Create OIDC Identity Provider for Federated Identities

Identity providers define the external OIDC issuer and key discovery settings. You can reuse the same identity provider for multiple service accounts.

Prerequisites

Before creating an identity provider, ensure you have:

  1. Access to your OIDC provider’s configuration (issuer URL, JWKS endpoint)
  2. Knowledge of your identity provider’s token issuance settings

Configuration Steps

Step 1: Navigate to Identity Providers

Navigate to IAM → Identity Providers in your Thalassa Cloud Console.

Step 2: Create New Identity Provider

Click “Create Provider”.

Step 3: Configure Identity Provider

Fill in the identity provider configuration:

Basic Information:

  • Name: Choose a descriptive name (e.g., “github-actions”, “gitlab-ci”)
  • Description: Optional description of the identity provider’s purpose

OIDC Configuration:

  • OIDC Issuer URL: Enter your identity provider’s issuer URL
    • Example for GitHub Actions: https://token.actions.githubusercontent.com
    • This is the base URL that issues your OIDC tokens
    • Take note: this must match the issuer's address exactly; a trailing / may break your Token Exchange matching.

JWKS Configuration: Choose one of the following options:

Option A: Automatic Discovery (Recommended)

  • Leave JWKS endpoint blank to auto-discover from the issuer’s /.well-known/openid-configuration
  • Thalassa Cloud will automatically fetch the JWKS endpoint from the issuer’s well-known configuration

Option B: Custom JWKS Endpoint

  • Specify a custom JWKS endpoint URL if auto-discovery is not available
  • Example: https://token.actions.githubusercontent.com/.well-known/jwks
  • Use this if your identity provider uses a non-standard JWKS location

Option C: Custom JWKS JSON (Offline Use)

  • Provide JWKS JSON content directly for offline scenarios or when endpoint access is restricted
  • Useful for air-gapped environments or when you need to pin specific keys
  • Example format:
    jwks.json
    {
      "keys": [
        {
          "kty": "RSA",
          "use": "sig",
          "kid": "...",
          "n": "...",
          "e": "..."
        }
      ]
    }

Important Considerations

Using HTTPS is required for both the issuer URL and the JWKS endpoint, and each endpoint must present a valid certificate. This matters because whoever controls the JWKS content controls which JWT tokens are accepted. Thalassa Cloud must be able to reach both the issuer and JWKS endpoints.
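The checks described in the JWKS options above and in the considerations just given (exact issuer matching, HTTPS-only endpoints, and a well-formed JWKS document for Option C) can be run locally before you paste values into the console. The following is an added example written for this page, not Thalassa Cloud's own code; the sample JWKS values are constructed placeholders and the helper names (discovery_url, issuer_matches, check_https_endpoint, validate_jwks) are this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample JWKS for Option C. The kid/n/e values are placeholders,
# not a real key; the structure is what matters for the validation below.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "example-key-1",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
})


def discovery_url(issuer: str) -> str:
    """Build the /.well-known/openid-configuration URL for an issuer.

    OpenID Connect Discovery appends the well-known path to the issuer;
    a trailing slash on the issuer would yield '//.well-known', so it is
    stripped here for the lookup only. The configured issuer string itself
    is never normalised (see issuer_matches)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def issuer_matches(configured_issuer: str, token_iss: str) -> bool:
    """Exact string comparison, as token-exchange matching requires.

    'https://example/' and 'https://example' are different issuers; this is
    why a stray trailing slash in the console breaks matching."""
    return configured_issuer == token_iss


def check_https_endpoint(url: str) -> bool:
    """Return True only for an absolute https:// URL with a host part."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


# Required members per key type, from RFC 7518 (JSON Web Algorithms).
REQUIRED_BY_KTY = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
}


def validate_jwks(jwks_json: str) -> list:
    """Parse a pasted JWKS document and return a list of problems (empty = OK).

    Checks: valid JSON, non-empty 'keys' array, supported kty with its
    required members, 'use' (if present) set to 'sig', and unique 'kid'
    values so a token's kid header selects exactly one key."""
    problems = []
    try:
        doc = json.loads(jwks_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["'keys' must be a non-empty array"]

    seen_kids = set()
    for index, key in enumerate(keys):
        where = f"keys[{index}]"
        if not isinstance(key, dict):
            problems.append(f"{where}: not an object")
            continue
        kty = key.get("kty")
        if kty not in REQUIRED_BY_KTY:
            problems.append(f"{where}: unsupported or missing kty {kty!r}")
            continue
        for member in REQUIRED_BY_KTY[kty]:
            if not key.get(member):
                problems.append(f"{where}: missing required member '{member}'")
        if key.get("use", "sig") != "sig":
            problems.append(f"{where}: key is not a signing key (use={key['use']!r})")
        kid = key.get("kid")
        if not kid:
            problems.append(f"{where}: missing kid")
        elif kid in seen_kids:
            problems.append(f"{where}: duplicate kid {kid!r}")
        else:
            seen_kids.add(kid)
    return problems


if __name__ == "__main__":
    issuer = "https://token.actions.githubusercontent.com"
    print("discovery:", discovery_url(issuer))
    print("https ok:", check_https_endpoint(issuer))
    print("trailing slash matches:", issuer_matches(issuer, issuer + "/"))
    print("jwks problems:", validate_jwks(SAMPLE_JWKS))
```

Run the script as-is to see the four checks on the GitHub Actions issuer from the example above; to check your own Option C document, pass its contents to validate_jwks and fix every reported problem before saving the provider.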

Step 4: Review and Save

  1. Review your configuration
  2. Click “Create Provider” or “Save”
  3. The identity provider is now ready to be used by federated identities