This article describes the customization options available to Identity-Aware Proxy (IAP). Using various settings, you can control:
- Compatibility with Anthos and Istio on Google Kubernetes Engine.
- The handling of CORS preflight requests.
- How users are authenticated.
IAP provides the following customization settings:
||Control HTTP OPTIONS (CORS preflight).|
||Simplify login for users from a single domain.|
||Issue Istio-compatible RCTokens.|
||Use Identity Platform for authentication.|
You can apply settings at the project level, or at any lower IAP resource level.
Settings are only available for web-based IAP resources, not IAP for TCP forwarding.
The sections below provide more information on each setting.
Allowing HTTP OPTIONS (CORS preflight)
In some cases, browsers will automatically try a request, but discard the content of the response if it doesn't include an Access-Control-Allow-Origin header. To allow these types of requests, include this header in your app's responses.
In other cases, the browser will send a CORS preflight request, a type of HTTP OPTIONS request, before sending the cross-origin request. If your app doesn't respond with an appropriate preflight response (containing the Access-Control-* response headers), the browser will block the request with an error. Additionally, since preflight requests aren't sent with any authentication credentials (such as an IAP session cookie), IAP will also respond with an error.
To allow these requests:
- Add code to your app that responds to the
- Change the setting to true so that IAP passes OPTIONS requests through to your application.
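The preflight handling described above, as an added example that is not Google's or the page's own code: once IAP passes OPTIONS requests through, the app must answer them itself, and because the preflight arrives without credentials the app should validate the origin and requested method/headers rather than reflect them. The allowlisted origin, methods and headers below are constructed assumptions.

```python
"""Answer CORS preflight requests in an app behind IAP.

Added example, not Google's code: with allow_http_options set to true, IAP
forwards the unauthenticated OPTIONS request and the app must answer it.
The origin allowlist and permitted methods/headers are assumptions.
"""
from typing import Dict, Optional, Tuple

ALLOWED_ORIGINS = {"https://frontend.example.com"}     # constructed allowlist
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-requested-with"}  # compared lowercase


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Headers for a cross-origin response; empty if the origin is not allowed."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    # Echo the exact origin instead of "*": browsers reject the wildcard on
    # credentialed requests, and IAP-protected calls carry the session cookie.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def handle_request(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for one incoming request."""
    req = {k.lower(): v for k, v in headers.items()}
    base = cors_headers(req.get("origin"))
    if method != "OPTIONS" or "access-control-request-method" not in req:
        # Ordinary request: the real handler runs; just attach CORS headers.
        return 200, base
    # Preflight: refuse unknown origins, methods or request headers.
    if not base:
        return 403, {}
    wanted_method = req["access-control-request-method"].upper()
    wanted_headers = {h.strip().lower()
                      for h in req.get("access-control-request-headers", "").split(",")
                      if h.strip()}
    if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
        return 403, {}
    base.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",   # let the browser cache the preflight
    })
    return 204, base
```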
Authenticating using a G Suite domain
If only members of a specific G Suite domain will use your app, you can configure IAP to optimize the authentication flow. This has several benefits:
- If a user is signed in with multiple accounts (such as a work account and a personal account), the system will automatically select their work account instead of displaying the account selection UI.
- If a user isn't signed into their Google account, the sign-in UI will automatically fill the domain portion of their email address (meaning the user only needs to type email@example.com, for example).
- If your G Suite domain is configured to use a third-party single sign-on provider, the system will show that custom sign-in page instead of Google's.
To enable this behavior, set the value of access_settings.oauth_settings.login_hint to your G Suite domain name (such as
In general, enabling this setting will prevent users who aren't in the specified G Suite domain from connecting to your application. You can use programmatic authentication if you need to authenticate users outside the domain.
For more information, see the OpenID Connect documentation.
Issuing Anthos and Istio RCToken mesh IDs
If you're using Istio on GKE, you can configure IAP to produce an Istio-compatible RCToken. If this field is set to a non-empty string, IAP will add an Ingress-Authorization HTTP header containing an RCToken. The
will be set to the value of the field.
Authenticating with Identity Platform
By default, IAP uses Google's native identity system. If this field is set, IAP will use Identity Platform instead to authenticate users.
Settings inheritance in the resource hierarchy
IAP always evaluates requests for a specific web service version. This type of resource is at the lowest level of the resource hierarchy, which looks like this:
- Organization
- Folder
- Project
- All web services
- Web service type
- Web service
- Web service version
To determine the settings to apply for a web service version, IAP starts with a default set of values, and then walks the hierarchy from top to bottom. Settings are applied as they are found, so values set at a lower level override values set at a higher level.
For example, if access_settings.cors_settings.allow_http_options is set to true at the project level, but false at the service level, then the effective value will be
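The inheritance rule just described, as an added example that is not Google's or the page's own code: start from defaults, walk the hierarchy top to bottom, and let each lower level override what was set above it. The level names, default values and nested-dict shape of the settings are assumptions.

```python
"""Compute effective IAP settings by walking the resource hierarchy.

Added example, not Google's code: it models the rule stated above (start from
defaults, walk the hierarchy top to bottom, lower levels override higher ones).
Level names, default values and the nested-dict shape are assumptions.
"""
from copy import deepcopy
from typing import Any, Dict

# The hierarchy as IAP walks it, from top to bottom.
HIERARCHY = ["organization", "folder", "project", "all_web_services",
             "web_service_type", "web_service", "web_service_version"]

# Assumed defaults IAP starts from before any level is applied.
DEFAULTS: Dict[str, Any] = {
    "access_settings": {
        "cors_settings": {"allow_http_options": False},
        "oauth_settings": {"login_hint": ""},
    }
}


def merge(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Overlay `override` onto a copy of `base`, recursing into nested dicts."""
    out = deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = deepcopy(val)
    return out


def effective_settings(per_level: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """per_level maps a hierarchy level to the settings configured there.

    Levels with nothing configured are skipped; unknown names are an error."""
    unknown = set(per_level) - set(HIERARCHY)
    if unknown:
        raise ValueError(f"unknown hierarchy level(s): {sorted(unknown)}")
    result = deepcopy(DEFAULTS)
    for level in HIERARCHY:            # top to bottom, so the lowest level wins
        if level in per_level:
            result = merge(result, per_level[level])
    return result
```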
See Resources and permissions to learn more about the IAP resource hierarchy.
Access control for settings
Specific permissions are required to view and modify IAP settings. The table below lists the permissions required to read and modify settings for each resource type. See Resources and permissions for a description of the different resource types.
|Resource||Permission for viewing settings||Permission for modifying settings|
|All web services||
|Web service type||
|Web Service version||
The IAP Settings Admin (roles/iap.settingsAdmin) role grants all of these permissions, as does Project Editor (roles/editor). Project Viewer (roles/viewer) grants all
To learn more about granting Cloud IAM roles, see Granting, changing, and revoking access.
You can view and update settings using the IAP API. Combine the :iapSettings path suffix, a resource path (as detailed in Resources and permissions), and an appropriate HTTP method to get or modify a setting. Configuring settings using the Cloud Console or command-line tool is not currently supported.
For instance, a GET request to the following URL returns the settings for a resource in a Google Cloud project, while a PATCH request updates its
To get or update settings for a folder or organization: