{"id":21354977,"url":"https://github.com/salrashid123/workforce-federation","last_synced_at":"2025-03-16T05:23:33.968Z","repository":{"id":91310219,"uuid":"529300704","full_name":"salrashid123/workforce-federation","owner":"salrashid123","description":"Simple demo of GCP WorkForce Federation with SAML","archived":false,"fork":false,"pushed_at":"2023-05-31T20:13:53.000Z","size":671,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-22T17:47:12.703Z","etag":null,"topics":["authentication","federation","google-cloud","google-cloud-platform","login"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-26T14:58:50.000Z","updated_at":"2023-06-24T18:52:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"eeb5de33-3022-4a77-9773-f35c982ddf2e","html_url":"https://github.com/salrashid123/workforce-federation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fworkforce-federation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fworkforce-federation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Fworkforce-federation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid1
23%2Fworkforce-federation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/workforce-federation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243828625,"owners_count":20354533,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","federation","google-cloud","google-cloud-platform","login"],"created_at":"2024-11-22T04:15:30.303Z","updated_at":"2025-03-16T05:23:33.960Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Using Google Cloud Workforce Identity Federation with SAML\n\nA sample demo of using GCP [WorkForce Identity Federation](https://cloud.google.com/iam/docs/workforce-identity-federation) with a local `SAML IDP server`.\n\n`Workforce Identity Federation` allows you to manage GCP resources through the `gcloud` CLI or the `Google Cloud Console` using your own SSO system and Identity Provider. While you can import, map and synchronize the users in your own `Active Directory`, `SAML` or `OIDC` based identity provider into [Google Cloud Identity](https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts), you still need to synchronize users, groups and what not.\n\nWith Work**Force** Identity, you still retain your users in your IDP, but instead of synchronizing users, you map and federate login and access to GCP resources.  
In this mode, you still use your own SSO system, but access to the resource goes through a federated identity binding.\n\nNote, this is about _WorkForce_ Federation (users). [_WorkLoad_ Federation](https://cloud.google.com/iam/docs/workload-identity-federation) is more about services accessing GCP resources. WorkForce operates at the organization level while WorkLoad is at the project level.\n\n\n\u003e\u003e The sample SSO servers here are NOT supported by Google! Use them only in non-prod, and even then just to test; remember to remove the configuration.\n\nWhat this article shows is a trivial WorkForce Federation configuration using a standalone SAML SSO IDP server I wrote maybe 10 years ago.\n\nIn this flow, we will configure your cloud organization to accept your own IDP that is running locally and access GCP through `gcloud` and the `Cloud Console`.\n\nFor example, you can map your user to a `principal://` (user) or use group claims to map to a group `principalSet://`.\n\nSo a mapped user\n\n `alice@domain.com` -\u003e `principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com`\n\ncan then be bound to a GCP resource's IAM policy:\n\n```bash\ngcloud projects add-iam-policy-binding  $PROJECT_ID   \\\n    --member='principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com' \\\n\t--role='roles/pubsub.viewer'\n```\n\n\nYou'll need access to a cloud org to create the configuration...\n\n\u003e\u003e\u003e **NOTE** I do NOT really expect you to configure this end-to-end using a demo SSO provider here with the built-in certificates.  While you can follow this end-to-end, at least generate your own certificates (e.g., `server.crt` and `server.key`, and then use that public cert in the `idp_metadata.xml` file).  
