Strata Copilot
    Next-Gen Trust Security
    : Workload Identity Federation - Azure Identity Provider Authentication
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security Overview
    5. Welcome to Integrations
    6. Cloud Providers Overview
    7. Configure Google Cloud Platform Connection
    8. Workload Identity Federation - Azure Identity Provider Authentication

    Next-Gen Trust Security

    Workload Identity Federation - Azure Identity Provider Authentication

    Table of Contents

    Workload Identity Federation - Azure Identity Provider Authentication

    This topic provides step-by-step instructions to set up a GCP Cloud Provider using Azure AD as the external identity provider through Workload Identity Federation (WIF). This method allows secure, token-based access without long-lived credentials.
    Note (Differences from Workload Identity Federation - Built-In Identity Provider): Unlike the built-in Workload Identity Federation procedure, this guide uses Azure Active Directory as the issuer instead of Next-Gen Trust Security. Some steps differ:
    • The Issuer URI comes from Azure AD, not Next-Gen Trust Security.
    • Attribute mapping is based on Azure claims (appid).
    • Service account binding uses the standard roles/iam.workloadIdentityUser role instead of a custom role.

    Step 1: Register an Application in Azure AD

    Performed in Azure Portal
    1. In the Azure Portal, go to All Services > App registrations.
    2. Click New registration.
    3. Name your app (e.g., azure-gcp-wif) and choose the appropriate account type.
    4. Click Register.
    5. Copy and save the following values:
      • Application (client) ID
      • Directory (tenant) ID

    Expose the Application

    1. In your app, go to Manage > Expose an API.
    2. Add an Application ID URI (e.g., api://<client-id>).
    3. Click Save.

    Step 2: Create a Client Secret

    Performed in Azure Portal
    1. In your app, go to Certificates & secrets.
    2. Click New client secret, provide a description, and select an expiration.
    3. Copy and save the secret value.

    Step 3: Enable Google APIs

    Performed in GCP
    1. In the GCP console, go to APIs & services > Library.
    2. Enable the following APIs:
      • IAM API
      • Cloud Resource Manager API
      • Certificate Manager API

    Step 4: Create a Google Service Account

    Performed in GCP
    Use the Workload Identity Federation - Azure Identity Provider authentication permissions when setting up a service account.
    1. Follow the steps at Create service accounts.
    2. Copy and save the service account email for later use.

    Step 5: Create a Custom Role for Certificate Provisioning

    Performed in GCP
    Use this permissions.yaml file:
     title: TLSPC Integration
 description: Permissions granted to TLSPC
 stage: GA
 includedPermissions:
   - certificatemanager.certs.create
   - certificatemanager.certs.get
   - certificatemanager.certs.list
   - certificatemanager.certs.update
   - certificatemanager.locations.list
   - certificatemanager.operations.get
   - resourcemanager.projects.get
    Run:
    gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT-ID> --file=permissions.yaml

    Step 6: Create a Workload Identity Pool

    Performed in GCP
    gcloud iam workload-identity-pools create "azure-pool" \
  --project="$GCP_PROJECT_ID" \
  --location="global" \
  --display-name="Azure Identity Pool"
    Save the pool ID (e.g., azure-pool).

    Step 7: Add an OIDC Provider to the Workload Identity Pool

    Performed in GCP
    gcloud iam workload-identity-pools providers create-oidc "azure-provider" \
  --project="$GCP_PROJECT_ID" \
  --location="global" \
  --workload-identity-pool="azure-pool" \
  --display-name="Azure OIDC Provider" \
  --issuer-uri="https://sts.windows.net/$AZURE_TENANT_ID" \
  --allowed-audiences="api://$AZURE_APP_CLIENT_ID" \
  --attribute-mapping="google.subject=assertion.appid,attribute.subject=assertion.appid"

    Suggestions

    • Use the same Workload Identity Pool ID from Step 6.
    • Replace $AZURE_TENANT_ID and $AZURE_APP_CLIENT_ID with values from your Azure AD app registration.
    • allowed-audiences should match either the Azure Client ID or the Application ID URI defined in the Expose the application step.
    • You can customize the provider ID (e.g., azure-provider) but record it for later use when creating the Cloud Provider in Next-Gen Trust Security.
    Save the provider ID (e.g., azure-provider).

