This article describes the customization options available to Identity-Aware Proxy (IAP). Using various settings, you can control:
- Compatibility with Anthos and Istio on Google Kubernetes Engine.
- The handling of CORS preflight requests.
- How users are authenticated.
- The error page shown to users when access is denied.
IAP provides the following customization settings:
||Control HTTP OPTIONS (CORS preflight)|
||Simplify login for users of a G Suite domain|
||Show a custom error page when access is denied|
||Issue Anthos and Istio RCTokens|
||Authenticate with Identity Platform|
You can apply settings at the project level, or at any lower IAP resource level.
Settings are only available for web-based IAP resources, not IAP for TCP forwarding.
The sections below provide more information on each setting.
Allowing HTTP OPTIONS (CORS preflight)
In some cases,
browsers will automatically try a request, but discard the content of the
response if it doesn't include an
Access-Control-Allow-Origin header. To allow
these types of requests, include this header in your app's responses.
In other cases, the browser will send a
CORS preflight request,
a type of HTTP
OPTIONS request, before sending the cross-origin request. If
your app doesn't response with an appropriate preflight response (containing the
Access-Control-* response headers), the browser will block the
request with an error. Additionally, since preflight requests aren't sent with
any authentication credentials (such as a IAP session
cookie), IAP will also respond with an error.
To allow these requests:
Add code to your app that responds to the
Change the setting
trueso that IAP passes
OPTIONSrequests through to your application.
Authenticating using a G Suite domain
If only members of a specific G Suite domain will use your app, you can configure IAP to optimize the authentication flow. This has several benefits:
If a user is signed in with multiple accounts (such as work account and a personal account), the system will automatically select their work account instead of displaying the account selection UI.
If a user isn't signed into their Google account, the sign-in UI will automatically fill the domain portion of their email address (meaning the user only needs to type
firstname.lastname@example.org, for example).
If your G Suite domain is configured to use a third-party single sign-on provider, the system will show that custom sign-in page instead of Google's.
To enable this behavior, set the value of
access_settings.oauth_settings.login_hint to your G Suite
domain name (such as
In general, enabling this setting will prevent users who aren't in the specified G Suite domain from connecting to your application. You can use programmatic authentication if you need to authenticate users outside the domain.
For more information, see the OpenID Connect documentation.
Redirecting to a custom "access denied" error page
You can set a URL in this field that redirects users to a custom page instead of the default IAP error page whenever access is denied by a policy.
Issuing Anthos and Istio RCToken mesh IDs
If you're using Istio on
GKE, you can configure
IAP to produce an Istio-compatible RCToken. If this field is
set to a non-empty string, IAP will add an
Ingress-Authorization HTTP header containing an RCToken. The
will be set to the value of the field.
Authenticating with Identity Platform
By default, IAP uses Google's native identity system. If this field is set, IAP will use Identity Platform instead to authenticate users.
Settings inheritance in the resource hierarchy
IAP always evaluates requests for a specific web service version. This type of resource is at the lowest level of the resource hierarchy, which looks like this:
- Organization - Folder - Project - All web services - Web service type - Web service - Web service version
To determine the settings to apply for a web service version,
IAP starts with a default set of values, and then
walks the hierarchy from top to bottom. Settings are applied as they are found,
so values set at a lower level overrides values set at a higher level.
For example, if
access_settings.cors_settings.allow_http_options is set to
true at the project level, but
false at the service level, then effective
value will be
See Resources and permissions to learn more about the IAP resource hierarchy.
Access control for settings
Specific permissions are required to view and modify IAP settings. The table below lists the permissions required to read and modify settings for each resource type. See Resources and permissions for a description of the different resource types.
|Resource||Permission for viewing settings||Permission for modifying settings|
|All web services||
|Web service type||
|Web Service version||
The IAP Settings Admin (
roles/iap.settingsAdmin) role grants all of these
permissions, as does Project Editor (
roles/editor). Project Viewer
roles/viewer) grants all
To learn more about granting Cloud IAM roles, see Granting, changing, and revoking access.
You can view and update settings using the Cloud Console, the
IAP API, or the
gcloud command-line tool.
To manage settings in IAP:
To view and modify settings using the Cloud Console:
- To get settings for a project, folder, or organization, use the following
commands. See the
gcloud iap settings gettopic for more information::
gcloud iap settings get --project=PROJECT-ID
gcloud iap settings get --folder=FOLDER-ID
gcloud iap settings get --organization=ORGANIZATION-ID
- To get settings for a specific IAP resource type under a project:
gcloud iap settings get --project=PROJECT-ID \ --resource-type=RESOURCE-TYPE-NAME
- To set settings for a project, folder, or organization, or an
IAP resource type under a project, create a JSON or
YAML file that contains the desired new settings and specify the path to
the file. See the
gcloud iap settings settopic for more information:
gcloud iap settings set SETTING_FILE --project=PROJECT-ID \ --resource-type=RESOURCE-TYPE-NAME
To get and modify settings using the IAP API, make
requests using either the
PATCH HTTP verbs to the desired
resource endpoint in Google Cloud. Combine the
suffix, a resource path (as detailed in
Resources and permissions),
and an appropriate HTTP method to get or modify a setting. See
for more information:
- To get or set settings for a specific IAP resource type under a project:
- To get or set settings for a project:
- To get or set settings for a folder:
- To get or set settings for an organization: