Configure OIDC providers to authenticate to clusters

This document is forplatform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosenOpenID Connect (OIDC) identity provider for authentication to Kubernetes clusters that aren'ton Google Cloud.

Register a client application with your provider

During the authentication flow for users, the cluster uses aclient IDandsecret to connect to your identity provider. You can get a client ID anda secret from your identity provider by configuring a client application forKubernetes. The procedure to set up a client application depends on yourprovider. You can find some specific registration details for popular providersin the next section.

For redirect URLs, specify the following values:

  • https://console.cloud.google.com/kubernetes/oidc is the redirect URL for the Google Cloud console.
  • http://localhost:PORT/callback is the redirect URL for the gcloud CLI. You can specify any port number that is higher than 1024.
  • APISERVER_URL:11001/finish-login is the redirect URL if you choose toauthenticate using FQDN access. ReplaceAPISERVER_URL with the FQDN of the cluster's Kubernetes API server. For example, if theAPISERVER_URL ishttps://apiserver.company.com, then theredirect_uri should behttps://apiserver.company.com:11001/finish-login.

Save the client ID and secret you get from the registration step. Share these details withcluster administrators who need to set up their clusters.

Identity provider setup information

This section provides steps for registering a client application withMicrosoft Active Directory Federation Services (AD FS) or with Microsoft EntraID.

Microsoft AD FS

Use a set of AD FS management wizards to configure your AD FS server and AD userdatabase.

  1. Open the AD FS management pane.

  2. SelectApplication Groups >Actions >Add an Application Group.

  3. SelectServer Application. Enter a name and description of your choice.ClickNext.

  4. Enter your two redirect URLs, as specified above. You are given a client ID.AD FS identifies the cluster by using this client ID. Save theclient ID for later.

  5. SelectGenerate a shared secret. The Kubernetes authenticationmechanism uses this secret to authenticate to the AD FS server. Save thesecret for later.

Configuring security groups (optional)

  1. In AD FS management, selectRelying party trusts >Add a new relyingparty trust.

  2. SelectClaims aware, and clickStart.

  3. SelectEnter data about relying party manually.

  4. Enter a display name.

  5. Skip the next two steps.

  6. Enter a Relying party trust identifier. Suggestion:token-groups-claim.

  7. ForAccess control policy, selectPermit everyone. This means thatall users share their security group information with the gcloud CLI andGoogle Cloud console.

  8. ClickFinish.

Mapping LDAP attributes to claim names

  1. In AD FS management, selectRelying party trusts >Edit claim issuancepolicy.

  2. SelectSend LDAP Attributes as Claims, and clickNext.

  3. ForClaim rule name, entergroups.

  4. ForAttribute store, selectActive Directory.

  5. In the table, forLDAP Attribute, select:

    • AD FS version 5.0 and later:Token-Groups Qualified by Domain name
    • AD FS versions before 5.0:Token Groups - Qualified Names

  6. ForOutgoing Claim Type, select:

    • AD FS version 5.0 and later:Group
    • AD FS versions before 5.0:groups

  7. ClickFinish, and clickApply.

Registering the Kubernetes client application with AD FS

Open a PowerShell window in Administrator mode, and enter this command:

Grant-AD FSApplicationPermission `  -ClientRoleIdentifier "[CLIENT_ID]" ` -ServerRoleIdentifier[SERVER_ROLE_IDENTIFIER] `  -ScopeName "allatclaims", "openid"

Replace the following:

  • [CLIENT_ID] is the client ID that you obtained previously.

  • [SERVER_ROLE_IDENTIFIER] is the claim identifier you enteredpreviously. Recall that the suggested identifier wastoken-groups-claim.

Microsoft Entra ID

To register an OAuth client with Microsoft Entra ID, complete the steps at the followinglinks:

  1. If you haven't done so already,Set up a Microsoft Entra tenant.

  2. Register an application in Microsoft Entra ID.

  3. In the Microsoft Entra admin center, open theApp registrations pageand select your application. The application overview page opens.

  4. Create a client secret:

    1. In the navigation menu, clickCertificates & Secrets.
    2. Click theClient secrets tab.
    3. ClickNew client secret. Name your secret and clickAdd.
    4. Save theValue of the secret in a secure location. You will notbe able to retrieve it after you close or refresh the page.

