attribute conditions when federating with GitHub or other multi-tenant identity providers.

       1. ClickAdd condition.
       2. In theAttribute Conditions field, enter a condition inCEL format;for example,assertion.role == 'gcp-users'. This example condition ensures that only users with the rolegcp-users can sign in using this provider.

    5. To turn on detailed audit logging, inDetailed logging, click theEnable attribute value audit logging toggle.

       Workforce Identity Federationdetailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, seeGeneral attribute mapping errors. To learn about Logging pricing, seeGoogle Cloud Observability pricing.

       To disable detailed audit logging for a workforce identity pool provider, omit the--detailed-audit-logging flag when you rungcloud iam workforce-pools providers create. To disable detailed audit logging, you can alsoupdate the provider.

12. To create the provider, clickSubmit.

Implicit flow

1. In the Google Cloud console, go to theWorkforce Identity Pools page:

   Go to Workforce Identity Pools

2. In theWorkforce Identity Pools table, select the pool for whichyou want to create the provider.

3. In theProviders section,clickadd Add Provider.

4. In theSelect a Provider vendor list, select your IdP.

   If your IdP isn't listed, then selectGeneric Identity Provider.

5. InSelect an authentication protocol, selectOpenID Connect (OIDC).

6. In theCreate a provider section, do the following:

   1. InName, enter the name for the provider.
   2. InDescription, enter the description for the provider.
   3. InIssuer (URL), enter the issuer URI. The OIDC issuer URI must be in a valid URI format and start withhttps; for example,https://example.com/oidc.
   4. InClient ID, enter the OIDC client ID that is registeredwith your OIDC IdP; the ID must match theaud claim of the JWT that isissued by your IdP.
   5. To create a provider that is enabled, make sureEnable provider is on.
   6. ClickContinue.

7. In theShare your provider information with IdP section, copy the URL.In your IdP, configure this url as the redirect URI, which informs your IdPwhere to send the assertion token after logging in.

8. ClickContinue.

9. In theConfigure OIDC Web Sign-in section, do the following:

   1. In theFlow type list, selectID Token.

   2. In theAssertion claims behavior list,ID token is selected.

   3. Optional: If you selectedOkta as your IdP, add any extra OIDC scopes in theAdditional scopes beyond openid, profile, and email field.

10. ClickContinue.

11. InConfigure provider, you can configure an attribute mappingand an attribute condition. To create anattribute mapping,do the following. You can provide either the IdP field name or aCEL-formattedexpression that returns a string.

    1. Required: InOIDC 1, enter the subject from the IdP; for example,assertion.sub.

    2. Optional: To add additional attribute mappings, do the following:

       1. ClickAdd mapping.
       2. InGooglen, wheren is a number, enter one oftheGoogle Cloud-supported keys.
       3. In the correspondingOIDCn field, enter the name of theIdP-specific field to map, in CEL format.

    3. If you selectedMicrosoft Entra ID as your IdP, you can increase the number of groups.

       1. SelectUse Extra Attributes.
       2. In theExtra Attributes Issuer URI field, enter the issuer URL.
       3. In theExtra Attributes Client ID field, enter the client ID.
       4. In theExtra Attributes Client Secret field, enter the client secret.
       5. In theExtra Attributes Type list, select an attribute type for extra attributes.
       6. In theExtra Attributes Filter field, enter a filter expression that is used when querying the Microsoft Graph API for groups.

    4. To create an attribute condition, do the following:

       Warning: If your multi-tenant IdP has a single issuer URI, you must useattribute conditions to ensure that access is restricted to the correct tenant. For more information, seeUse attribute conditions when federating with GitHub or other multi-tenant identity providers.

       1. ClickAdd condition.
       2. In theAttribute Conditions field, enter a condition inCEL format;for example,assertion.role == 'gcp-users'. This example condition ensures that only users with the rolegcp-users can sign in using this provider.

    5. To turn on detailed audit logging, inDetailed logging, click theEnable attribute value audit logging toggle.

       Workforce Identity Federationdetailed audit logging logs information received from your IdP to Logging. Detailed audit logging can help you troubleshoot your workforce identity pool provider configuration. To learn how to troubleshoot attribute mapping errors with detailed audit logging, seeGeneral attribute mapping errors. To learn about Logging pricing, seeGoogle Cloud Observability pricing.

       To disable detailed audit logging for a workforce identity pool provider, omit the--detailed-audit-logging flag when you rungcloud iam workforce-pools providers create. To disable detailed audit logging, you can alsoupdate the provider.

12. To create the provider, clickSubmit.