Set up an identity provider

An important first step in setting up Trusted Cloud by S3NS is setting up an identity provider (IdP), so that members of your organization can sign in to Trusted Cloud, and be authorized to use services and resources with IAM. In Trusted Cloud, you bring your own identity provider using Workforce Identity Federation, which lets you continue to use existing user IDs and groups if required. You can use Workforce Identity Federation with any IdP that supports OpenID Connect (OIDC) or SAML 2.0, including Microsoft Entra ID, Active Directory Federation Services (AD FS), and Okta.

This page is for administrators who need to set up an identity provider for a new organization in Trusted Cloud, including configuring an organization administrator role.

If your organization already has its identity provider set up (with you as organization administrator) and you just need to set up new projects, networks, and other resources for users, you can skip this guide and go straight to Set up your organization. For other users who need to get started, including developers and other technical practitioners, see Get started with Trusted Cloud.

Before you read this guide, you should:

• Understand the basic Trusted Cloud concepts described in the Trusted Cloud overview, including Trusted Cloud organizations and projects.

• Understand the overall organization setup flow in Get started with Trusted Cloud.

Before you begin

Before you configure a new Trusted Cloud by S3NS organization for the first time, you're provided with a temporary ID from a special Trusted Cloud IdP, known as your bootstrap ID, along with instructions for signing in. You need this ID to complete the setup steps in this guide.

Procedure overview

The following primary steps are involved in setting up your IdP:

1. Sign in with your bootstrap ID to get initial administrator access to Trusted Cloud by S3NS and the Trusted Cloud console. You'll do all the setup steps in this guide by using the Trusted Cloud console.
2. Grant your bootstrap ID permissions so that you can configure Workforce Identity Federation.
3. Configure Workforce Identity Federation to get identity information from your chosen IdP(s).
4. Create a new Organization Administrator with an ID from your IdP (your own or a group to which you belong), so that you can sign in and manage Trusted Cloud by S3NS without using your bootstrap ID.
5. Sign out and sign back in again with your newly configured administrator ID.

Sign in with your bootstrap ID

Sign in to Trusted Cloud with your bootstrap ID:

• Follow the instructions provided with your bootstrap ID to sign in to Trusted Cloud. You should now have access to the Trusted Cloud console to complete the remaining steps in this guide.

Grant permissions to your bootstrap ID

Your bootstrap ID by default is the administrator of your organization, but has no other permissions. To grant the necessary permissions to this ID to configure Workforce Identity Federation, do the following:

1. In the Trusted Cloud console, navigate to the IAM & Admin page:

   Go to IAM & admin

   The IAM & Admin page displays all the permissions for your organization, and the identities (principals) to which they have been granted. You should see only a single principal (your bootstrap ID) with the Organization Administrator role.
2. Click Edit principal edit next to your ID.
3. In the Edit permissions pane, select Add another role.
4. In the Select a role drop-down, search for and select IAM Workforce Pool Admin.
5. Click Save.

You might need to wait a few minutes before the role is assigned to your ID.

Configure Workforce Identity Federation

Now that your bootstrap ID is authorized to configure Workforce Identity Federation, you can add an identity provider (or providers) to your organization. To do this you first need to create a workforce identity pool that can be used across your organization, and then configure the pool to use your provider(s). You can learn more about how Workforce Identity Federation works in the Workforce Identity Federation documentation.

1. In the Trusted Cloud console, navigate to IAM > Workforce Identity Federation:

   Go to Workforce Identity Federation

   You should be prompted to create a new workforce identity pool.
2. Follow the Console instructions in Configure Workforce Identity Federation to add your workforce identity pool and IdP. Depending on your chosen IdP, you might want to look at our provider-specific guides for common IdPs, for example Microsoft Entra ID and Okta.

You must set the optional google.posix_username attribute mapping while setting up your provider, as in the following example. This is because this attribute mapping is required for SSH to work.

google.subject = assertion.subject
google.posix_username = assertion.attributes['username']
google.groups = assertion.attributes['groups']

Set an Organization Administrator

Next you need to specify a new Organization Administrator using an ID from your configured IdP (for example, your existing user ID). You should also grant this ID permission to manage Workforce Identity Federation. After you have done this, you no longer need to use the bootstrap ID to sign into and manage Trusted Cloud.

To set a new Organization Administrator:

1. In the Trusted Cloud console, navigate back to the main IAM & Admin page:

   Go to IAM & admin

2. Click person_add Grant access to add a new principal.

3. In the New principal field, specify your user ID in the following format:

   principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/USERNAME
   

   Replace the following:

   • POOL_ID: the unique identifier for your workload identity pool.
   • USERNAME: your user ID.

   Alternatively, if you want to specify a group instead of a single user, use the following format:

   principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_EMAIL
   

4. In the Role drop-down, search for and select Organization Administrator.

5. Click Add another role.

6. In the Role drop-down, search for and select IAM Workforce Pool Admin.

7. Click Save.

You can learn more about the different types of entities and groups in your IdP that can be represented as IAM principals in Principal identifiers.

Sign in with your administrator ID

Finally, sign out of Trusted Cloud, then sign back in using your newly-configured administrator ID from your IdP.

What's next

1. Set up the Google Cloud CLI with your administrator ID: you'll use it to verify the other setup steps in Set up your organization, as well as performing many other common tasks from the command line. For instructions, see Set up the Google Cloud CLI for Trusted Cloud.

2. Continue to Set up your organization.