Once you are done, I would recommend immediately disabling the configuration...\n\n\n---\n\n### References\n\n`Workload Identity`\n  * [GCP Workload Identity Federation using SAML](https://blog.salrashid.dev/articles/2022/gcpcompat-saml/)\n  * [Understanding workload identity federation](https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/)\n  * [Create Root CA Key and cert](https://github.com/salrashid123/ca_scratchpad)\n\n---\n\n\n### Setup\n\n\nTo set this up, you need to be a domain admin and pick a project where we will access resources:\n\n\n```bash\ngcloud config set account admin@yourdomain.com\ngcloud config set project host_project_id\n\nexport GCLOUD_USER=`gcloud config get-value core/account`\nexport PROJECT_ID=`gcloud config get-value core/project`\nexport PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`\n\n\n$ gcloud organizations list\n    DISPLAY_NAME               ID  DIRECTORY_CUSTOMER_ID\n    yourdomain.com  673208781234              C023zw3bc\n\n# if your org id is 673208781234\nexport POOL_ID=wfpool-saml\nexport PROVIDER_ID=wfprovider-saml\nexport LOCATION=global\nexport BILLING_PROJECT_ID=$PROJECT_ID\nexport ORGANIZATION_ID=673208781234\n\ngcloud config set billing/quota_project $BILLING_PROJECT_ID\n\ngcloud organizations add-iam-policy-binding $ORGANIZATION_ID \\\n    --member \"user:$GCLOUD_USER\" --role roles/iam.workforcePoolAdmin\n```\n\n\n### Configure the SAML provider\n\nThe SAML IDP server we will use here will run locally with Docker:\n\n* [UI SAML SSO Server](https://github.com/salrashid123/googlapps-sso):  \n  this SSO server uses a UI login screen.  We will use this for the Console access redirect.\n* [CLI SAML SSO Server](https://github.com/salrashid123/gcpcompat-saml): \n  this SSO server is purely command line and \"just issues\" a SAML Assertion for you automatically.  \n  Simulates some other external process \"just creating\" a SAML assertion which will get written to a file.\n  This is used by `gcloud`.  You can of course use the GUI login and then \"copy and paste\" the encoded assertion into the file.\n\nWe will be using the same `idp_metadata.xml` file with the same certificate here for simplicity.\n\n\nSo first get both:\n\n```bash\ngit clone https://github.com/salrashid123/gcpcompat-saml\ngit clone https://github.com/salrashid123/googlapps-sso\n```\n\nEdit `/etc/hosts`:\n\n```\n127.0.0.1\tsso.idpdomain.com\n```\n\nNow create the pool and provider:\n\n```bash\ngcloud beta iam workforce-pools create $POOL_ID \\\n    --location=\"global\" --organization=$ORGANIZATION_ID  \\\n    --description=\"WorkForce Pool SAML\" \\\n    --display-name=\"WorkForce Pool SAML\" --billing-project=$BILLING_PROJECT_ID\n\n\ngcloud iam workforce-pools providers create-saml  $PROVIDER_ID \\\n   --location=global  \\\n   --workforce-pool  $POOL_ID \\\n   --display-name \"idp-us-employees-saml\" \\\n   --description \"IdP for Acme US employees SAML\" \\\n    --idp-metadata-path=\"idp_metadata.xml\" \\\n    --attribute-mapping=\"google.subject=assertion.subject,google.groups=assertion.attributes['mygroups']\"  \\\n\t--project $PROJECT_ID --billing-project=$BILLING_PROJECT_ID\n```\n\nCreate bindings for the `principal://` to some resources in a given project:\n\n```bash\ngcloud projects add-iam-policy-binding  $PROJECT_ID   \\\n    --member='principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com' \\\n\t--role='roles/pubsub.viewer'\n\ngcloud projects add-iam-policy-binding  $PROJECT_ID    \\\n    --member='principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com' \\\n\t--role='roles/storage.objectViewer'\n\n\ngcloud projects add-iam-policy-binding  $PROJECT_ID   \\\n    --member='principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com' 
