Stay organized with collections
Save and categorize content based on your preferences.
Configure SAML providers for GKE Identity Service
This document is for platform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosen Security Assertion Markup Language (SAML) identity provider for GKE Identity Service.
Register GKE Identity Service with your provider
To register GKE Identity Service for the identity provider, you need the following information:
EntityID - This is a unique identifier that represents the GKE Identity Service for the provider. This is derived from the URL of the API server. For example, if the APISERVER-URL is https://cluster.company.com, then the EntityID should be https://cluster.company.com:11001. Note that the URL has no trailing slashes.
AssertionConsumerServiceURL - This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if the APISERVER-URL is https://cluster.company.com, then the AssertionConsumerServiceURL should be https://cluster.company.com:11001/saml-callback.
Provider setup information
This section provides additional provider-specific information for registering GKE Identity Service.
If your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions.
Azure AD
If you haven't done so already, Set up a tenant on Azure Active Directory.
Review the Attributes & Claims section to add any new attributes.
Under SAML Certificates, click Certificate (Base64) to download the identity provider certificate.
Under Set up app section, copy the Login URL and Azure AD identifier.
Set SAML assertion lifespan
For enhanced security, configure your SAML provider to issue assertions with a
short lifespan, such as 10 minutes. This setting is configurable within your
SAML provider's settings.
Setting the lifespan to less than 5 minutes might cause login issues if the
clocks between GKE Identity Service and your SAML provider aren't
synchronized.
Share provider details
At the time of registering the provider, you must share the following information with your cluster administrator. These details are obtained from the provider metadata and required at the time of configuring GKE Identity Service with SAML.
idpEntityID - This the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called Azure AD identifier.
idpSingleSignOnURL - This is the endpoint to which the user is redirected for sign up. This is also called the Login URL.
idpCertificateDataList- This is the public certificate used by the identity provider for SAML assertion verification.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Configure SAML providers for GKE Identity Service\n=================================================\n\nThis document is for **platform administrators** , or whoever manages identity setup in your organization. It explains how to configure your chosen [Security Assertion Markup Language (SAML)](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) identity provider for GKE Identity Service.\n\nRegister GKE Identity Service with your provider\n------------------------------------------------\n\nTo register GKE Identity Service for the identity provider, you need the following information:\n\n- `EntityID` - This is a unique identifier that represents the GKE Identity Service for the provider. This is derived from the URL of the API server. For example, if the \u003cvar translate=\"no\"\u003eAPISERVER-URL\u003c/var\u003e is `https://cluster.company.com`, then the `EntityID` should be `https://cluster.company.com:11001`. Note that the URL has no trailing slashes.\n- `AssertionConsumerServiceURL` - This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if the \u003cvar translate=\"no\"\u003eAPISERVER-URL\u003c/var\u003e is `https://cluster.company.com`, then the `AssertionConsumerServiceURL` should be `https://cluster.company.com:11001/saml-callback`.\n\nProvider setup information\n--------------------------\n\nThis section provides additional provider-specific information for registering GKE Identity Service.\nIf your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions. \n\n### Azure AD\n\n1. If you haven't done so already, [Set up a tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) on Azure Active Directory.\n2. [Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).\n3. Open the [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) page on the Azure Portal and select your application by name.\n4. Under **Manage** , select **Authentication** settings.\n5. Under **Platform Configurations** , select **Enterprise Applications**.\n6. In the **Set up Single Sign-On with SAML** , edit the **Basic SAML Configuration**.\n7. Under **Identifier (Entity ID)** section, select **Add Identifier**.\n8. Enter the *EntityID* and *Reply URL* that you derived from [Registering GKE Identity Service with your provider](#registersamlprovider)\n9. Click **Save** to save these settings.\n10. Review the **Attributes \\& Claims** section to add any new attributes.\n11. Under **SAML Certificates** , click **Certificate (Base64)** to download the identity provider certificate.\n12. Under **Set up app** section, copy the *Login URL* and *Azure AD identifier*.\n\n### Set SAML assertion lifespan\n\nFor enhanced security, configure your SAML provider to issue assertions with a\nshort lifespan, such as 10 minutes. This setting is configurable within your\nSAML provider's settings.\n\nSetting the lifespan to less than 5 minutes might cause login issues if the\nclocks between GKE Identity Service and your SAML provider aren't\nsynchronized.\n\nShare provider details\n----------------------\n\nAt the time of registering the provider, you must share the following information with your cluster administrator. These details are obtained from the provider metadata and required at the time of configuring GKE Identity Service with SAML.\n\n- `idpEntityID` - This the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called *Azure AD identifier*.\n- `idpSingleSignOnURL` - This is the endpoint to which the user is redirected for sign up. This is also called the *Login URL*.\n- `idpCertificateDataList`- This is the public certificate used by the identity provider for SAML assertion verification.\n\nWhat's next\n-----------\n\nYour cluster administrator can set up GKE Identity Service for [individual clusters](/kubernetes-engine/enterprise/identity/setup/saml-per-cluster) or a [fleet](/kubernetes-engine/enterprise/identity/setup/fleet)."]]
