Temporary access to GCP console (GUI not API) using Keycloak as a SAML Identity Broker

I’m looking for a way to allow short-lived SAML access to the Google Cloud GUI (via Cloud Identity SSO).

Vault has the option to issue short-lived OIDC Identity Tokens.

So I was thinking I could use Keycloak as the Identity Broker for SAML to OIDC for Vault. Then Vault would be configured with the AuthMethod of choice (like GitHub for example). However, the more I look at this model, it seems like there must be a better way:

  • Go to GCP “ServiceLogin?” login URL
  • Redirects to Keycloak (SAML)
  • Redirects to Vault login (OIDC)
    • authN to Vault w/ GitHub (for example; OIDC)
  • Vault returns a new short-lived token → Keycloak translates to SAML → Cloud Identity logs you in.

Is there a better way? Do I even need Vault for a configuration like this? I feel like I just need a nudge in the right direction.