\\\n\t--role='roles/serviceusage.serviceUsageConsumer'\n\n\ngcloud projects add-iam-policy-binding  $PROJECT_ID  \\\n     --member='principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com'  \\\n\t --role='roles/viewer'\n```\n\n#### Start Console IDP\n\nNow start the IDP Docker container:\n\n```bash\ncd googlapps-sso\n  docker run -t -p 28080:28080 \\\n    -v `pwd`:/app/:ro \\\n    --entrypoint=/app/saml_idp_gsuites.py \\\n    salrashid123/appssso \\\n    --debug  \\\n    --cert_file=/app/server.crt \\\n    --key_file=/app/server.key\n```\n\nGo to:\n\n* [https://auth.cloud.google/signin?continueUrl=https://console.cloud.google](https://auth.cloud.google/signin?continueUrl=https://console.cloud.google)\n\n\nand enter your provider `locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID`\n\n\n![images/login.png](images/login.png)\n\n\nOnce you enter that in, you should get redirected to the SSO login.  Enter `alice@domain.com` and you should see an interstitial page here\n\n![images/saml_post.png](images/saml_post.png)\n\n\nClick continue... you should be on a modified console where you can view resources on\n\n- `GCS`\n\n![images/gcs_federated.png](images/gcs_federated.png)\n\n\n- `BQ`\n\n![images/bq_federated.png](images/bq_federated.png)\n\n- `PubSub`\n\n![images/pubsub_audit_log.png](images/pubsub_audit_log.png)\n\n\nIf you enabled audit logs, you'll see access to the resources as the federated `principal://`\n\n![images/bq_audit_log.png](images/bq_audit_log.png)\n\n\n\n### gcloud CLI\n\nFor the gcloud CLI, we need some way to pump the SAML Assertion into a file or make it accessible via a website.\n\nIn our case, we'll pump it to a file, but you can certainly delegate it to an executable file on your workstation:\n\n\n```json\n{\n  \"type\": \"external_account\",\n  ...\n  ...\n  \"credential_source\": {\n    \"executable\": {\n      \"command\": \"/path/to/executable --arg1=value1 --arg2=value2\",\n      \"timeout_millis\": 5000,\n      \"output_file\": \"/path/to/cached/credentials\"\n    }\n  }\n}\n```\n\n\nSee [https://google.aip.dev/auth/4117](https://google.aip.dev/auth/4117) and the `--executable-command=` argument for the [gcloud cli](https://cloud.google.com/sdk/gcloud/reference/iam/workload-identity-pools/create-cred-config).\n\n\nAnyway, for now we'll just save the raw token to a readable file (which isn't realistic, but this is a demo and I don't want to write the executable).\n\n\n```bash\ncd gcpcompat-saml\nexport SAML_TOKEN=`docker run -t -v $PWD:/app/:ro     --entrypoint=/app/getsamlassertion.py     salrashid123/appssso     --debug      --cert_file=/app/server.crt     --key_file=/app/server.key --user=alice@domain.com  --audience=https://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID`\n\necho $SAML_TOKEN\n\necho -n $SAML_TOKEN \u003e /tmp/samlassertion.txt\n```\n\n\nNow create an ADC and gcloud config:\n\n```bash\ngcloud iam workforce-pools create-cred-config \\\n    locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID \\\n    --credential-source-file=\"/tmp/samlassertion.txt\" \\\n    --credential-source-type=text \\\n    --workforce-pool-user-project $BILLING_PROJECT_ID \\\n    --subject-token-type=urn:ietf:params:oauth:token-type:saml2 \\\n    --output-file=saml-creds.json\n```\n\nNow log in to the gcloud