Configure GCP as IdP
This article describes how to set up Google Cloud Platform (GCP) as an Identity Provider (IdP). The resulting ID token (a JWT), Google's public key, and the issuer value are what you need to create a CRDP application on the CipherTrust Manager with JWT verification enabled.
Requirements
An active Google account
Access to the Google console
Once these requirements are met, follow the steps below:
1. Creating the Client Credentials on GCP
Search for APIs & Services on the Google console page.
Click Credentials on the left navigation pane to create the web client credentials.
Click + CREATE CREDENTIALS and select the OAuth client ID option to create the OAuth 2.0 client ID.
Provide a name for the OAuth 2.0 client. This name only identifies the client in the console.
Add http://localhost (or any URI you control) to the Authorized redirect URIs and click Save. The redirect URI must match, character for character, the redirect_uri passed in the authorization and token requests below. Note the client ID and client secret shown after saving; the client secret must be kept confidential.
2. Creating the JWT Token
The JWT can be obtained using Cloud Shell, the curl utility, or Postman. The three procedures follow.
Activate the GCP Cloud Shell by clicking the Cloud Shell button in the top right corner.
Run the following command in the Cloud Shell console and authorize the prompt:
gcloud auth print-identity-token
The command prints the ID token (a JWT) for the account currently active in gcloud.
Open the following URL in a browser, substituting the values of client_id and redirect_uri from step 1:
https://accounts.google.com/o/oauth2/v2/auth?client_id=<client_id>&redirect_uri=<URI>&response_type=code&scope=https://www.googleapis.com/auth/userinfo.profile&access_type=offline
Select the Google account and click Continue to grant the requested permission. The browser is then redirected to redirect_uri with a code parameter in the query string (if nothing is listening on http://localhost the page fails to load, but the code is still visible in the address bar).
Copy the value of the code parameter and substitute it into the following curl command together with client_id, client_secret, and redirect_uri. The code is single-use and expires quickly, so exchange it right away:
curl --request POST --data "code=<code>&scope=profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&client_id=<client_id>&client_secret=<secret>&redirect_uri=<URI>&grant_type=authorization_code" https://oauth2.googleapis.com/token
Running the curl command returns a response like the following (token values shortened; treat the access_token and refresh_token as secrets):
{
  "access_token": "ya29.a0AXooCgtYo4kqzUfCJlv2uzYbLyizUlDx5hiq...",
  "expires_in": 3599,
  "refresh_token": "1//09zNnjf0TAT7-CgYIARAAGAkSNwF-L9IrPlxjyEcM...",
  "scope": "https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFjM2UzZTU1ODExMWM3YzdhNzVjNWI2NTEzNGQyMmY2M2VlMDA2ZDAiLCJ0eXAiOiJKV1QifQ...."
}
The id_token is the JWT used in the rest of this article.
Open the Postman app and click New Request.
Select the request type POST and enter the request URL.
In the Authorization section, select the Type OAuth 2.0 and set Add authorization data to to Request URL.
Fill in the fields of the Configure New Token section (Grant Type Authorization Code, the authorization URL https://accounts.google.com/o/oauth2/v2/auth, the Access Token URL https://oauth2.googleapis.com/token, and the Client ID, Client Secret, and Scope from step 1) and click Get New Access Token.
A dialog window Authentication complete appears for a few seconds and disappears automatically, showing the token details.
Copy the id_token and use it as the bearer token.
3. Fetching the Public Key
Go to https://www.googleapis.com/oauth2/v3/certs (the jwks_uri published in Google's OpenID discovery document) to get Google's public keys in JWK format.
The endpoint returns a set of JWKs. Find the kid in the header of your JWT by base64url-decoding its first segment (in the example response above, the header decodes to {"alg":"RS256","kid":"ac3e3e558111c7c7a75c5b65134d22f63ee006d0","typ":"JWT"}) and copy the JWK whose kid matches. Google rotates these keys regularly, so the public key configured for CRDP needs to be refreshed once new tokens carry a kid that no longer matches it.
Convert the JWK to PEM format. The JWK contains only public values (n and e), so an online JWK-to-PEM converter can be used, although a local tool avoids depending on a third-party site.
You now have the public key to specify when creating the CRDP application on the CipherTrust Manager.
4. Obtaining the Issuer
Go to https://accounts.google.com/.well-known/openid-configuration to obtain the issuer. Here, accounts.google.com is the issuer used in the CRDP application. Google documents that the iss claim of an ID token is either https://accounts.google.com or accounts.google.com, so check which form your tokens carry (decode the JWT payload) and configure the issuer in CRDP to match exactly.
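The following script is added here as an example; it is not part of the CipherTrust documentation or of the CRDP product. It performs steps 3 and 4 offline with the Python standard library only: jwk_to_pem converts a Google RSA JWK into the PEM form the CRDP application takes, and verify_google_id_token checks a token the way a JWT verifier such as CRDP must, selecting the key by kid, refusing any alg other than RS256, verifying the RS256 signature, and checking iss (both documented Google forms), aud, and exp. So that it runs without network access, it generates a throwaway RSA key and signs a constructed test token with it instead of fetching Google's keys; the kid and client ID used in the test data are placeholders, not real identifiers.

```python
"""Offline checks for a Google id_token (stdlib only, Python 3.8+): select the JWK by kid,
verify RS256, then check iss, aud and exp as a JWT verifier such as CRDP must."""
import base64, hashlib, hmac, json, secrets, time

ACCEPTED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}  # both documented by Google
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 section 9.2

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _der_len(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    body = b"\x00" + body if body[0] & 0x80 else body  # DER INTEGER is signed: keep it positive
    return b"\x02" + _der_len(len(body)) + body

def _der_seq(*parts: bytes) -> bytes:
    return b"\x30" + _der_len(len(b"".join(parts))) + b"".join(parts)

def jwk_to_pem(jwk: dict) -> str:
    """RSA JWK (n, e) -> SubjectPublicKeyInfo PEM, the form the CRDP application takes."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = _der_seq(_der_int(n), _der_int(e))
    alg_id = _der_seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")  # rsaEncryption OID, NULL
    spki = _der_seq(alg_id, b"\x03" + _der_len(len(rsa_public_key) + 1) + b"\x00" + rsa_public_key)
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n: int, e: int, signing_input: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k: return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(signing_input, k))

def verify_google_id_token(token: str, jwks: dict, client_id: str, now=None) -> dict:
    """Return the claims if alg, kid, signature, iss, aud and exp all check out; else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # the token never gets to choose the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:  # Google rotates keys: refetch the JWK set before giving up
        raise ValueError(f"no JWK with kid {header.get('kid')!r}")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(n, e, f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        raise ValueError(f"token issued for another client: {claims.get('aud')!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Throwaway RSA key and signer so the example runs offline: constructed test data that stands in
# for Google's signing key (Google signs real id_tokens). Never use a key made this way for real.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin, for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd and exactly `bits` long
        if _is_probable_prime(candidate): return candidate

def make_test_key(bits: int = 1024) -> tuple:
    e = 65537
    while True:  # retry until n is exactly `bits` long and gcd(e, phi) == 1 (e is prime)
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def make_test_token(claims: dict, kid: str, n: int, d: int) -> str:
    header_b64 = b64url_encode(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode(), k), "big")
    return f"{header_b64}.{payload_b64}.{b64url_encode(pow(em, d, n).to_bytes(k, 'big'))}"
```

To use it against a real token, fetch the JWK set from https://www.googleapis.com/oauth2/v3/certs, pass it as jwks, and pass as client_id the OAuth client ID the token was issued to (for a token from the curl or Postman procedure, the client created in step 1); the aud check is what stops a token minted for some other application from being accepted. The DER encoding in jwk_to_pem is the same SubjectPublicKeyInfo structure that the online converters emit, so its output can be pasted into the CRDP application unchanged.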
5. Calling the CRDP API
A CRDP application with JWT verification enabled must exist on the CipherTrust Manager, with the Google public key and issuer from steps 3 and 4 specified.
A protection policy, an access policy, and user sets must also be created before calling the CRDP API.
In Postman, go to the Authorization tab, select the Type Bearer Token, and paste the id_token obtained in step 2.
Send the CRDP API request to get the response.
Note
The client_credentials grant type is not supported in GCP. GCP can issue access tokens (opaque strings, such as the access_token in the response above) for authenticating to Google APIs, but CRDP cannot verify tokens of this type.
Only the identity token (id_token), a JWT that CRDP verifies with the Google public key, can be used.