This guide shows you how to set up access to the Google Cloud workforce identity federation console, also known as the console (federated), from your identity provider (IdP) and shows you how to provide access instructions to your users.
Before you begin
Configure workforce identity federation in your Google Cloud organization, including a workforce identity pool and a workforce identity pool provider. Alternatively, if you use one of the following IdPs, see the IdP-specific guides for more information:
Note your workforce identity pool provider name, which you use later in this guide.
Set up redirect URLs in your IdP
You can configure your IdP to post an IdP response and redirect your user to the console (federated) after your user authenticates. To do this, you must configure a redirect URL and set it in your IdP configuration.
To create the redirect URL, do the following:
Share the name of the workforce identity pool provider with your users. It is formatted as follows:
Replace the following:
WORKFORCE_POOL_ID: the workforce identity pool ID.
WORKFORCE_PROVIDER_ID: the workforce identity provider ID.
Create the redirect URL. It is formatted as follows:
WORKFORCE_POOL_PROVIDER_NAMEwith the workforce identity pool provider name from the previous step.
Configure your IdP with the redirect URL.
In your IdP, enter the redirect URL. The field into which you enter the URL can vary.
In your IdP, the field might be called
Your IdP sends the response and name token to this URL.
In your IdP, the field might be called
Single sign-on URLor
SAML assertion consumer service (ACS) URL.
Your IdP posts the SAML assertion to this URL.
If you want to enable IdP-initiated login with your SAML provider, enter the following URL in the
Default RelayStatesetting, or its equivalent. The IdP redirects your user to this URL after your user successfully authenticates:
Inform your users how to sign in
This section describes the different ways your users can sign in to the console (federated).
Start the sign-in process using an SSO link
To start the sign-in process with your IdP, you can share a link with your users that redirects them to your IdP without prompting them for the provider name. After users successfully login, they are automatically redirected to the console (federated).
To use this method, send the following login link to your users:
Start the sign-in process using the console (federated)
To start the sign-in process at the console (federated), do the following:
Provide your users with your workforce identity pool provider name described earlier in this document.
Provide your users with the following link to the console (federated):
When your users first access the console (federated), they are prompted to enter the workforce identity pool provider name. They are then redirected to your IdP to authenticate. After they authenticate, they are redirected back to the console (federated).
Use SAML IdP-initiated sign-in
The SAML specification defines a flow called IdP-initiated sign-in, in which users initiate the sign-in process at the IdP. If your IdP supports this flow, you can share the details with your users.
Use the console (federated) vs. the Google Cloud console
The console (federated) provides limited access to only those Google Cloud products that support workforce identity federation. Because of this, when using the console (federated), you see a limited number of Google Cloud products, and the product UIs themselves might have further limitations when viewed in the console (federated).
To learn more about products that support workforce identity federation and related limitations, see Workforce identity federation: supported products and limitations.
The Google Cloud console, by comparison, can provide full access to all products and features, depending on roles granted to users.