Log in with ZITADEL on Google Cloud with Workforce Identity Federation (OIDC)
This guide shows how to log in users and assign roles on Google Cloud with Workforce Identity Federation.
It covers how to:
- create and configure your application in ZITADEL
- configure an Action to transform claims
- create and configure the connection to Google Cloud with Workforce Identity Federation using OpenID Connect (OIDC)
Prerequisites:
- existing ZITADEL Instance, if not present follow this guide
- existing ZITADEL Organization, if not present follow this guide
- existing ZITADEL project, if not present follow the first 3 steps here
- prerequisites on Google Cloud side in the configuration guide.
We have to switch between ZITADEL and Google Cloud. If a heading begins with "ZITADEL", switch to the ZITADEL Console; if a heading begins with "Google Cloud", refer to the configuration guide on Google Cloud.
Google Cloud: Configure
Follow the steps Before you begin, Required roles, and Create a workforce identity pool (OIDC) in the configuration guide.
Before you create the workforce identity pool provider you should create your application in ZITADEL.
ZITADEL: Create the application
In your existing project, first create the application.
Google Cloud requires only an ID token (a JWT) that includes the required and optional scopes described in its configuration guide.
Create a new application and click on "I'm a pro. Skip this wizard."
- Application Type: Web
- Grant Types: Implicit
- Response Type: ID Token
- Authentication Method: None
You need to add the redirect URL and configure token settings after creating the application.
ZITADEL: Redirect URL
After creating the application, go to the application settings "Redirect settings" and add the redirect URL from Google's configuration guide.
It looks something like https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID.
Save the settings.
Make sure to replace WORKFORCE_POOL_ID and WORKFORCE_PROVIDER_ID with your values in the redirect URL.
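The following Python example is added here to illustrate what the application settings above (Web, Implicit, ID Token, no client authentication) and the redirect URL mean on the wire; it is not part of the original guide and is not ZITADEL or Google code. It builds the Google callback URL while refusing the unreplaced WORKFORCE_POOL_ID and WORKFORCE_PROVIDER_ID placeholders, constructs the implicit-flow authorization request that Google sends to ZITADEL, and validates the fragment response by checking state, nonce, issuer, audience and expiry. The instance URL, client ID and the /oauth/v2/authorize endpoint path are assumptions; the ID token used in the demo is constructed and unsigned, so signature verification against ZITADEL's JWKS, which the real relying party (Google) performs, is not shown.

```python
import base64
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example; replace them with your own instance and app.
ZITADEL_ISSUER = "https://example-instance.zitadel.cloud"  # assumed instance URL
CLIENT_ID = "123456789012345678@myproject"                 # constructed client ID
PLACEHOLDERS = ("WORKFORCE_POOL_ID", "WORKFORCE_PROVIDER_ID")


def workforce_redirect_url(pool_id: str, provider_id: str) -> str:
    """Build the Google sign-in callback URL to register as redirect URL in ZITADEL.

    Refuses the literal placeholders from Google's guide so an unreplaced template
    is caught before it is saved in the application settings.
    """
    for value in (pool_id, provider_id):
        if not value or value in PLACEHOLDERS:
            raise ValueError(f"replace the placeholder {value!r} with your real ID")
    return ("https://auth.cloud.google/signin-callback/locations/global/"
            f"workforcePools/{pool_id}/providers/{provider_id}")


def authorization_request(redirect_uri: str, state: str, nonce: str) -> str:
    """The implicit-flow request Google sends to ZITADEL for this app configuration.

    Grant Type Implicit + Response Type ID Token + Authentication Method None means
    response_type=id_token, no client secret, and the token returned in the fragment.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "id_token",
        "scope": "openid profile email",
        "state": state,  # ties the callback to the request that started it
        "nonce": nonce,  # must be echoed inside the ID token; blocks token replay
    }
    # /oauth/v2/authorize is assumed to be the instance's OIDC authorization endpoint.
    return f"{ZITADEL_ISSUER}/oauth/v2/authorize?{urlencode(params)}"


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for demonstration only (dummy signature segment)."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.dummy"


def check_callback(callback_url: str, expected_state: str, expected_nonce: str,
                   now: Optional[float] = None) -> dict:
    """Validate the fragment response and the ID token's standard claims.

    Signature verification against the issuer's JWKS is out of scope here and must
    happen before any claim returned by this function is trusted.
    """
    fragment = parse_qs(urlparse(callback_url).fragment)
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "id_token" not in fragment:
        raise ValueError("no id_token in fragment")
    try:
        _header, payload, _signature = fragment["id_token"][0].split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected three segments")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    checks = {
        "iss": claims.get("iss") == ZITADEL_ISSUER,
        "aud": CLIENT_ID in audiences,
        "nonce": claims.get("nonce") == expected_nonce,
        "exp": isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now,
        "sub": bool(claims.get("sub")),
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError(f"ID token rejected: {', '.join(failed)}")
    return claims


if __name__ == "__main__":
    redirect = workforce_redirect_url("my-pool", "zitadel-oidc")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(authorization_request(redirect, state, nonce))
    token = constructed_id_token({"iss": ZITADEL_ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                                  "nonce": nonce, "exp": int(time.time()) + 300})
    callback = f"{redirect}#{urlencode({'id_token': token, 'state': state})}"
    print("subject:", check_callback(callback, state, nonce)["sub"])
```

Running the script prints the authorization request URL and the subject recovered from the constructed callback; the state and nonce checks are what make the implicit flow safe to use without a client secret, which is why the application is configured with Authentication Method None.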