Workforce Identity Provider

WorkforceIdentityProvider

Defines the high-level intent for integrating external workforce identity systems.

Establishes a federated trust boundary natively connecting external Identity Providers (e.g., Google Workspace, Microsoft Entra ID) to the platform using SAML or OIDC protocols. Facilitates seamless Single Sign-On (SSO) experiences while strictly enforcing mapped attribute-based access controls across organizational environments.

Property	Type	Description
apiVersion	string
kind	string
metadata	map
spec	Spec

Spec

Contains the user-defined configuration for the workforce identity provider (SAML or OIDC). Encapsulates configuration parameters for protocol-specific bindings, attribute mapping permutations, and conditional access assertion policies.

Property	Type	Description
description	string	This description is optional but will drastically improve the understand of the AI assistant about the structural elements of the organization
disabled	bool	If true, this workforce identity provider configuration will be disabled.
attributeMapping	list of AttributeMappingEntry	A map of attributes from the identity provider to Google Cloud attributes.
attributeCondition	string	A CEL expression that must evaluate to true for an identity to be authenticated.
expireTime	string	The time at which the workforce pool provider will expire, in RFC3339 format.
saml	Saml	Configuration for a SAML-based workforce identity provider.
oidc	Oidc	Configuration for an OIDC-based workforce identity provider.

AttributeMappingEntry

Property	Type	Description
key	string
value	string

Oidc

Property	Type	Description
issuerUri	string	The OIDC issuer URI.
clientId	string	The OIDC client StateID.
webSsoConfig	WebSsoConfig
jwksJson	string	The JSON Web Key Set (JWKS) document for the OIDC provider.

WebSsoConfig

Property	Type	Description
responseType	string
assertionClaimsBehavior	string
additionalScopes	list of string

Saml

Property	Type	Description
idpMetadataXml	string	The SAML IdP metadata XML document.