    Step 8: Bind the Service Account to the Workload Identity Pool

    Performed in GCP
    gcloud iam service-accounts add-iam-policy-binding "<your_service_account>" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/azure-pool/attribute.subject/<AZURE_APP_CLIENT_ID>"
    Note: Ensure <AZURE_APP_CLIENT_ID> matches the allowed-audiences value you set in Step 7.

    Step 9: Create a Cloud Provider in Next-Gen Trust Security

    Performed in Next-Gen Trust Security
    1. Sign in to Next-Gen Trust Security.
    2. Click Configuration > Certificate Integrations > Cloud Providers.
    3. Click New and select Google.
    4. Enter a Name for the new cloud provider.
    5. Enter your Google Service Account Email (from Step 4).
    6. Select Workload Identity Federation – Azure Identity Provider.
    7. Fill in the required fields with the exact values:
      • Project number (from GCP dashboard)
      • Workload identity pool ID (from Step 6)
      • Workload identity pool provider ID (from Step 7)
      • Application (client) ID (from Azure AD app registration)
      • Directory (tenant) ID (from Azure AD app registration)
      • Client secret (from Step 2)
    8. Click Continue.
    9. Click Create.

    Step 10: Validate and Test the Connection

    Performed in Next-Gen Trust Security
    1. Click Configuration > Certificate Integrations > Cloud Providers.
    2. Find the new cloud provider created in Step 9.
    3. Click the more options
      button and select Validate.
    Note: A yellow icon
    indicates the provider has not been validated. It disappears after a successful validation.
    If validation fails, review your Azure and GCP settings and try again.

    Step 11: Add a Cloud Keystore

    Performed in Next-Gen Trust Security
    1. Sign in to Next-Gen Trust Security.
    2. Click Insights > Cloud Keystores.
    3. Click New and select Google.
    4. Enter a Name for the new cloud keystore.
    5. Select a GCP Cloud Provider.
    6. Enter a Project Name.
    7. Enter a GCM Region.
    8. (Optional) To discover certificates on your keystore, enable Start discovery immediately and Include expired certificates. Once complete, create a schedule.
    9. Click Save. The new cloud keystore appears in the Cloud Keystore list.

    Step 12: Provision a Certificate

    Performed in Next-Gen Trust Security
    1. Click the More actions (ellipsis) icon next to the cloud keystore you created, and then select Provision.
      Tip: From this menu, you can also delete certificates if needed.
    2. From the dropdown, search for the certificate you want to provision, select it, and then click Provision. This creates a new certificate installation on the cloud keystore.
    3. (Optional) You can also re-provision, replace, or delete an existing certificate.
      • Select your Cloud Keystore to open the details panel.
      • Click the More actions (ellipsis) icon next to the certificate.
      • Select Re-provision, Replace, or Delete, and complete the steps in the user interface.
      Info:
      • Re-provision re-installs the current certificate on the cloud keystore.
      • Replace substitutes the current certificate with a different one.
      • Delete removes the certificate from the cloud keystore.

    Set up GCP Discovery Schedule

    1. In the Next-Gen Trust Security toolbar, click Installations and select Cloud Keystores.
    2. Select the Cloud Keystore name you want to perform a discovery on.
    3. From the right pane, select Discovery configuration and enable:
      • Enable scheduled discovery
      • Include expired certificates
    4. Under Repeat, select Daily, Weekly, or Advanced, then choose a time.
    5. Click Save.

    © 2026 Palo Alto Networks, Inc. All rights reserved.