CLI:\n\n```bash\ngcloud auth login --cred-file=saml-creds.json\n```\n\nYou should see the `principal://` for this user and be able to access all the same resources as in the console:\n\n\n```bash\n$ gcloud pubsub topics list --billing-project=$BILLING_PROJECT_ID\n\n$ gcloud alpha bq  tables list --dataset=test --billing-project=$BILLING_PROJECT_ID\n```\n\n### curl\n\nIf you want to see the same STS flow using `curl`:\n\n```bash\ncurl -s https://sts.googleapis.com/v1/token \\\n--data-urlencode \"audience=//iam.googleapis.com/locations/$LOCATION/workforcePools/$POOL_ID/providers/$PROVIDER_ID\" \\\n--data-urlencode \"grant_type=urn:ietf:params:oauth:grant-type:token-exchange\" \\\n--data-urlencode \"requested_token_type=urn:ietf:params:oauth:token-type:access_token\" \\\n--data-urlencode \"scope=https://www.googleapis.com/auth/cloud-platform\" \\\n--data-urlencode \"subject_token_type=urn:ietf:params:oauth:token-type:saml2\" \\\n--data-urlencode \"subject_token=$SAML_TOKEN\"  \\\n--data-urlencode \"options={\\\"userProject\\\":\\\"$BILLING_PROJECT_ID\\\"}\"  | jq -r '.access_token'\n\n### enter the STS token returned into an env var\nexport STS_TOKEN=\"the_token\"\n```\n\nNow use the `STS_TOKEN` in GCP API calls:\n\n```bash\ncurl  -H \"X-Goog-User-Project: $PROJECT_NUMBER\"   -H \"Authorization: Bearer $STS_TOKEN\"    https://pubsub.googleapis.com/v1/projects/$PROJECT_ID/topics\n\ncurl  -H \"X-Goog-User-Project: $PROJECT_NUMBER\" \\\n  -H \"Authorization: Bearer $STS_TOKEN\" \\\n    https://bigquery.googleapis.com/bigquery/v2/projects/$PROJECT_ID/datasets/test/tables\n```\n\n\nYou can also access resources using `Application Default Credentials`:\n\n```bash\nexport GOOGLE_APPLICATION_CREDENTIALS=$PWD/saml-creds.json\n\n# with curl\ncurl  -H \"X-Goog-User-Project: $PROJECT_NUMBER\"  \\\n    -H \"Authorization: Bearer `gcloud auth application-default print-access-token`\"    https://pubsub.googleapis.com/v1/projects/$PROJECT_ID/topics\n\ncurl  -H \"X-Goog-User-Project: $PROJECT_NUMBER\"  \\\n   -H \"Authorization: Bearer `gcloud auth print-access-token`\"    https://pubsub.googleapis.com/v1/projects/$PROJECT_ID/topics\n\n# with cloud-sdk app; edit main.go and enter the projectID\ncd client/\ngo run main.go\n```\n\n---\n\n### Mapping Group Attributes\n\nThe default tutorial here maps just a single user over:\n\n `alice@domain.com` -\u003e `principal://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/subject/alice@domain.com`\n\nThe more efficient way is to map a SAML attribute that identifies the groups the user is in and then bind the IAM permission to the group 
label.\n\nFor this you can configure an [attribute mapping](https://cloud.google.com/iam/docs/configuring-workload-identity-federation#mappings-and-conditions) using a `principalSet://`.\n\n\nRemember we configured the provider with an attribute mapping:\n\n```\n    --attribute-mapping=\"google.subject=assertion.subject,google.groups=assertion.attributes['mygroups']\"\n```\n\n\nWhat that means is that Google will use the assertion's `Attribute` value for `mygroups` to extract/enumerate the group values:\n\n\n```xml\n\t\t\u003csaml:AttributeStatement\u003e\n\t\t\t\u003csaml:Attribute Name=\"mygroups\"\u003e\n\t\t\t\t\u003csaml:AttributeValue\u003essoappgroup\u003c/saml:AttributeValue\u003e\n\t\t\t\t\u003csaml:AttributeValue\u003egroup1_3\u003c/saml:AttributeValue\u003e\n\t\t\t\u003c/saml:Attribute\u003e\n\t\t\u003c/saml:AttributeStatement\u003e\n```\n\nMeaning that you can make a binding like this:\n\n```bash\ngsutil