1.0 Introduction
This article outlines the steps required to configure a connection between Fortanix Key Insight, Google Cloud Platform (GCP), and Ping Identity as an OpenID Connect (OIDC) Identity Provider (IdP) using the Client credentials flow (machine-to-machine authentication).
Federated authentication in GCP enables workloads to access Google Cloud resources using credentials issued by an external Identity Provider, such as Ping Identity. This setup allows organizations to use a centralized Identity Provider without distributing Google service account keys to external systems.
Configuring Ping Identity as an OIDC IdP with GCP involves the following steps:
Register a client application in Ping Identity.
Obtain the client ID and client secret.
Obtain the OpenID configuration document (well-known) URL.
Verify the client application configuration.
Configure a Workload Identity Pool and Provider in GCP.
Grant the required IAM permissions to the Google service account.
Onboard the GCP connection in the Fortanix Key Insight user interface (UI).
WARNING
When configuring Google Cloud with an external identity provider (such as Ping Identity), even minor mismatches in settings (such as issuer URL, audience, claims mapping, or similar settings) can cause authentication failures, often with unclear error messages.
Refer to the official documentation for both Google Cloud and your Identity Provider for detailed configuration and troubleshooting guidance.
2.0 Register a Client Application with Ping Identity
Perform the following steps to register a client application in Ping Identity:
Set up an OIDC web application in Ping Identity:
Navigate to the Applications section in the Ping Identity console.
Click the '+' icon next to the Applications title to add a new application.
Enter the required values for Application Name, Description, and Icon.
Select OIDC Web App as the Application Type.
Save the application.
For more information, refer to Adding an Application.
Edit the Configuration section of the newly created OIDC application:
Response Type: Token
Grant Type: Client Credentials (The Implicit grant type may remain enabled due to Ping UI defaults but is not used in this integration).
Token Endpoint Authentication Method: Client Secret Basic

Figure 1: Application configuration
For more information, refer to Editing an application - OIDC.
Edit the Resources section of the application and add the custom resource ping_one_gcp_federation that was created earlier. This resource is requested during token issuance and is used in the scope when Fortanix Key Insight requests an access token from Ping Identity.
For more information on creating a custom resource, refer to Adding a custom resource.

Figure 2: Configure resource section
3.0 Obtain the Client ID and Client Secret
The Client ID uniquely identifies the registered application, and the Client Secret is used to authenticate the client during token requests.
To retrieve these values:
Navigate to the application’s Overview section in Ping Identity.
Copy the Client ID.
Copy the Client Secret.

Figure 3: Obtain Client ID and Secret
NOTE
Ensure both values are stored securely. They are required when configuring the GCP connection in the Fortanix Key Insight UI.
4.0 Obtain the OpenID Configuration Document (well-known) URL
An OpenID Connect provider exposes a standard discovery endpoint that contains metadata required for token validation.
To retrieve the well-known URL:
Navigate to the application’s Overview section in Ping Identity.
Copy the OIDC Discovery Endpoint value.

Figure 4: Access Well-known URL
NOTE
Record the well-known URL. This value is required when configuring the identity provider during GCP cloud connection onboarding in the Fortanix Key Insight UI.
5.0 Verify the Application Configuration
After completing the Ping Identity configuration, validate the setup directly from the application.
On the Configuration tab, click Get Access Token to generate a token.

Figure 5: Obtain the Access Token
After the token is generated, copy the Access Token and paste it into https://jwt.io to decode its claims.
Review the decoded token to confirm that the configuration is correct before proceeding.
Copy the following values; they are required later when configuring Google Cloud:
iss (Issuer) – Verify that the issuer matches the issuer configured in Google Cloud.
aud (Audience) – Verify that the audience matches the audience configured in Google Cloud.

Figure 6: Decode the Access Token
6.0 Set Up Workload Identity Federation in Google Cloud Platform
Perform the following steps to configure Workload Identity Federation in the GCP platform:
6.1 Create a Google Cloud Service Account
Perform the following steps to create a Google Cloud Service Account:
Sign in to the Google Cloud Console.
Navigate to IAM & Admin → Service Accounts.
Click Create Service Account.
Enter a name and description.
Click Create and Continue.
In the Permissions (Optional) section, click Continue.
Click Done.
Example: scannerserviceaccount@my-project.iam.gserviceaccount.com
6.2 Create a Workload Identity Pool
Perform the following steps to create a Workload Identity Pool:
Navigate to IAM & Admin → Workload Identity Federation.
Click Create Pool.
Enter a pool name. For example, pingoneca.
Save the pool.
6.3 Create an OIDC Provider in the Workload Identity Pool
After creating the pool, perform the following steps to create a new OIDC Provider within the pool:
Select the pool created in Section 6.2 Create a Workload Identity Pool.
On the provider configuration page, configure the following using values from the Ping Identity-issued JWT obtained in Step 3 of Section 5.0: Verify the Application Configuration.
Issuer (URL): Enter the iss value.
Allowed audiences: Enter the aud value.
Ensure the Enabled provider toggle is enabled.
In the Attribute mapping section, verify that Google 1 (google.subject) is mapped to OIDC 1 (assertion.client_id).
Click Save to complete the configuration.
NOTE
In the Audiences section, select the Default audience option and copy the displayed value. This value is required later when configuring the GCP connection in Fortanix Key Insight.
Example:
https://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/providers/pingoneca

Figure 7: Configure OIDC provider in GCP
7.0 Grant IAM Permissions in Google Cloud
Perform the following steps to grant access to the required resources:
Sign in to the Google Cloud Console and navigate to IAM.
Select the required project.
Click Grant access.
In the New principals field, enter the principal value.
Construct this value using the Default audience obtained in Section 6.3 Create an OIDC Provider in the Workload Identity Pool, with the following modifications:
Replace https with principalSet.
After the workloadIdentityPools name, replace everything that follows with /*.
Example:
Default audience:
https://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/providers/pingoneca
Principal value:
principalSet://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/*
In the Select a role drop-down list, select the Workload Identity User role.
Click Save to assign the required permissions.

Figure 8: Assign IAM Role
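A pre-flight check covering the claim review in Section 5.0 and the principal derivation in Section 7.0, added here as an example and not part of the Fortanix documentation or Ping/Google tooling: it decodes a constructed, unsigned sample token to compare iss and aud against the values to be entered as Issuer and Allowed audiences, and rewrites a Default audience into the principalSet value. The issuer URL, client ID and the token itself are placeholders; the Default audience in the usage is the page's own example.

```python
import base64
import json

# Constructed sample claims mimicking a Ping Identity client-credentials token.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com/as",     # placeholder issuer, not a real PingOne URL
    "aud": "ping_one_gcp_federation",        # custom resource requested in the scope
    "client_id": "EXAMPLE-CLIENT-ID",        # placeholder; mapped to google.subject in GCP
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

# Constructed unsigned token: header.payload.<placeholder signature>.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "signature-placeholder",
])

def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read without signature verification
    (GCP verifies the signature against the JWKS from the well-known document)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_federation_claims(claims: dict, issuer: str, allowed_audience: str) -> list:
    """List mismatches between the token and the provider's Issuer / Allowed audiences."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != provider issuer {issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if allowed_audience not in auds:
        problems.append(f"aud {aud!r} does not include {allowed_audience!r}")
    if not claims.get("client_id"):
        problems.append("client_id missing; google.subject is mapped from assertion.client_id")
    return problems

def principal_set_from_audience(default_audience: str) -> str:
    """Section 7.0 rewrite: https -> principalSet, then '/*' after the pool name."""
    marker = "/workloadIdentityPools/"
    if not default_audience.startswith("https://") or marker not in default_audience:
        raise ValueError("not a workload identity pool default audience")
    head, tail = default_audience.split(marker, 1)
    pool = tail.split("/", 1)[0]
    return "principalSet://" + head[len("https://"):] + marker + pool + "/*"
```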
8.0 Onboard GCP Connection in Fortanix Key Insight
After completing the Ping Identity configuration, provide the following details in Fortanix Key Insight when onboarding the GCP connection using the Client credentials flow:
Client ID
Client Secret
Well-known URL
Scopes
For more information on configuring an IdP using the Client credentials flow during GCP connection onboarding, refer to Getting Started with Cloud Connection.