Google Cloud Platform SAML Integration Guide
Prerequisites
- Administrator access to the Google Cloud Console
- A SplitSecure Identity Provider created and approved
- A Google Cloud organization set up
- The IAM Workforce Pool Admin role (roles/iam.workforcePoolAdmin) or Owner role on the organization
- IAM and Resource Manager APIs enabled
- A separate browser or browser profile with SplitSecure configured (for testing)
GCP Configuration
1 Create a Workforce Identity Pool
- Go to Workforce Identity Pools page
- Select your organization
- Click Create Pool
- Configure the pool settings:
| Field | Value | Notes |
|---|---|---|
| Name | e.g., “SplitSecure Pool” | Display name for the pool |
| Pool ID | (Auto-generated from name) | Take note of this value |
| Description | (Optional) | e.g., “Workforce pool for SplitSecure SSO” |
Important
The pool ID cannot be changed after creation and must be unique within your organization. The prefix gcp- is reserved and cannot be used.
- Click Next
2 Add a SAML Identity Provider
- In the Providers section, click Add Provider
- For Select a Provider vendor, choose Generic Identity Provider
- For Select an authentication protocol, choose SAML
- Click Continue
| Field | Value | Notes |
|---|---|---|
| Name | e.g., “SplitSecure Provider” | Display name for the provider |
| Provider ID | (Auto-generated) | Take note of this value |
| Description | (Optional) | e.g., “SplitSecure SAML provider” |
| IDP metadata file (XML) | Upload the metadata file from SplitSecure | Download at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Metadata |
| Enable provider | On | |
- Click Continue
- The “Share your provider information with IdP” card appears; you can safely continue past it, because the SplitSecure interface will ask you for the Workforce Pool ID and the Workforce Provider ID
- Set the Attribute mapping to map your IdP attributes to GCP attributes
- Optionally add attribute conditions and enable Detailed Logging
- Click Submit
SplitSecure Configuration
1 Configure SplitSecure with GCP SP Details
- In SplitSecure, navigate to Secure Accounts → Create Account → Google Cloud Platform
- Enter a name for your account
- Select the Identity Provider
- Configure the following:
| Field | Value |
|---|---|
| Workforce Pool ID | e.g., splitsecurepool |
| Workforce Provider ID | e.g., split-secure-provider |
You can find these values on the Workforce Identity Pools page.
- Click Create Account
Grant IAM Access to Federated Users
Before users can access GCP resources, you must grant them IAM roles.
1 Navigate to IAM
- In the Google Cloud Console, go to IAM & Admin → IAM
- Select the project, folder, or organization where you want to grant access
2 Grant Roles to Federated Principals
Click Grant Access and add principals using the following formats:
Grant Access to a Single User
principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/USER_SUBJECT
Replace USER_SUBJECT with the user’s subject attribute value (e.g., email).
Grant Access to a Group
principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID
Grant Access to All Users in the Pool
principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*
More at Principal Identifiers
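As an added example (not from the SplitSecure guide and not Google's own tooling), the gcloud commands that correspond to the attribute mapping and attribute condition step of "Add a SAML Identity Provider" and to the principal identifier formats above, assembled as strings so they can be reviewed before anything is run. The organization, project, pool and provider IDs, metadata path, email domain and group name are placeholder assumptions.

```shell
#!/bin/sh
# Added example: gcloud equivalents of the Console steps, built as reviewable strings.
# All IDs, the org/project, the metadata path and the IdP attribute name "groups"
# are placeholder assumptions; replace them with your own values.
ORG_ID="000000000000"
PROJECT_ID="my-project"
POOL_ID="splitsecurepool"
PROVIDER_ID="split-secure-provider"
METADATA="./splitsecure-metadata.xml"

# CEL attribute mapping: google.subject becomes the IAM subject matched by
# principal://.../subject/ bindings; google.groups is matched by .../group/ bindings.
ATTRIBUTE_MAPPING='google.subject=assertion.subject,google.groups=assertion.attributes.groups'
# CEL attribute condition: reject assertions from other tenants of a shared IdP
# before any IAM role is evaluated (domain and group name are assumptions).
ATTRIBUTE_CONDITION="assertion.subject.endsWith('@example.com') && 'gcp-users' in assertion.attributes.groups"

# The guide says the gcp- prefix is reserved; the charset/length rule below is an
# assumed conservative check, not GCP's full validation.
check_pool_id() {
  case "$1" in gcp-*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{3,62}$'
}

# IAM principal identifiers in the three formats listed above.
principal_user()  { printf 'principal://iam.googleapis.com/locations/global/workforcePools/%s/subject/%s\n' "$POOL_ID" "$1"; }
principal_group() { printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/group/%s\n' "$POOL_ID" "$1"; }
principal_all()   { printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/*\n' "$POOL_ID"; }

pool_create_cmd() {
  check_pool_id "$POOL_ID" || { echo "invalid pool ID: $POOL_ID" >&2; return 1; }
  printf 'gcloud iam workforce-pools create %s --organization=%s --location=global --display-name="SplitSecure Pool"\n' "$POOL_ID" "$ORG_ID"
}
provider_create_cmd() {
  printf "gcloud iam workforce-pools providers create-saml %s --workforce-pool=%s --location=global --idp-metadata-path=%s --attribute-mapping='%s' --attribute-condition=\"%s\"\n" \
    "$PROVIDER_ID" "$POOL_ID" "$METADATA" "$ATTRIBUTE_MAPPING" "$ATTRIBUTE_CONDITION"
}
# $1 = role, $2 = principal identifier; prefer a narrow role over Editor or Owner.
grant_cmd() { printf 'gcloud projects add-iam-policy-binding %s --role=%s --member="%s"\n' "$PROJECT_ID" "$1" "$2"; }

# Print the commands for review; nothing is executed against GCP here.
pool_create_cmd
provider_create_cmd
grant_cmd roles/viewer "$(principal_group gcp-users)"
grant_cmd roles/storage.objectViewer "$(principal_user alice@example.com)"
```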
3 Assign Roles
- In the New principals field, enter the principal identifier
- In Select a role, choose the appropriate role (e.g., Viewer, Editor, Storage Admin)
- Click Save
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 Access the Federated Console
Users can access the Google Cloud Console (federated) using the following URL format:
https://console.cloud.google/
Or use the workforce provider-specific sign-in URL:
https://auth.cloud.google/signin/locations/global/workforcePools/POOL_ID/providers/PROVIDER_ID
2 Test Authentication (SP-Initiated)
- Navigate to the federated console URL
- You should be redirected to SplitSecure for authentication
- Enter your email address when prompted
- Click Request Access
- Complete the authentication flow
- Upon success, you’ll be redirected to the Google Cloud Console
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User cannot access resources | No IAM roles granted | Grant appropriate roles to the federated principal |
| Attribute mapping errors | Incorrect CEL expression | Check attribute mapping syntax; enable detailed audit logging |
| “Subject not found” error | NameID mismatch | Ensure SAML NameID matches the expected subject format |
| Session expires too quickly | Default session duration | Increase session duration in pool settings |
| User not in correct group | Group attribute not mapped | Add google.groups attribute mapping |
| Multi-tenant IdP access issue | Missing attribute condition | Add attribute condition to restrict access to correct tenant |
External Resources
- Workload Identity Federation — SAML-based workload federation setup
- Workforce Identity Federation — User authentication configuration