docs(integrate): Google Cloud with Workforce Identity Federation (OIDC) (#5682)

* simplify sidebar

* initial draft

* Apply suggestions from code review

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Apply suggestions from code review

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

docs/docs/guides/integrate/services/atlassian-saml.md

@@ -1,5 +1,6 @@
 ---
 title: Connect with Atlassian through SAML 2.0
+sidebar_label: Atlassian
 ---
 
 This guide shows how to enable login with ZITADEL on Atlassian.

docs/docs/guides/integrate/services/auth0-oidc.mdx

@@ -1,5 +1,6 @@
 ---
 title: Connect with Auth0 through OIDC
+sidebar_label: Auth0 (OIDC)
 ---
 
 import CreateApp from "../application/_application.mdx";

docs/docs/guides/integrate/services/auth0-saml.md

@@ -1,5 +1,6 @@
 ---
 title: Connect with Auth0 through SAML 2.0
+sidebar_label: Auth0 (SAML)
 ---
 
 This guide shows how to enable login with ZITADEL on Auth0.

docs/docs/guides/integrate/services/aws-saml.md

@@ -1,5 +1,6 @@
 ---
 title: Connect with AWS through SAML 2.0
+sidebar_label: Amazon Web Services
 ---
 
 This guide shows how to enable login with ZITADEL on AWS SSO.

docs/docs/guides/integrate/services/gitlab-saml.md

@@ -1,5 +1,6 @@
 ---
 title: Connect with Gitlab through SAML 2.0 
+sidebar_label: Gitlab
 ---
 
 This guide shows how to enable login with ZITADEL on Gitlab.

docs/docs/guides/integrate/services/google-cloud.mdx

@@ -0,0 +1,132 @@
+---
+title: Google Cloud with Workforce Identity Federation (OIDC)
+sidebar_label: Google Cloud
+---
+
+import CreateApp from "../application/_application.mdx";
+
+This guide shows how to login users and assign roles with [Workforce Identity Federation to Google Cloud](https://cloud.google.com/iam/docs/workforce-identity-federation).
+
+It covers how to:
+
+- create and configure your application in ZITADEL
+- configure an Action to transform claims
+- create and configure the connection to Google Cloud with Workforce Identity Federation using OpenID Connect (OIDC)
+
+Prerequisites:
+
+- existing ZITADEL Instance, if not present follow [this guide](/guides/start/quickstart)
+- existing ZITADEL Organization, if not present follow [this guide](/guides/manage/console/organizations)
+- existing ZITADEL project, if not present follow the first 3 steps [here](/guides/manage/console/projects)
+- prerequisites on Google Cloud side [in the configuration guide](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation).
+
+> We have to switch between ZITADEL and a Google Cloud. If the headings begin with "ZITADEL" switch to the ZITADEL Console and if
+> the headings start with "Google Cloud" please refer to the configuration guide on Google Cloud.
+
+## **Google Cloud**: Configure
+
+Follow the steps **Before you begin**,  **Required roles**, and **create a workforce identity pool** (OIDC) in the [in the configuration guide](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation).
+
+Before you create the workforce identity pool provider you should create your application in ZITADEL.
+
+## **ZITADEL**: Create the application
+
+In your existing project:
+
+First of all we create the application in your project.
+
+:::info
+Google Cloud requires just an ID Token as JWT including the [described required and optional scopes](https://cloud.google.com/iam/docs/workforce-identity-federation#attribute-mappings).
+:::
+
+Create a new application and click on "I'm a pro. Skip this wizard."
+
+- **Application Type**: Web
+- **Grant Types**: Implicit
+- **Response Type**: ID Token
+- **Authentication Method**: None
+
+:::info
+You need to add the redirect URL and configure token settings after creating the application.
+:::
+
+![Create application screen](/img/guides/integrate/services/google-cloud-create-app.png)
+
+## **ZITADEL**: Redirect url
+
+![Redirect URL](/img/guides/integrate/services/google-cloud-redirect-url.png)
+
+After creating, go to the application settings "Redirect settings" and add the redirect url from Googles configuration guide. 
+It looks something like `https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID`.
+
+Save the settings.
+
+:::caution
+Make sure to replace the `WORKFORCE_POOL_ID` and `WORKFORCE_PROVIDER_ID` with your values in the redirect url
+:::
+
+## **ZITADEL**: Token settings
+
+![Token settings](/img/guides/integrate/services/google-cloud-token-settings.png)
+
+After creating, go to the application settings "Token settings" and configure as follows:
+
+- **Auth Token Type**: JWT
+- **Add user roles to the access token**: disabled (optional)
+- **User roles inside ID Token**: enabled
+- **User Info inside ID Token**: enabled
+
+Save the settings.
+
+## **ZITADEL**: Custom claims
+
+Go to your project and create roles according to the Groups in Google Cloud.
+Authorize a test user by assigning roles in ZITADEL.
+
+Google Cloud expects some claims, including groups, in a specific format as [described here](https://cloud.google.com/iam/docs/workforce-identity-federation#attribute-mappings).
+Claims can be transformed in ZITADEL with [Actions](/apis/actions/introduction).
+
+Create an Action with the following code to flatten the roles and include the claim for the users' display name.
+
+:::info
+If you want to configure a special attribute mapping in the workforce identity pool provider, then adjust the claims accordingly.
+:::
+
+```javascript
+function googleGroups(ctx, api) {
+  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
+    return;
+  }
+
+  let grants = [];
+  ctx.v1.user.grants.grants.forEach(claim => {
+    claim.roles.forEach(role => {
+        grants.push(claim.projectId+':'+role)  
+    })
+  })
+
+  api.v1.claims.setClaim('google.groups', grants)
+  api.v1.claims.setClaim('google.display_name', ctx.v1.getUser().human.displayName)
+}
+
+```
+
+![Action Code](/img/guides/integrate/services/google-cloud-action-code.png)
+
+
+
+:::caution
+Make sure that the name of the action matches the name of the function.
+:::
+
+And add the the Action Script to the following Flow and Trigger:
+
+- **Flow Type**: Complement Token
+- **Trigger Type**: Pre access token creation
+- **Actions**: googleGroups
+
+![Action Flow](/img/guides/integrate/services/google-cloud-action-flow.png)
+
+## **Google Cloud**: Create a WIP provider
+
+Complete the steps  in the [in the configuration guide](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation) with the `ISSUER_URI` and `CLIENT_ID` from ZITADEL.

docs/docs/guides/integrate/services/pingidentity-saml.md

@@ -1,5 +1,6 @@
 ---
 title: Connect with Ping Identity through SAML 2.0
+sidebar_label: Ping Identity
 ---
 
 This guide shows how to enable login with ZITADEL on Auth0.

docs/sidebars.js

@@ -211,6 +211,7 @@ module.exports = {
           items: [
             "guides/integrate/services/gitlab-self-hosted",
             "guides/integrate/services/aws-saml",
+            "guides/integrate/services/google-cloud",
             "guides/integrate/services/atlassian-saml",
             "guides/integrate/services/gitlab-saml",
             "guides/integrate/services/auth0-oidc",