Skip to content
Gallery
1. IAM Overview
Cloud IAM
Organization & Folders
Cloud Identity
Workforce Identity Federation
Share
Explore

icon picker
Workforce Identity Federation

What is Workforce Identity Federation?

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services. With Workforce Identity Federation you don't need to synchronize user identities from your existing IdP to Google Cloud identities, as you would with Cloud Identity's
Google Cloud Directory Sync (GCDS)
. Workforce Identity Federation extends Google Cloud's identity capabilities to support syncless, attribute-based single sign on.

After user authentication, information that is received from the IdP is used to determine the scope of access to the Google Cloud resources.
You can use Workforce Identity Federation with any IdP that supports
OpenID Connect (OIDC)
or
SAML 2.0
, such as Microsoft Entra ID, Active Directory Federation Services (AD FS), Okta, and others.

Workforce identity pools

Workforce identity pools let you manage groups of workforce identities and their access to Google Cloud resources.
Pools let you do the following:
Group user identities; for example, employees or partners
Grant IAM access to an entire pool or a subset thereof.
Federate identities from one or more IdPs.
Define policies on a group of users that require similar access permissions.
Specify IdP-specific configuration information, including
attribute mapping
and
attribute conditions
.
Enable the Google Cloud CLI and API access for third-party identities.
Log access by users within a pool to Cloud Audit Logs, along with the pool ID.
You can create multiple pools. For an example that describes one such approach, see
Example: Multiple workforce identity pools
.
Pools are configured at the
Google Cloud organization level
. Because of this, pools are available across all projects and folders within the organization, as long as you have the appropriate IAM permissions to view the pool. When you first set up Workforce Identity Federation for your organization, you provide a name for the pool. In IAM allow policies, you reference the pool by its name. Because of this, we recommend that you name the pool so that it clearly describes the identities it contains.

Ref:
Workforce Identity Federation  |  IAM Documentation  |  Google Cloud
What is Workforce Identity Federation?
Workforce identity pools
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.