Use IAP as an authentication proxy

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to configure Identity-Aware Proxy (IAP) as an authentication proxy.

When you configure an IAP policy to allow all users access to an application, IAP does not check user authentication credentials. If you want to use IAP as an authentication proxy, and have users authenticate when accessing a resource, you must set the IAP mode to Force_Login.

Configure IAP as an authentication proxy

To configure IAP as an authentication proxy, complete the following steps:

  1. Follow the IAP How-to guides documentation to enable IAP on a resource.

  2. Go to the IAP page.
    Go to Identity-Aware Proxy

  3. Select a resource, and then click Add Member.

  4. Add the IAP-secured Web App User role to allUsers to make the resource publicly accessible.

  5. To have IAP authenticate users, ensure that your request to the application is in the following format: target_domain + ?gcp-iap- mode=FORCE_LOGIN. This enforces authentication to all incoming requests and redirects the request to target_domain after successful authentication.