Workforce Identity Federation
Provide employees and your extended workforce with secure access to Google Cloud services and resources using your existing identity management solutions.
Authenticate and authorize workforce using an external identity provider
Flexible onboarding for employees, partners, and contractors to access Google Cloud
Uses an identity federation approach instead of directory synchronization
Easily onboard users from external identity providers
Easily onboard users to access Google Cloud from identity provider systems without the need for synchronizing identities or performing domain verification.
Attribute-based authorization for cloud resources
Supports attributes defined in external identity provider and uses the attribute information to determine the scope of user access to Google Cloud resources.
Helps address regulatory and compliance requirements
Leverages customer's existing identity investments that address compliance mandates and minimizes overhead for addressing identity regulatory requirements.
Seamless experience for users, easy access management for administrators
Workforce Identity Federation uses an identity federation approach instead of directory synchronization.
Workforce identity pools
Workforce Identity Federation pools let you manage groups of workforce identities and control their access to Google Cloud resources.
Supports multiple identity protocols and providers
Supports multiple identity protocols like OpenID Connect (OIDC) or SAML 2.0 and multiple identity providers (IdPs) per identity pool including Okta, Ping Identity, Active Directory Federation Services, and Azure Active Directory.
"VMware runs its own IdP and we needed a solution to allow our developers to access their Google Cloud projects. Syncing of user identities outside of our IdP is not permitted per our InfoSec policies and we deployed Workforce Identity Federation to fulfill our identity requirements. Workforce Identity Federation meets our needs with a solution that is robust and straightforward to configure."
Thiru Bhat, Director at VMware
Resources and documentation
Workforce Identity Federation overview
Get an overview of Workforce Identity Federation and how to get started using it in your Google Cloud environment.
Configuring Workforce Identity Federation
Learn how to configure Workforce Identity Federation with an external identity provider that supports OIDC or SAML 2.0.
Manage workforce identity pools and providers
A workforce identity pool provider is an entity that describes a relationship between your Google Cloud organization and your identity provider.
Products that support Workforce Identity Federation
Check out the list of Google Cloud products that support Workforce Identity Federation.
Workforce Identity Federation pool examples
See examples for creating workforce pools and how to set up your workforce pools and identity providers to access Google Cloud resources.
Workforce Identity Federation can enable your organization's users to access Google Cloud through the same login experience they already use for their existing IdP for single sign-on. It can enable fine-grained access through attribute mapping and attribute conditions. Admins can configure attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on attributes.
Workforce Identity Federation can enable enterprises to selectively federate users from partner or vendor IdPs without requiring IT teams to sync or create a separate identity store to use Google Cloud resources. Enterprises can create a separate workforce pool for the partner or vendor’s administrator, who can then use their own IdP to grant access to their workforce.
| Feature | Description |
|---|---|
| Workforce identity pool | Helps manage groups of workforce identities and define policies on a group of users (for example, employees or partners) that require similar access permissions. |
| Attribute-based access | Fine-grained access through attribute mapping and attribute conditions. Attribute mapping lets you map identity attributes defined in your IdP to attributes that Google Cloud can use. Your administrators can configure Google Cloud with attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on attributes. |
| Programmatic access | Allows programmatic access to Google Cloud services and resources through the API and CLI (gcloud, bq, gsutil) and through client SDKs supported in five languages (Node.js, Java, Python, Go, and C++). |
| Federated console sign-in | Allows workforce users to authenticate and access Google Cloud services via the Cloud console. Both SAML and OpenID Connect standards-based SSO flows are supported. |
| SAML encryption | SAML token encryption enables the use of encrypted SAML assertions. When configured, Workforce Identity Federation will encrypt the SAML assertions using the public key from the certificate stored in the IdP. |
| Pluggable authentication | A mechanism to integrate and introduce an alternate authentication scheme for use with Workforce Identity Federation. Allows customers to develop their own plugins to retrieve IdP tokens on demand without requiring a continuous local process to be running. |
| Cloud audit logging | Records activities in Cloud Access Logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources. |
| Infrastructure-as-code support | Allows Workforce Identity Federation configurations to be defined in a declarative way and stored in a source control system. |
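The attribute mapping, attribute condition and infrastructure-as-code features described above, shown together as an added example (not taken from this page or from Google's documentation). It assumes the Terraform `google` provider; every ID, the issuer URI, the claim names and the group and department values are placeholders.

```hcl
# Added example: all IDs, URIs, claim names and values below are placeholders.
resource "google_iam_workforce_pool" "partners" {
  parent            = "organizations/ORGANIZATION_ID"
  location          = "global"
  workforce_pool_id = "example-partner-pool"
}

resource "google_iam_workforce_pool_provider" "partner_oidc" {
  workforce_pool_id = google_iam_workforce_pool.partners.workforce_pool_id
  location          = google_iam_workforce_pool.partners.location
  provider_id       = "example-partner-oidc"

  # Attribute mapping: IdP token claims -> attributes Google Cloud can use.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "google.groups"        = "assertion.groups"
    "attribute.department" = "assertion.department"
  }

  # Attribute condition (CEL expression). If this is omitted, every identity
  # the IdP issues a valid token for can authenticate to the pool; with it,
  # only members of the named IdP group can.
  attribute_condition = "'gcp-engineering' in assertion.groups"

  oidc {
    issuer_uri = "https://idp.example.com"
    client_id  = "EXAMPLE_CLIENT_ID"
    web_sso_config {
      response_type             = "ID_TOKEN"
      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
    }
  }
}

# Access is granted on a mapped attribute value rather than per user, so
# changes to the attribute in the IdP change who holds the role.
resource "google_project_iam_member" "engineering_viewer" {
  project = "EXAMPLE_PROJECT_ID"
  role    = "roles/storage.objectViewer"
  member  = "principalSet://iam.googleapis.com/locations/global/workforcePools/example-partner-pool/attribute.department/engineering"
}
```

Because the condition gates authentication and the IAM binding gates authorization, review both in source control: a loosened condition widens who can sign in even when no IAM policy changes.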
Workforce Identity Federation is free of charge.