Stay organized with collectionsSave and categorize content based on your preferences.
Configure SAML providers for GKE Identity Service
This document is forplatform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosenSecurity Assertion Markup Language (SAML)identity provider for GKE Identity Service.
Register GKE Identity Service with your provider
To register GKE Identity Service for the identity provider, you need the following information:
EntityID- This is a unique identifier that represents the GKE Identity Service for the provider. This is derived from the URL of the API server. For example, if theAPISERVER-URLishttps://cluster.company.com, then theEntityIDshould behttps://cluster.company.com:11001. Note that the URL has no trailing slashes.
AssertionConsumerServiceURL- This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if theAPISERVER-URLishttps://cluster.company.com, then theAssertionConsumerServiceURLshould behttps://cluster.company.com:11001/saml-callback.
Provider setup information
This section provides additional provider-specific information for registering GKE Identity Service.
If your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions.
Azure AD
If you haven't done so already,Set up a tenanton Azure Active Directory.
Review theAttributes & Claimssection to add any new attributes.
UnderSAML Certificates, clickCertificate (Base64)to download the identity provider certificate.
UnderSet up appsection, copy theLogin URLandAzure AD identifier.
Set SAML assertion lifespan
For enhanced security, configure your SAML provider to issue assertions with a
short lifespan, such as 10 minutes. This setting is configurable within your
SAML provider's settings.
Setting the lifespan to less than 5 minutes might cause login issues if the
clocks between GKE Identity Service and your SAML provider aren't
synchronized.
Share provider details
At the time of registering the provider, you must share the following information with your cluster administrator. These details are obtained from the provider metadata and required at the time of configuring GKE Identity Service with SAML.
idpEntityID- This the unique identifier for the identity provider. It corresponds to the URL of the provider and is also calledAzure AD identifier.
idpSingleSignOnURL- This is the endpoint to which the user is redirected for sign up. This is also called theLogin URL.
idpCertificateDataList- This is the public certificate used by the identity provider for SAML assertion verification.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Configure SAML providers for GKE Identity Service\n=================================================\n\nThis document is for **platform administrators** , or whoever manages identity setup in your organization. It explains how to configure your chosen [Security Assertion Markup Language (SAML)](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) identity provider for GKE Identity Service.\n\nRegister GKE Identity Service with your provider\n------------------------------------------------\n\nTo register GKE Identity Service for the identity provider, you need the following information:\n\n- `EntityID` - This is a unique identifier that represents the GKE Identity Service for the provider. This is derived from the URL of the API server. For example, if the \u003cvar translate=\"no\"\u003eAPISERVER-URL\u003c/var\u003e is `https://cluster.company.com`, then the `EntityID` should be `https://cluster.company.com:11001`. Note that the URL has no trailing slashes.\n- `AssertionConsumerServiceURL` - This is the callback URL on GKE Identity Service. The response is forwarded to this URL after the provider authenticates the user. For example, if the \u003cvar translate=\"no\"\u003eAPISERVER-URL\u003c/var\u003e is `https://cluster.company.com`, then the `AssertionConsumerServiceURL` should be `https://cluster.company.com:11001/saml-callback`.\n\nProvider setup information\n--------------------------\n\nThis section provides additional provider-specific information for registering GKE Identity Service.\nIf your provider is listed here, register GKE Identity Service with your provider as a client application using the following instructions. \n\n### Azure AD\n\n1. If you haven't done so already, [Set up a tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) on Azure Active Directory.\n2. [Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).\n3. Open the [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) page on the Azure Portal and select your application by name.\n4. Under **Manage** , select **Authentication** settings.\n5. Under **Platform Configurations** , select **Enterprise Applications**.\n6. In the **Set up Single Sign-On with SAML** , edit the **Basic SAML Configuration**.\n7. Under **Identifier (Entity ID)** section, select **Add Identifier**.\n8. Enter the *EntityID* and *Reply URL* that you derived from [Registering GKE Identity Service with your provider](#registersamlprovider)\n9. Click **Save** to save these settings.\n10. Review the **Attributes \\& Claims** section to add any new attributes.\n11. Under **SAML Certificates** , click **Certificate (Base64)** to download the identity provider certificate.\n12. Under **Set up app** section, copy the *Login URL* and *Azure AD identifier*.\n\n### Set SAML assertion lifespan\n\nFor enhanced security, configure your SAML provider to issue assertions with a\nshort lifespan, such as 10 minutes. This setting is configurable within your\nSAML provider's settings.\n\nSetting the lifespan to less than 5 minutes might cause login issues if the\nclocks between GKE Identity Service and your SAML provider aren't\nsynchronized.\n\nShare provider details\n----------------------\n\nAt the time of registering the provider, you must share the following information with your cluster administrator. These details are obtained from the provider metadata and required at the time of configuring GKE Identity Service with SAML.\n\n- `idpEntityID` - This the unique identifier for the identity provider. It corresponds to the URL of the provider and is also called *Azure AD identifier*.\n- `idpSingleSignOnURL` - This is the endpoint to which the user is redirected for sign up. This is also called the *Login URL*.\n- `idpCertificateDataList`- This is the public certificate used by the identity provider for SAML assertion verification.\n\nWhat's next\n-----------\n\nYour cluster administrator can set up GKE Identity Service for [individual clusters](/kubernetes-engine/enterprise/identity/setup/saml-per-cluster) or a [fleet](/kubernetes-engine/enterprise/identity/setup/fleet)."]]
