During CMEK onboarding, your IT admin creates an SSO application in your identity provider so your team can access GCP Console to manage encryption keys and view audit logs. This page provides the settings your IT admin needs.
Parable provides the values marked "from Parable" during onboarding. If you don’t have them yet, contact support@askparable.com.

Choose your protocol

Most identity providers support both OIDC and SAML. OIDC is simpler to set up — use it unless your organization requires SAML.

OIDC application setup

Create a new Custom OIDC application in your identity provider with these settings:
| Setting | Value |
| --- | --- |
| App name | Parable CMEK Access (or any name your team prefers) |
| Redirect URI | Provided by Parable |
| Login URL | Provided by Parable |
| Grant type | Authorization Code |
| Client authentication | Client Secret Basic |
| Scopes | openid, profile, email |
Step 1: Create the OIDC application

In your IdP admin console, create a new custom OIDC application. Enter the Redirect URI and Login URL provided by Parable.
Step 2: Assign users or groups

Assign the users or groups who should have access to your encryption keys. Anyone assigned to this application can sign in — you can add or remove users at any time without contacting Parable.
Step 3: Send credentials to Parable

Share the following with your Parable contact (via a secure channel such as 1Password or your organization’s preferred method):
  • Client ID
  • Client Secret
  • Issuer URL (e.g. https://your-org.okta.com/ or https://oauth.id.jumpcloud.com/)
Step 4: Parable completes configuration

Parable configures the federation and sends you back:
  • A sign-in link for GCP Console
  • A direct link to your encryption keyring
  • A direct link to your audit logs
Your team can also access GCP Console from the app in your IdP’s portal.

Okta
  1. Go to Applications → Create App Integration → OIDC - OpenID Connect → Web Application
  2. Set the Sign-in redirect URI to the Redirect URI from Parable
  3. Under Assignments, assign the relevant users or groups
  4. Copy the Client ID and Client Secret from the app’s General tab
  5. Your Issuer URL is https://your-org.okta.com/

Microsoft Entra ID (Azure AD)
  1. Go to App registrations → New registration
  2. Set the Redirect URI (Web) to the Redirect URI from Parable
  3. Under Certificates & secrets, create a new client secret
  4. Copy the Application (client) ID and the secret value
  5. Your Issuer URL is https://login.microsoftonline.com/{tenant-id}/v2.0

JumpCloud
  1. Go to SSO Applications → Add New Application → Custom OIDC App
  2. Set Redirect URI and Login URL from Parable
  3. Set Client Authentication Type to Client Secret Basic
  4. Check Email and Profile under Standard Scopes
  5. Assign your test user or group
  6. Copy the Client ID and Client Secret
  7. Issuer URL is https://oauth.id.jumpcloud.com/
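
Before sending the Issuer URL to Parable, an admin can check that the IdP's published discovery metadata agrees with the settings in the table above. This is an added example, not Parable's tooling: the function names and the sample metadata are constructed, and it assumes the IdP serves standard OpenID Connect Discovery metadata at `/.well-known/openid-configuration`.

```python
import json
import urllib.request

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes from the settings table

def fetch_discovery(issuer_url, timeout=10):
    """Download the IdP's discovery document (OpenID Connect Discovery 1.0)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(issuer_url, meta):
    """Return a list of mismatches between the metadata and the page's settings."""
    problems = []
    issuer = meta.get("issuer", "")
    if issuer != issuer_url:  # Discovery requires an exact string match
        if issuer.rstrip("/") == issuer_url.rstrip("/"):
            problems.append(f"issuer differs only by trailing slash: {issuer!r}")
        else:
            problems.append(f"issuer mismatch: metadata says {issuer!r}")
    if not issuer_url.startswith("https://"):
        problems.append("issuer URL is not https")
    # Spec defaults apply when the IdP omits these optional fields.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    auth = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in auth:
        problems.append("client_secret_basic not advertised")
    if "scopes_supported" in meta:  # optional field; skip the check if absent
        missing = REQUIRED_SCOPES - set(meta["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample metadata (not from a real tenant).
SAMPLE = {
    "issuer": "https://idp.example.com/",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
    "scopes_supported": ["openid", "email"],
}

if __name__ == "__main__":
    for p in check_discovery("https://idp.example.com", SAMPLE):
        print("WARN:", p)
```

Against a live IdP, pass the result of `fetch_discovery(issuer_url)` as `meta`; an empty list means the metadata matches the table.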

What happens after setup

Once Parable completes the federation:
  • You control access. Add or remove users from the SSO application in your IdP at any time. Changes take effect immediately — no Parable involvement needed.
  • No Google account required. Your team signs in with their existing corporate credentials.
  • No Terms of Service to accept. Federated users are temporary users of Parable’s GCP project, covered by Parable’s existing agreement with Google.
If you need to change your IdP or rotate credentials, contact support@askparable.com.