Google Cloud Platform
Configure GCP Workforce Identity Federation
Prerequisites
- Administrator access to the Google Cloud Console
- A SplitSecure Identity Provider created and approved
- A Google Cloud organization set up
- The IAM Workforce Pool Admin role (
roles/iam.workforcePoolAdmin) or Owner role on the organization - IAM and Resource Manager APIs enabled
- A separate browser or browser profile with SplitSecure configured (for testing)
GCP Configuration
Create a Workforce Identity Pool
Select your organization
Click Create Pool
Configure the pool settings:
Field Value Notes Name e.g., “SplitSecure Pool” Display name for the pool Pool ID (Auto-generated from name) Take note of this value Description (Optional) e.g., “Workforce pool for SplitSecure SSO”
The pool ID cannot be changed after creation and must be unique within your organization. The prefix gcp- is reserved and cannot be used.
Click Next
Add a SAML Identity Provider
- In the Providers section, click Add Provider
- For Select a Provider vendor, choose Generic Identity Provider
- For Select an authentication protocol, choose SAML
- Click Continue
| Field | Value | Notes |
|---|---|---|
| Name | e.g., “SplitSecure Provider” | Display name for the provider |
| Provider ID | (Auto-generated) | Take note of this value |
| Description | (Optional) | e.g., “SplitSecure SAML provider” |
| IDP metadata file (XML) | Upload the metadata file from SplitSecure | Download at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Metadata |
| Enable provider | On |
- Click Continue
- The “Share your provider information with IdP” card should appear, but you can safely continue since the SplitSecure interface will ask you for the Workforce Pool ID and the Workforce Provider ID
- Set the Attribute mapping to map your IdP attributes to GCP attributes
- Optionally add attribute conditions and enable Detailed Logging
- Click Submit
SplitSecure Configuration
Configure SplitSecure with GCP SP Details
In SplitSecure, navigate to Secure Accounts → Create Account → Google Cloud Platform
Enter a name for your account
Select the Identity Provider
Configure the following:
Field Value Workforce Pool ID e.g., splitsecurepool Workforce Provider ID e.g., split-secure-provider
You can find these values at Workforce Identity Pools page
Click Create Account
Grant IAM Access to Federated Users
Before users can access GCP resources, you must grant them IAM roles.
Navigate to IAM
- In the Google Cloud Console, go to IAM & Admin → IAM
- Select the project, folder, or organization where you want to grant access
Grant Roles to Federated Principals
Click Grant Access and add principals using the following formats:
Grant Access to a Single User
principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/USER_SUBJECT Replace USER_SUBJECT with the user’s subject attribute value (e.g., email).
Grant Access to a Group
principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID Grant Access to All Users in the Pool
principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/* More at Principal Identifiers
Assign Roles
- In the New principals field, enter the principal identifier
- In Select a role, choose the appropriate role (e.g.,
Viewer,Editor,Storage Admin) - Click Save
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
Access the Federated Console
Users can access the Google Cloud Console (federated) using the following URL format:
https://console.cloud.google/ Or use the workforce provider-specific sign-in URL:
https://auth.cloud.google/signin/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID Test Authentication (SP-Initiated)
- Navigate to the federated console URL
- You should be redirected to SplitSecure for authentication
- Enter your email address when prompted
- Click Request Access
- Complete the authentication flow
- Upon success, you’ll be redirected to the Google Cloud Console
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User cannot access resources | No IAM roles granted | Grant appropriate roles to the federated principal |
| Attribute mapping errors | Incorrect CEL expression | Check attribute mapping syntax; enable detailed audit logging |
| “Subject not found” error | NameID mismatch | Ensure SAML NameID matches the expected subject format |
| Session expires too quickly | Default session duration | Increase session duration in pool settings |
| User not in correct group | Group attribute not mapped | Add google.groups attribute mapping |
| Multi-tenant IdP access issue | Missing attribute condition | Add attribute condition to restrict access to correct tenant |
External Resources
- Workload Identity Federation SAML-based workload federation setup
- Workforce Identity Federation User authentication configuration
Last updated: