Stay organized with collectionsSave and categorize content based on your preferences.
Configure the identity provider of your choice
This document is for platform administrators who are responsible for setting up
and managing identity within your organization. If you're a cluster administrator or application
operator, ask your platform administrator to complete the setup described
here before you configure individual clusters or use the fleet setup.
Before you begin
If you want cluster administrators to provide authentication access using the
fully qualified domain name (FQDN) of the cluster's Kubernetes API server
(recommended), do the following. Otherwise, you can skip ahead toconfiguring your identity provider. You can learn more about user
authentication methods inSet up an authentication method for user access.
Configure your domain name service (DNS) to resolve your chosen fully qualified domain name to the cluster's control plane VIPs (virtual IP addresses). Users can access the cluster using this domain name.
Use a Server Name Indication (SNI) certificate issued by your trusted enterprise Certificate Authority (CA). This certificate specifically mentions your FQDN as a valid domain, eliminating potential certificate warnings for users. You can provide the SNI certificate during cluster creation. For more information on specifying SNI certificates, seeSNI certificate authentication.
If SNI certificates are not feasible, cluster administrators need to configure
all user devices to trust the cluster-CA certificate. This avoids certificate
warnings but requires distributing the cluster-CA certificate to all users.
The configuration of GKE Identity Service depends on the identity
provider you choose to use. To get started, choose the appropriate provider you want to configure:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Configure the identity provider of your choice\n==============================================\n\nThis document is for platform administrators who are responsible for setting up\nand managing identity within your organization. If you're a cluster administrator or application\noperator, ask your platform administrator to complete the setup described\nhere before you configure individual clusters or use the fleet setup.\n\nBefore you begin\n----------------\n\nIf you want cluster administrators to provide authentication access using the\nfully qualified domain name (FQDN) of the cluster's Kubernetes API server\n(recommended), do the following. Otherwise, you can skip ahead to\n[configuring your identity provider](#configidp). You can learn more about user\nauthentication methods in [Set up an authentication method for user access](/kubernetes-engine/enterprise/identity/setup/user-access).\n\n- Configure your domain name service (DNS) to resolve your chosen fully qualified domain name to the cluster's control plane VIPs (virtual IP addresses). Users can access the cluster using this domain name.\n- Use a Server Name Indication (SNI) certificate issued by your trusted enterprise Certificate Authority (CA). This certificate specifically mentions your FQDN as a valid domain, eliminating potential certificate warnings for users. You can provide the SNI certificate during cluster creation. For more information on specifying SNI certificates, see [SNI certificate authentication](/anthos/clusters/docs/on-prem/latest/how-to/user-cluster-configuration-file#authentication-sni-section).\n- If SNI certificates are not feasible, cluster administrators need to configure all user devices to trust the cluster-CA certificate. This avoids certificate warnings but requires distributing the cluster-CA certificate to all users.\n\nFor more information on user login access using these certificates, see [Authenticate using FQDN access](/kubernetes-engine/enterprise/identity/setup/user-access#alternativeuserloginaccess).\n\nConfigure the identity provider\n-------------------------------\n\nThe configuration of GKE Identity Service depends on the identity\nprovider you choose to use. To get started, choose the appropriate provider you want to configure:\n\n- [Configure OIDC providers](/kubernetes-engine/enterprise/identity/setup/provider)\n- [Configure SAML providers](/kubernetes-engine/enterprise/identity/setup/saml-provider)\n- [Configure LDAP providers](/kubernetes-engine/enterprise/identity/setup/provider-ldap)"]]
