---
title: "GCP Configuration Using Ping Identity as an OpenID Connect Identity Provider"
slug: "fortanix-key-insight-gcp-configuration-using-ping-identity-as-an-openid-connect-idp"
updated: 2026-03-23T06:33:44Z
published: 2026-03-23T06:38:28Z
---


# GCP Configuration Using Ping Identity as an OpenID Connect Identity Provider

## 1.0 Introduction

This article outlines the necessary steps required to configure a connection between **Fortanix Key Insight**, Google Cloud Platform (**GCP**), and **Ping Identity** as an OpenID Connect (OIDC) Identity Provider (IdP) using the **Client credentials flow**.

**Federated authentication** in GCP enables workloads to access Google Cloud resources using credentials issued by an external Identity Provider, such as Ping Identity. This setup allows organizations to use a centralized Identity Provider without distributing Google service account keys to external systems.

Configuring Ping Identity as an OIDC IdP with GCP involves the following steps:

- Register a client application in Ping Identity.
- Obtain the client ID and client secret.
- Obtain the OpenID configuration document (well-known) URL.
- Verify the client application configuration.
- Configure a Workload Identity Pool and Provider in GCP.
- Grant the required IAM permissions to the Google service account.
- Onboard the GCP connection in the Fortanix Key Insight user interface (UI).

> [!WARNING]
> When configuring Google Cloud with an external identity provider (such as Ping Identity), even minor mismatches in settings (such as issuer URL, audience, or claims mapping) can cause authentication failures, often with unclear error messages.
> 
> *Refer to the official documentation for both Google Cloud and your Identity Provider for detailed configuration and troubleshooting guidance.*

## 2.0 Register a Client Application with Ping Identity

Perform the following steps to register a client application in Ping Identity:

1. Set up an OIDC web application in Ping Identity:

*For more information, refer to the* [*Ping Identity official documentation*](https://docs.pingidentity.com/pingone/applications/p1_applications_add_applications.html)*.*
  1. Navigate to the **Applications** section in the **Ping Identity** console.
  2. Click the '**+**' icon next to the **Applications** title to add a new application.
  3. Configure the application with the following:
    1. **Application Name**: Enter the application name.
    2. **Description**: Enter your app description.
    3. **Icon**: Add your app icon.
    4. **Application Type:** Select **OIDC Web App**.
    5. Click **Save** to add a new application.
2. Edit the **Configuration** section of the newly created OIDC application:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-245b60ao.png)

**Figure 1: Application configuration**

*For more information, refer to the* [*Ping Identity official documentation*](https://docs.pingidentity.com/pingone/applications/p1_edit_application_oidc.html)*.*
  1. **Response Type: Token**
  2. **Grant Type**: **Client Credentials** (The **Implicit** grant type may remain enabled due to Ping UI defaults, but is not used in this integration).
  3. **Token Endpoint Authentication Method: Client Secret Basic**
3. Edit the **Resources** section of the application and add the custom resource **ping_one_gcp_federation** that was created earlier. This resource is requested during token issuance and is used in the **scope** when Fortanix Key Insight requests an access token from Ping Identity.

*For more information on creating a custom resource, refer to the* [*Ping Identity official documentation*](https://docs.pingidentity.com/pingone/applications/p1_adding_custom_resource.html)*.*

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-su1gbhn2.png)

**Figure 2: Configure resource section**

## 3.0 Obtain the Client ID and Client Secret

The Client ID uniquely identifies the registered application, and the Client Secret is used to authenticate the client during token requests.

To retrieve these values:

1. Navigate to the application’s **Overview** section in Ping Identity.
2. Copy the **Client ID**.
3. Copy the **Client Secret**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-usphamqf.png)

**Figure 3: Obtain Client ID and Secret**

> [!NOTE]
> Ensure both values are stored securely. They are required when configuring the GCP connection in the Fortanix Key Insight UI.

## 4.0 Obtain the OpenID Configuration Document (well-known) URL

An OpenID Connect provider exposes a standard discovery endpoint that contains metadata required for token validation.

To retrieve the well-known URL:

1. Navigate to the application’s **Overview** section in Ping Identity.
2. Copy the **OIDC Discovery Endpoint** value.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-1scit5om.png)

**Figure 4: Access Well-known URL**

> [!NOTE]
> Be sure to record the well-known URL. This value is required when configuring the identity provider during GCP cloud connection onboarding in the Fortanix Key Insight UI.

## 5.0 Verify the Application Configuration

After completing the Ping Identity configuration, validate the setup directly from the application.

1. On the **Configuration** tab, click **Get Access Token** to generate a token.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-8usa5tpq.png)

**Figure 5: Obtain the Access Token**
2. After the token is generated, copy the **Access Token** and paste it into [JWT Debugger](https://jwt.io) to decode its claims.

Review the decoded token to confirm that the configuration is correct before proceeding.
3. Copy the following values. They are required later when configuring Google Cloud.
  - `iss` (Issuer) – Verify that the issuer aligns with the issuer configured in Google Cloud.
  - `aud` (Audience) – Verify that the audience aligns with the configured audience in Google Cloud.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-pld8mmqj.png)

**Figure 6: Decode the Access Token**
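The check in this section can also be done offline, which keeps the access token (a bearer credential) on the workstation. The following is an added example, not Fortanix or Ping Identity code: it decodes the token payload without verifying the signature and compares `iss`, `aud`, and `client_id` with the values that will be entered in the GCP provider. The issuer, audience, client ID, and token below are constructed placeholders.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload locally. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims: dict, issuer: str, allowed_audiences: list, now=None) -> list:
    """Compare token claims with the provider settings; return a list of problems."""
    now = time.time() if now is None else now
    problems = []
    iss = claims.get("iss")
    if iss != issuer:  # exact string comparison, so a trailing slash is a mismatch
        near = isinstance(iss, str) and iss.rstrip("/") == issuer.rstrip("/")
        problems.append(f"iss {iss!r} != provider issuer {issuer!r}"
                        + (" (trailing slash only)" if near else ""))
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if not set(token_auds) & set(allowed_audiences):
        problems.append(f"aud {aud!r} not in allowed audiences {allowed_audiences!r}")
    if not claims.get("client_id"):  # source of the google.subject mapping
        problems.append("client_id claim missing; google.subject would be empty")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

# Constructed sample values (placeholders, not taken from the page).
SAMPLE_ISS = "https://idp.example.test/ENV_ID/as"
SAMPLE_AUD = "https://gcp-federation.example.test"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": SAMPLE_ISS, "aud": [SAMPLE_AUD],
                        "client_id": "CLIENT_ID_PLACEHOLDER",
                        "exp": 4102444800}).encode()),
    "signature-not-checked",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    # Provider issuer entered with an extra trailing slash: reported as a mismatch.
    print(check_claims(claims, SAMPLE_ISS + "/", [SAMPLE_AUD]) or "claims match")
```

An empty list from `check_claims` means the recorded `iss` and `aud` values can be entered in GCP as they appear in the token.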

## 6.0 Set Up Workload Identity Federation in Google Cloud Platform

Perform the following steps to configure Workload Identity Federation in the GCP platform:

### 6.1 Create a Google Cloud Service Account

Perform the following steps to create a **Google Cloud Service Account**:

1. Sign in to the **Google Cloud Console**.
2. Navigate to **IAM & Admin → Service Accounts**.
3. Click **Create Service Account**.
4. Enter a name and description.
5. Click **Create and Continue**.
6. In the **Permissions (Optional)** section, click **Continue**.
7. Click **Done**.

**Example**: `scannerserviceaccount@my-project.iam.gserviceaccount.com`

### 6.2 Create a Workload Identity Pool

Perform the following steps to create a Workload Identity Pool:

1. Navigate to **IAM & Admin → Workload Identity Federation**.
2. Click **Create Pool**.
3. Enter a pool name. For example, **pingoneca**.
4. Save the pool.

### 6.3 Create an OIDC Provider in the Workload Identity Pool

After creating the pool, perform the following steps to create a new OIDC Provider within the pool:

1. Select the pool created in [*Section 6.2: Create a Workload Identity Pool*](/v1/docs/fortanix-key-insight-gcp-configuration-using-ping-identity-as-an-openid-connect-idp#62-create-a-workload-identity-pool).
2. On the provider configuration page, configure the following using values from the Ping Identity-issued JWT obtained in *Step 3* of [*Section 5.0: Verify the Application Configuration*](/v1/docs/fortanix-key-insight-gcp-configuration-using-ping-identity-as-an-openid-connect-idp#50-verify-the-application-configuration).
  - **Issuer (URL):** Enter the `iss` value.
  - **Allowed audiences:** Enter the `aud` value.
3. Ensure the **Enabled provider** toggle is enabled.
4. In the **Attribute mapping** section, verify that **Google 1 (google.subject)** is mapped to **OIDC 1 (assertion.client_id)**.
5. Click **Save** to complete the configuration.

> [!NOTE]
> In the **Audiences** section, select the **Default audience** option and copy the displayed value. This value is required later when configuring the GCP connection in Fortanix Key Insight.
> 
> **Example:** `https://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/providers/pingoneca`

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-ur9uvm0g.png)

**Figure 7: Configure OIDC provider in GCP**

## 7.0 Grant IAM Permissions in Google Cloud

Perform the following steps to grant access to the required resources:

1. Sign in to the **Google Cloud Console** and navigate to **IAM**.
2. Select the required project.
3. Click **Grant access**.
4. **New principals:** Enter the principal value.

   Construct this value using the **Default audience** obtained in *Step 3 of* [*Section 6.0: Set Up Workload Identity Federation in Google Cloud Platform*](/v1/docs/fortanix-key-insight-gcp-configuration-using-ping-identity-as-an-openid-connect-idp#60-set-up-workload-identity-federation-in-google-cloud-platform), with the following modifications:
   - Replace `https` with `principalSet`.
   - After the `workloadIdentityPools` name, replace everything that follows with `/*`.

   **Example:**

   **Default audience:** `https://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/providers/pingoneca`

   **Principal value:** `principalSet://iam.googleapis.com/projects/787320417052/locations/global/workloadIdentityPools/pingoneca/*`
5. **Select a role:** Select the **Workload Identity User** role.
6. Click **Save** to assign the required permissions.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight---gcp-configuration-using-ping-identity-as-an-openid-connect-idp-image-fcun29pw.png)

**Figure 8: Assign IAM Role**
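The principal construction in Step 4, as an added example (not Fortanix or Google code): it validates the shape of the **Default audience** before rewriting it, and also derives the single-subject `principal://` form that GCP IAM accepts when access should be limited to one mapped `google.subject` rather than every identity in the pool. The function names and `CLIENT_ID_PLACEHOLDER` are assumptions for illustration; the audience is the example value from this article.

```python
import re

# Shape of the "Default audience" value shown for a pool provider in GCP.
_AUDIENCE = re.compile(
    r"^https://iam\.googleapis\.com/"
    r"(?P<pool_path>projects/\d+/locations/global/workloadIdentityPools/[a-z0-9-]+)"
    r"/providers/[a-z0-9-]+$"
)

def _pool_path(default_audience: str) -> str:
    match = _AUDIENCE.match(default_audience.strip())
    if match is None:
        raise ValueError(f"not a provider default audience: {default_audience!r}")
    return match.group("pool_path")

def pool_principal_set(default_audience: str) -> str:
    """Every identity in the pool: the value this article enters in IAM."""
    return f"principalSet://iam.googleapis.com/{_pool_path(default_audience)}/*"

def subject_principal(default_audience: str, subject: str) -> str:
    """One identity only: the google.subject value (here the Ping client_id)."""
    if not re.fullmatch(r"[A-Za-z0-9._~-]+", subject):
        raise ValueError("subject must be a single literal value, no '/' or '*'")
    return f"principal://iam.googleapis.com/{_pool_path(default_audience)}/subject/{subject}"

# Default audience copied from the example in this article.
PAGE_AUDIENCE = ("https://iam.googleapis.com/projects/787320417052/locations/global/"
                 "workloadIdentityPools/pingoneca/providers/pingoneca")

if __name__ == "__main__":
    print(pool_principal_set(PAGE_AUDIENCE))
    # CLIENT_ID_PLACEHOLDER stands in for the client ID copied in Section 3.0.
    print(subject_principal(PAGE_AUDIENCE, "CLIENT_ID_PLACEHOLDER"))
```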

## 8.0 Onboard GCP Connection in Fortanix Key Insight

After completing the Ping Identity configuration, provide the following details in Fortanix Key Insight when onboarding the GCP connection using the **Client credentials flow**:

- Client ID
- Client Secret
- Well-known URL

*For more information on setting up an IdP configuration using the Client credentials flow during GCP connection onboarding, refer to* [*Getting Started with Cloud Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-cloud-connection#742-federated-authentication-client-credentials-flow)*.*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