iam ch \\\n   principalSet://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/group/ssogroup:objectViewer \\\n    gs://$PROJECT_ID-bucket\n```\n\n### Enable/Disable\n\nIf you've made it this far, disable the config:\n\n```bash\ngcloud  iam workforce-pools providers update-saml  $PROVIDER_ID \\\n  --location=$LOCATION  --workforce-pool  $POOL_ID \\\n   --billing-project=$BILLING_PROJECT_ID --disabled\n\n gcloud beta iam workforce-pools  update   $POOL_ID \\\n     --location=\"global\"  --billing-project=$BILLING_PROJECT_ID --disabled\n\n### if you want to re-enable, use curl; the update via gcloud doesn't support the field mask\n\ncurl -X PATCH -H \"Authorization: Bearer `gcloud auth print-access-token`\" \\\n  -H \"X-Goog-User-Project: $BILLING_PROJECT_ID\" -d '{\"disabled\": false}'  \\\n   -H \"content-type: application/json\" \\\n    \"https://iam.googleapis.com/v1/locations/$LOCATION/workforcePools/$POOL_ID?alt=json\u0026updateMask=disabled\"\n\ncurl -X PATCH -H \"Authorization: Bearer `gcloud auth print-access-token`\" \\\n   -H \"X-Goog-User-Project: 
$BILLING_PROJECT_ID\" -d '{\"disabled\": false}'  \\\n    -H \"content-type: application/json\"  \\\n\t \"https://iam.googleapis.com/v1/locations/$LOCATION/workforcePools/$POOL_ID/providers/$PROVIDER_ID?alt=json\u0026updateMask=disabled\"\n```\n\nThat's it! I'm headed to a winery now.\n\n---\n\n### Appendix\n\n#### Sample SAML Assertion\n\n```xml\n\u003c?xml version=\"1.0\" ?\u003e\n\u003csamlp:Response Destination=\"https://auth.cloud.google/signin-callback/locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID\" ID=\"_3489c1e22804c977323419a535f36fa\" InResponseTo=\"_3ed7d72d358088134ec5efc0b7f4aef\" IssueInstant=\"2022-08-26T10:51:16Z\" Version=\"2.0\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\u003e\n\t\u003csaml:Issuer\u003eauthn.py\u003c/saml:Issuer\u003e\n\t\u003cds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"\u003e\n\t\t\u003cds:SignedInfo\u003e\n\t\t\t\u003cds:CanonicalizationMethod Algorithm=\"http://www.w3.org/TR/2001/REC-xml-c14n-20010315\"/\u003e\n\t\t\t\u003cds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/\u003e\n\t\t\t\u003cds:Reference URI=\"#_3489c1e22804c977323419a535f36fa\"\u003e\n\t\t\t\t\u003cds:Transforms\u003e\n\t\t\t\t\t\u003cds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/\u003e\n\t\t\t\t\u003c/ds:Transforms\u003e\n\t\t\t\t\u003cds:DigestMethod 
Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/\u003e\n\t\t\t\t\u003cds:DigestValue\u003eLpjk/OsP0nnAanjTLBGwOAJn6k8=\u003c/ds:DigestValue\u003e\n\t\t\t\u003c/ds:Reference\u003e\n\t\t\u003c/ds:SignedInfo\u003e\n\t\t\u003cds:SignatureValue\u003eXmpU6OIzuSPaPUcov9a1+9iJmZKCVcEi9Dz4zh6PrSK/Hnq+W0cSCl6d59XrBMtc\nvoZ+pel6aT0AtlTFEqJuQkgFZ1u95I/U+aNxTSZv83GLr56JoD0zA2QQysnO2SjE\nyLJcr/QWnyj3CqSVqt+dG/y1vmnRF71KFrcPGCI8cjGJd43khyri9mntEQqDlN3m\nRlzWK2El0lUvXdTGE5wealOkhSrB6JMpOhdscJ4N5mnA8UliBKCZb0adf6UJM2Mn\nzK01X5mPlxgbPW6An9AhVWHEE6pO6SWljSQnqR4DDrT4y815JbCRmULss4nHSPZy\nw+3cxtxcxCIEhXjXKlTWPg==\u003c/ds:SignatureValue\u003e\n\t\t\u003cds:KeyInfo\u003e\n\t\t\t\u003cds:X509Data\u003e\n\t\t\t\t\n\n\t\t\t\t\u003cds:X509Certificate\u003eMIIEPjCCAyagAwIBAgIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEP\nMA0GA1UECgwGR29vZ2xlMRMwEQYDVQQLDApFbnRlcnByaXNlMSIwIAYDVQQDDBlF\nbnRlcnByaXNlIFN1Ym9yZGluYXRlIENBMB4XDTIyMDEwOTIyMTAzNloXDTI3MDcw\nMjIyMTAzNlowUzELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkdvb2dsZTETMBEGA1UE\nCwwKRW50ZXJwcmlzZTEeMBwGA1UEAwwVc2VydmVyLnlvdXJkb21haW4uY29tMIