Configure SAML providers for GKE Identity Service

This document is for platform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosen Security Assertion Markup Language (SAML) identity provider for GKE Identity Service.

Register GKE Identity Service with your provider

To register GKE Identity Service for the identity provider, you need the following information:

  • EntityID - This is a unique identifier that represents the GKE Identity Service for the provider. This is derived from the URL of the API server. For example, if the APISERVER-URL is https://cluster.company.com, then the EntityID should be https://cluster.company.com:11001. Note that the URL has no trailing slashes.
  • AssertionConsumerServiceURL - This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if the APISERVER-URL is https://cluster.company.com, then the AssertionConsumerServiceURL should be https://cluster.company.com:11001/saml-callback.

Provider setup information

This section provides additional provider-specific information for registering GKE Identity Service. If your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions.

Azure AD

  1. If you haven't done so already, Set up a tenant on Azure Active Directory.
  2. Register an application with the Microsoft identity platform.
  3. Open the App registrations page on the Azure Portal and select your application by name.
  4. Under Manage, select Authentication settings.
  5. Under Platform Configurations, select Enterprise Applications.
  6. In the Set up Single Sign-On with SAML, edit the Basic SAML Configuration.
  7. Under Identifier (Entity ID) section, select Add Identifier.
  8. Enter the EntityID and Reply URL that you derived from Registering GKE Identity Service with your provider
  9. Click Save to save these settings.
  10. Review the Attributes & Claims section to add any new attributes.
  11. Under SAML Certificates, click Certificate (Base64) to download the identity provider certificate.
  12. Under Set up app section, copy the Login URL and Azure AD identifier.

Set SAML assertion lifespan

For enhanced security, configure your SAML provider to issue assertions with a short lifespan, such as 10 minutes. This setting is configurable within your SAML provider's settings.

Setting the lifespan to less than 5 minutes might cause login issues if the clocks between GKE Identity Service and your SAML provider aren't synchronized.

Share provider details

At the time of registering the provider, you must share the following information with your cluster administrator. These details are obtained from the provider metadata and required at the time of configuring GKE Identity Service with SAML.

  • idpEntityID - This the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called Azure AD identifier.
  • idpSingleSignOnURL - This is the endpoint to which the user is redirected for sign up. This is also called the Login URL.
  • idpCertificateDataList- This is the public certificate used by the identity provider for SAML assertion verification.

What's next

Your cluster administrator can set up GKE Identity Service for individual clusters or a fleet.