Workforce identity federation

Stay organized with collections Save and categorize content based on your preferences.

This document describes the key concepts of workforce identity federation.

What is workforce identity federation?

Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services. With workforce identity federation you don't need to synchronize user identities from your existing IdP to Google Cloud identities, as you would with Cloud Identity's Google Cloud Directory Sync (GCDS). Workforce identity federation extends Google Cloud's identity capabilities to support syncless, attribute-based single sign on.

After user authentication, information that is received from the IdP is used to determine the scope of access to the Google Cloud resources.

You can use workforce identity federation with any IdP that supports OpenID Connect (OIDC) or SAML 2.0, such as Azure Active Directory (Azure AD), Active Directory Federation Services (AD FS), Okta, and others.

Workforce identity federation pools

Workforce identity federation pools let you manage groups of workforce identities and their access to Google Cloud resources.

Pools let you do the following:

  • Group user identities; for example, employees or partners
  • Grant IAM access to an entire pool or a subset thereof.
  • Federate identities from one or more IdPs.
  • Define policies on a group of users that require similar access permissions.
  • Specify IdP-specific configuration information, including attribute mapping and attribute conditions.
  • Enable the Google Cloud CLI and API access for third-party identities.
  • Log access by users within a pool to Cloud Audit Logs, along with the pool ID.

You can create multiple pools. For an example that describes one such approach, see Example: Multiple workforce identity pools.

Pools are configured at the Google Cloud organization level. Because of this, pools are available across all projects and folders within the organization, as long as you have the appropriate IAM permissions to view the pool. When you first set up workforce identity federation for your organization, you provide a name for the pool. In IAM allow policies, you reference the pool by its name. Because of this, we recommend that you name the pool so that it clearly describes the identities it contains.

Workforce identity pool providers

A workforce identity pool provider is an entity that describes a relationship between your Google Cloud organization and your IdP.

Workforce identity federation follows the OAuth 2.0 Token Exchange specification (RFC 8693). You provide a credential from your external identity provider to the Security Token Service, which verifies the identity in the credential, and then returns a short-lived Google Cloud access token in exchange.

Google Cloud workforce identity federation console

Users in a workforce identity pool can access the Google Cloud workforce identity federation console, also known as the console (federated). The console provides these users with UI access to Google Cloud products that support workforce identity federation.

Attribute mappings

Your IdP provides attributes, referred to by some IdPs as claims. Attributes contain information about your users. You can map these attributes for use by Google Cloud using Common Expression Language (CEL).

This section describes the set of required and optional attributes that Google Cloud provides.

You can also define custom attributes in your IdP that can then be used by specific Google Cloud products; for example in IAM allow policies.

The maximum size for attribute mappings is 4 KB.

The attributes are as follows:

  • google.subject (Required): a unique identifier for the authenticating user. It is often the subject assertion of the JWT, because Cloud Audit Logs logs record the contents of this field as the principal. You can use this field to configure IAM for authorization decisions. We recommend that you don't use a mutable value because if you change the value in your IdP's user directory, the user loses access.

    The maximum length is 127 bytes.

  • google.groups (Optional): the collection of groups that the authenticating user is a member of. You can configure a logic expression using a subset of CEL that produces an array of strings. You can also use this field to configure IAM for authorization decisions. Limitations for google.groups are as follows:

    • We recommend that you limit the group name to 100 characters.

    • If one user is associated with more than 100 groups, define a smaller set of groups, and only include those groups in assertions used to federate the user to Google Cloud.

    • If you use this attribute to grant access in IAM, every member in the mapped groups is granted access. Therefore, we recommend that you ensure that only authorized users in your organization can modify the membership of the mapped groups.

  • google.display_name (Optional): attribute that is used to set the name of the signed-in user in the Google Cloud console. This attribute can't be used in IAM allow policies nor in the attribute condition.

    The maximum length is 100 bytes.

  • google.profile_photo (Optional): a URL of the user's thumbnail photo. We recommend the photo to be 400x400 pixels. When this attribute is set, the image is visible as the user's profile picture in the Google Cloud console. If this value isn't set, or it can't be fetched, a generic user icon is displayed instead. This attribute can't be used in either IAM allow policies or in the attribute condition.

  • attribute.KEY (Optional): a customer-defined attribute that is present in a user's IdP token. You can use these custom attributes to define your authorization strategy in an IAM allow policy. For example, you can choose to define an attribute such as the user's cost center: attribute.costcenter = "1234". This attribute could then be used in IAM conditions to grant access only to users in that cost center.

    You can configure a maximum of 50 custom attribute mapping rules. The maximum size of each such rule is 2048 characters.

    Although we don't have restrictions on the attributes you can map here, we strongly recommend that you choose attributes whose values are stable. For example, an attribute like attribute.job_description might change for many reasons (such as improving its readability). As an alternative, consider using attribute.role. Changes to the latter indicate a change of assigned responsibility and align with changes in the access granted to the user.

Attribute conditions

Attribute conditions are optional CEL expressions that let you set constraints on the identity attributes that Google Cloud accepts.

The benefits of using attribute conditions include the following:

  • You can use attribute conditions to allow only a subset of external identities to authenticate to your Google Cloud project. For example, you might want to allow only those identities that are in a specific team to sign in, especially if you are using a public IdP. For another example, you might want to allow your accounting team to sign in, but not your engineering team.
  • Attribute conditions let you prevent credentials intended for use with another platform from being used with Google Cloud, and vice-versa. This helps avoid the confused deputy problem.

Represent workforce pool users in IAM policies

The following table shows the principal identifiers that you use to grant roles to a single user, a group of users, users carrying a particular claim, or all users from a workforce pool.

Identities Identifier format
Single identity in a workforce identity pool principal://iam.googleapis.com/locations/global/workforcePools/POOL_ID/subject/SUBJECT_ATTRIBUTE_VALUE
All workforce identities in a group principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/group/GROUP_ID
All workforce identities with a specific attribute value principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
All identities in a workforce identity pool principalSet://iam.googleapis.com/locations/global/workforcePools/POOL_ID/*

Restrict cross-organization access

Workforce identity federation pool principals can't directly access resources outside of the organization that they belong to. However, if a principal is given permission to impersonate a service account within the organization this constraint can be bypassed as service accounts aren't equally restricted.

To restrict service accounts from accessing resources in other organizations, administrators can configure VPC Service Controls. Service accounts created in a project that is within a VPC Service Controls boundary aren't able to access resources in projects outside that boundary.

Workforce pools user project

Google Cloud services typically charge billing and quota use to the project that contains the resources (a resource project), while some Google Cloud APIs charge to a project that is specified in the API call. In those cases, a workforce identity federation pool user project is used for billing and quota purposes. The principal needs to have serviceusage.services.use permission on this project. If you're already using Google Cloud services, you can use an existing project for billing and quota purposes. If you don't have an existing project, you can create a new one. The new project can be used instead of your resource projects.

Example: multiple workforce identity federation pools

This section contains an example that illustrates typical use of multiple pools.

You can create one pool for employees and another for partners. Multinational organizations might create separate pools for different divisions in their organization. Pools allow for distributed management, in which different groups can independently manage their specific pool where roles are granted only to the identities in the pool.

For example, suppose that a company named Enterprise Example Organization contracts a different company named Partner Example Organization Inc to provide Google Kubernetes Engine (GKE) DevOps services. For Partner Example Organization workforce to provide the services, their workforce must be allowed to access Google Kubernetes Engine (GKE) and other Google Cloud resources in Enterprise Example Organization's organization. Enterprise Example organization already has a workforce identity federation pool called enterprise-example-organization-employees.

To allow Partner Example Organization to manage access to Enterprise Example Organization's resources, Enterprise Example Organization creates a separate workforce pool for Partner Example Organization workforce users so that Partner Example Organization can manage. Enterprise Example Organization provides the workforce pool to a Partner Example Organization administrator. Partner Example Organization's administrator uses their own IdP to grant access to their workforce.

To do this, Enterprise Example Organization's Admin performs the following tasks:

  1. Create an identity such as partner-organization-admin@example.com for the Partner Example Organization administrator in Enterprise Example Organization's IdP, which is already configured in the pool called enterprise-example-organization-employees.

  2. Create a new workforce pool called example-organization-partner.

  3. Create the following IAM policy for the example-organization-partner pool:

    {
      "bindings": [
        {
          "role": "roles/iam.workforcePoolEditor",
          "members": [
            "principalSet://iam.googleapis.com/locations/global/workforcePools/enterprise-example-organization-employees/subject/partner-organization-admin@example.com",
          ]
        }
      ]
    }
    
  4. Grant roles for example-organization-partner pool on the resources they need access to in Enterprise Example Organization's organization.

Partner Example Organization's admin can now configure the example-organization-partner pool to connect with their IdP. They can then allow Partner Example Organization workforce to sign in with Partner Example Organization's IdP credentials. After they sign in, Partner Example Organization workforce users can access Google Cloud resources, constrained by policies that are defined by Enterprise Example Organization.

Easier access management

In large enterprises, IT administrators often create security groups as part of a best-practices access-control model. Security groups govern access to internal resources. Further, companies often create additional groups for employees and other groups for partners to extend this access-control model to cloud resources. This can result in proliferation of deeply nested groups that can become very difficult to manage.

Your organization might also have policies that limit the number of groups that you can create so as to keep the user directory hierarchy reasonably flat. A better solution to prevent misconfiguration of IAM policies and limit growth of groups is to use multiple pools to create a broader separation of users from different organizational units and business units, and partner organizations. You can then reference these pools and groups contained within these pools to define IAM policies (see examples in the Configuring IAM step).

VPC Service Controls limitations

Workforce identity federation, workforce pool configuration APIs, and Security Token Service APIs don't support VPC Service Controls. However, Google Cloud products that workforce pool users can access support VPC Service Controls. To learn more, see VPC Service Controls's supported products and limitations page.

What's next