Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Configure CRDP with identity providers

Configure GCP as IdP

search

Please Note:

printsuggest an edit

Configure GCP as IdP

This article provides the steps required to set up Google Cloud Platform (GCP) as Identity Provider (IdP), which would be helpful in creating CRDP application on the CipherTrust Manager with JWT verification enabled.

copy link to clipboardRequirements

After these requirements are fulfilled, follow the steps given below:

  1. Creating the Client Credentials on GCP

  2. Creating the JWT Token

  3. Fetching the Public Key

  4. Obtaining the Issuer

  5. Calling the CRDP API

copy link to clipboard1. Creating the Client Credentials on GCP

  1. Search APIs & Services on the Google console page.

  2. Click Credentials on the left navigation pane to create the web client credentials.

  3. Click + CREATE CREDENTIALS and select the OAuth client ID option to create the OAuth 2.0 client ID.

  4. Provide the name of OAuth 2.0 client. This name is used to identify the client on console.

  5. Add http://localhost or any URI in the Authorized redirect URIs and click Save.

copy link to clipboard2. Creating the JWT Token

The JWT token can be created using Cloud Shell, Curl Utility, and Postman. Click the desired tab for details.

  1. Activate the GCP Cloud Shell by clicking the highlighted button on the tog right corner.

  2. Type the gcloud auth print-identity-token command on the cloud shell console and authorize the prompt.

  1. Open the below URL on the browser by adding the value for client_id and redirect_uri.

    https://accounts.google.com/o/oauth2/v2/auth?client_id=<client_id>&redirect_uri=<URI>&response_type=code&scope=https://www.googleapis.com/auth/userinfo.profile&access_type=offline

    Select the Google account and click Continue to provide the authorize permission.

  2. In the response, select the code part and enter it in the below URL along with client_id, client_secret, and redirect_uri.

    curl --request POST --data "code=<code>&scope=profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&client_id=<client_id>&client_secret=<secret>&redirect_uri=<URI>&grant_type=authorization_code" https://oauth2.googleapis.com/token

  3. Run the above curl command and you will get the response as shown below:

    {
  "access_token": "ya29.a0AXooCgtYo4kqzUfCJlv2uzYbLyizUlDx5hiq_c1t4x-QNU1LyhTK_LEj8GZqJN-koU6OriAclPVzq8xeTJmg63baz2g8BkES5CMfMBuBnBMh10h_tl752bcBXv7WC2kzDXOuKhlvcMvl_5hgaccvxNUcqcLgoKzvBj_caCgYKARESARASFQHGX2MixO2DX8lG3wds7NaxFL3fxQ0171",
  "expires_in": 3599,
  "refresh_token": "1//09zNnjf0TAT7-CgYIARAAGAkSNwF-L9IrPlxjyEcM_NVlRoDSfFofYygkrAa4BBz5bhg01rc-bdkOIe3_wet6OClbEMDz9iOoQgg",
  "scope": "https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImFjM2UzZTU1ODExMWM3YzdhNzVjNWI2NTEzNGQyMmY2M2VlMDA2ZDAiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIxMTkzMjI5MDMwNS1ycDRudjIxbGdrZGR0ZmRhcDhxYWlmMmMxYjNlNm1oMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjExOTMyMjkwMzA1LXJwNG52MjFsZ2tkZHRmZGFwOHFhaWYyYzFiM2U2bWgwLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTE2MzI1NDcxNTI0OTYxMjIxOTY2IiwiYXRfaGFzaCI6Im1ZbXQyTE05ckJaQ2Y1clVXVmZDYlEiLCJuYW1lIjoidmluZXkgc2luZ2FsIiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0tuQjU2eFU0X0hUemNBYTNHYWFrcXJpcUNDNEcwaWotV0lPb1ZSYkFVRUFtdWZJeml2PXM5Ni1jIiwiZ2l2ZW5fbmFtZSI6InZpbmV5IiwiZmFtaWx5X25hbWUiOiJzaW5nYWwiLCJpYXQiOjE3MTUzMzM0MjUsImV4cCI6MTcxNTMzNzAyNX0.E079NCMQpBqIdqWyYXj1b9pBlDGbm-MsUke5-FMnhk3nqsAbJCzoFfOQkRO5ijSluTa3SrMhWVH0n-2V7i3sLihGO2WOR3PLh2wiZ15og43eOFTP4_Lkbpp-8M6RcHFbTTd6hNmKH3_bXM6IWHZEJ7B_uERZJFhkXfnNmj_G6L-StwDHOFot1vTLRsxSbqzolMKrM4yqdPKLa-e9YVWK4nkhnuVd4FPDoIGp7mGStJ21N5C7PuxCsr8z-dG9YChsCEd3K6C68pLQGid_6HzUi_07U5fFAkW254Lt148oPOk_LRwfbmgoAIRd7tP1ZBACT_ovEbVB0j2S6uYMHEYO3g"
}

  1. Open the Postman app and click New Request.

  2. Select the Request Type as Post and add this URL in the Request URL.

  3. In the Authorization section, select the Type as OAuth 2.0 and Add authorization data to as Request URL.

  4. Fill the necessary fields in the Configure New Token section as shown below and click Get New Access Token.

    A dialog window Authentication complete appears for a few seconds and disappears automatically to show the below window:

  5. Copy the id_token and use it in the bearer token.

copy link to clipboard3. Fetching the Public Key

  1. Go to this link to get the JWK for the public key.

  2. You will get a set of JWKs, copy JWK key, whose kid is used to sign the JWT.

  3. Convert the JWK to PEM format. You can use this online tool for converting the JWK to PEM format.

    Now, you have obtained the public key, which can be used while creating CRDP application on the CipherTrust Manager.

copy link to clipboard4. Obtaining the Issuer

Go to this link to obtain the issuer. Here, accounts.google.com is the issuer, which can be used in CRDP application.

copy link to clipboard5. Calling the CRDP API

  1. One CRDP application with JWT verification enabled should be created on the CipherTrust Manager with the Google public key and issuer specified.

  2. Protection policy, access policy, and user sets should be created before calling the CRDP API.

  3. Go to the Authorization tab and select the Type as Bearer Token.

  4. Hit the CRDP API to get the response.

Note

  • The client_credentials grant type is not supported in GCP.

  • You can create the access tokens (opaque string of characters) in GCP, which you can use to authenticate the Google APIs. This type of token verification is not supported in CRDP.

  • You can use only identity JWT token, which can be verified by CRDP using the Google public key.

On this page