    For more information, seeAdd and manage application credentials in Microsoft Entra ID.

  5. Add redirect URIs:

    1. In the navigation menu, clickAuthentication.
    2. In thePlatform configurations section, clickAdd a platform. TheConfigure platforms pane opens.
    3. ClickWeb.
    4. In theRedirect URIs field, enterhttp://localhost:PORT/callback for thegcloud CLI login flow. Pick aPORT greaterthan 1024.
    5. ClickConfigure.
    6. ClickAdd URI to add another URI.
    7. Enterhttps://console.cloud.google.com/kubernetes/oidc for theGoogle Cloud console login flow.
    8. Save your configuration.

    For more information, seeHow to add a redirect URI to your application.

Now your client registration is complete. You should have the following info to share with your cluster administrator:

  • Issuer URI:https://login.microsoftonline.com/TENANT_ID/v2.0. Thetenant ID is displayed as theDirectory (tenant) ID in the applicationoverview page in the Microsoft Entra admin center.

  • Client ID: The client ID is displayed as theApplication (client) IDin the application overview page in the Microsoft Entra admin center.

  • Client Secret: The value of the client secret that you created whenyou registered the client application. If you don't have access to thisvalue, generate a new secret.

Advanced setup for Microsoft Entra ID

Consider using this advanced setup only when you want to set up clusterswith Microsoft Entra ID group-based authorization policies where users ofthe clusters belong to more than 200 Microsoft Entra ID groups.The advanced setup for Microsoft Entra ID supports the following platforms:

  • On-premises Google Distributed Cloud (both VMware and bare metal): From version 1.14
  • GKE on AWS: From version 1.14 (Kubernetes version of 1.25 or later)
  • GKE on Azure: From version 1.14 (Kubernetes version of 1.25 or later)

Before you begin, make sure that each user has an associated email addressconfigured as their identifier in Microsoft Entra ID. This email address isused to assert the user's identity and authenticate the request.

You need to ensure that the client you 'registered in the previous section has delegated permissions to get user and group information fromthe Microsoft Graph API. These permissions let the Kubernetesauthentication mechanism access the Microsoft Graph API endpoints from which group information isfetched. Without this step, the cluster can't get group informationfor the user, which causes RBAC authorization policies based on groups tonot work as expected.

You need to have global admin or organization admin permissions to perform this setup step.

  1. Sign in to the Microsoft Entra admin center.
  2. Select the Microsoft Entra tenant that has your client application.
  3. SelectApp registrations, and then select your client application.
  4. SelectAPI permissions - Add a permission - Microsoft Graph - Delegated permissions.
  5. Under theGroup tab, checkGroup.Read.All. Under theUser tab, checkUser.Read.All.
  6. ClickAdd permissions to complete the process.
  7. Grant consent on behalf of all users by clickingGrant adminconsent for.... For more information, seeMore on API permissions and admin consent.

Share the identity provider details

Share the following provider information with your cluster administrator for cluster setup:

  • The provider's issuer URI
  • The client secret
  • The client ID
  • The redirect URI and port you specified for the gcloud CLI
  • The user name field (claim) that your provider uses to identify users in its tokens (the assumed default when configuring clusters issub)
  • The group name field (claim) that your provider uses to return security groups, if any.
  • Any additional scopes or parameters that are specific to your provider, as described in the previous section. For example, if your authorization server prompts for consent for authentication with Microsoft Entra ID and Okta, the cluster admin needs to specifyprompt=consent as a parameter. If you have configured AD FS to provide security group information, the relevant additional parameter isresource=token-groups-claim (or whatever you chose as your relying party trust identifier).
  • (Optional) If your provider is not using a certificate signed by a public certificate authority (for example if you are using self-signed certificates), then you will need a certificate (or certificate chain) of the identity provider. The certificate (or certificate chain) needs to contain the root certificate at a minimum (partial chains are accepted, as long as the chain is contiguous back to the root certificate). When providing this value in ClientConfig, it needs to be formatted as a base64 encoded string. To create the string, concatenate the complete PEM-encoded certificate(s) into a single string and then base64 encode it.

For more information about the configuration parameters for clusters,seeConfigure clusters.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.