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0PQuP452qvSZetyW/hqFIkg\nCCSc+6Ryw+rRPUIcVZIuibonJeSJe+TXPvonUEzAgpt858ji+FUsFVDsLmcX2yLF\nDO0AtV3JA04wbJb8bSujvVstzpVAvY/gIAADrs8gqybekgSnUxOtXlFeYmYjxdNF\nsx1qFqaE0nrRJzZIlarhaym38+Tta5+rJPlrZKOVoCgOqAYyQ5LH0/epEJh5U2Du\ng2aZRcdULdqORbftDqqliheG2atd/tCQxKxVHQrRnWmnyE0ZJEpnn9/faSX8vqtz\nZu/5Z4FUt5TcyB9dyKrvaKjGwM6ON+5QYsKI08FxlqQ/Uhp5PrRFni5TCmfJWQID\nAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgeAMAkGA1UdEwQCMAAwEwYDVR0lBAww\nCgYIKwYBBQUHAwEwHQYDVR0OBBYEFEmBqhsOJAb2CGD7SiVS0tnJbQNOMB8GA1Ud\nIwQYMBaAFLe6sAKh5740xsEFXGZ45btTXaFUMEQGCCsGAQUFBwEBBDgwNjA0Bggr\nBgEFBQcwAoYoaHR0cDovL3BraS5lc29kZW1vYXBwMi5jb20vY2EvdGxzLWNhLmNl\ncjA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vcGtpLmVzb2RlbW9hcHAyLmNvbS9j\nYS90bHMtY2EuY3JsMCAGA1UdEQQZMBeCFXNlcnZlci55b3VyZG9tYWluLmNvbTAN\nBgkqhkiG9w0BAQsFAAOCAQEAghT4lTRNTN95pVLFqvopmuOhxt+MJVzGeeIwOZCH\nIP2GOWzucuHqxyhlvDHtDmJSGB4tsC5EExZ+nThQdNiLB0QfMzj+OHUQHeA3RQp5\nN
gK3/Cvhzjd0zptC9X2pFC1vIRdvS+qGQMUbre0gZ01WCrd6p4WDRy8rblB9aW7J\nOVgo6zV+4yAgson4RYa70N7HlcWgwfYmlS6YhRNJKMJbjDSFj1aA8HkCoUQZlkES\nVT642mI/pwjL2U6eEyDVL0v+2yeDAsP4Jg+TdjNXumbLiWYIDUVa19Eqaz4LeXB+\nT1Y96kb1pfIDuUf92nSnoUmTn4cijwdub8WqlJXX9Q6RNw==\u003c/ds:X509Certificate\u003e\n\t\t\t\t\n\n\t\t\t\u003c/ds:X509Data\u003e\n\t\t\u003c/ds:KeyInfo\u003e\n\t\u003c/ds:Signature\u003e\n\t\u003csamlp:Status\u003e\n\t\t\u003csamlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/\u003e\n\t\u003c/samlp:Status\u003e\n\t\u003csaml:Assertion ID=\"_e0fbbfdc800f225dfad2e02007ec1db\" IssueInstant=\"2022-08-26T10:51:16Z\" Version=\"2.0\"\u003e\n\t\t\u003csaml:Issuer\u003eauthn.py\u003c/saml:Issuer\u003e\n\t\t\u003csaml:Subject\u003e\n\t\t\t\u003csaml:NameID\u003ealice@domain.com\u003c/saml:NameID\u003e\n\t\t\t\u003csaml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"\u003e\n\t\t\t\t\u003csaml:SubjectConfirmationData InResponseTo=\"_3ed7d72d358088134ec5efc0b7f4aef\" NotOnOrAfter=\"2022-08-26T11:41:16Z\" Recipient=\"https://auth.cloud.google/signin-callback/locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID\"/\u003e\n\t\t\t\u003c/saml:SubjectConfirmation\u003e\n\t\t\u003c/saml:Subject\u003e\n\t\t\u003csaml:Conditions NotBefore=\"2022-08-26T10:51:16Z\" NotOnOrAfter=\"2022-08-26T11:41:16Z\"\u003e\n\t\t\t\u003csaml:AudienceRestriction\u003e\n\t\t\t\t\u003csaml:Audience\u003ehttps://iam.googleapis.com/locations/global/workforcePools/$POOL_ID/providers/$PROVIDER_ID\u003c/saml:Audience\u003e\n\t\t\t\u003c/saml:AudienceRestriction\u003e\n\t\t\u003c/saml:Conditions\u003e\n\t\t\u003csaml:AuthnStatement AuthnInstant=\"2022-08-26T10:51:16Z\" 
SessionIndex=\"_e0fbbfdc800f225dfad2e02007ec1db\"\u003e\n\t\t\t\u003csaml:AuthnContext\u003e\n\t\t\t\t\u003csaml:AuthnContextClassRef\u003eurn:oasis:names:tc:SAML:2.0:ac:classes:Password\u003c/saml:AuthnContextClassRef\u003e\n\t\t\t\u003c/saml:AuthnContext\u003e\n\t\t\u003c/saml:AuthnStatement\u003e\n\t\t\u003csaml:AttributeStatement\u003e\n\t\t\t\u003csaml:Attribute Name=\"mygroups\"\u003e\n\t\t\t\t\u003csaml:AttributeValue\u003essoappgroup\u003c/saml:AttributeValue\u003e\n\t\t\t\t\u003csaml:AttributeValue\u003egroup1_3\u003c/saml:AttributeValue\u003e\n\t\t\t\u003c/saml:Attribute\u003e\n\t\t\u003c/saml:AttributeStatement\u003e\n\t\u003c/saml:Assertion\u003e\n\u003c/samlp:Response\u003e\n\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fworkforce-federation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Fworkforce-federation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Fworkforce-federation/lists"}