Workforce Identity Federation

Provide employees and your extended workforce with secure access to Google Cloud services and resources using your existing identity management solutions.

  • Authenticate and authorize workforce using an external identity provider

  • Flexible onboarding for employees, partners, and contractors to access Google Cloud

  • Uses an identity federation approach instead of directory synchronization


Easily onboard users from external identity providers

Easily onboard users to access Google Cloud from identity provider systems without the need for synchronizing identities or performing domain verification.

Attribute-based authorization for cloud resources

Supports attributes defined in an external identity provider and uses that attribute information to determine the scope of a user's access to Google Cloud resources.

Helps address regulatory and compliance requirements

Leverages the customer's existing identity investments that already address compliance mandates, and minimizes the overhead of meeting identity-related regulatory requirements.

Key features

Seamless experience for users, easy access management for administrators

Syncless authentication

Workforce Identity Federation uses an identity federation approach instead of directory synchronization.

Workforce Identity Federation workflow

Workforce identity pools

Workforce Identity Federation pools let you manage groups of workforce identities and control their access to Google Cloud resources.

Supports multiple identity protocols and providers

Supports multiple identity protocols, such as OpenID Connect (OIDC) and SAML 2.0, and multiple identity providers (IdPs) per identity pool, including Okta, Ping Identity, Active Directory Federation Services, and Azure Active Directory.


"VMware runs its own IdP and we needed a solution to allow our developers to access their Google Cloud projects. Syncing of user identities outside of our IdP is not permitted per our InfoSec policies and we deployed Workforce Identity Federation to fulfill our identity requirements. Workforce Identity Federation meets our needs with a solution that is robust and straightforward to configure."

Thiru Bhat, Director at VMware


Resources and documentation

Workforce Identity Federation overview

Get an overview of Workforce Identity Federation and how to get started using it in your Google Cloud environment.

Configuring Workforce Identity Federation

Learn how to configure Workforce Identity Federation with an external identity provider that supports OIDC or SAML 2.0.

Manage workforce identity pools and providers

A workforce identity pool provider is an entity that describes a relationship between your Google Cloud organization and your identity provider.

Products that support Workforce Identity Federation

Check out the list of Google Cloud products that support Workforce Identity Federation.

Workforce Identity Federation pool examples

See examples for creating workforce pools and how to set up your workforce pools and identity providers to access Google Cloud resources.

Use cases

Employee sign-in and authorization

Workforce Identity Federation can enable your organization's users to access Google Cloud through the same single sign-on login experience they already use with their existing IdP. It can enable fine-grained access through attribute mapping and attribute conditions. Admins can configure attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on their attributes.

Secure access for partners and vendors

Workforce Identity Federation can enable enterprises to selectively federate users from partner or vendor IdPs without requiring IT teams to sync or create a separate identity store to use Google Cloud resources. Enterprises can create a separate workforce pool for the partner or vendor’s administrator, who can then use their own IdP to grant access to their workforce.

All features

  • Workforce identity pool: Helps manage groups of workforce identities and define policies on a group of users (for example, employees or partners) that require similar access permissions.

  • Attribute-based access: Fine-grained access through attribute mapping and attribute conditions. Attribute mapping lets you map identity attributes defined in your IdP to attributes that Google Cloud can use. Your administrators can configure Google Cloud with attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on attributes.

  • Programmatic access: Allows programmatic access to Google Cloud services and resources through the API and CLI (gcloud, bq, gsutil) and through client SDKs supported in five languages (Node.js, Java, Python, Go, and C++).

  • Federated console sign-in: Allows workforce users to authenticate to Google Cloud services via the Cloud console. Both SAML and OpenID Connect standards-based SSO flows are supported.

  • SAML encryption: SAML token encryption enables the use of encrypted SAML assertions. When configured, Workforce Identity Federation encrypts the SAML assertions using the public key from the certificate stored in the IdP.

  • Pluggable authentication: A mechanism to integrate and introduce an alternate authentication scheme for use with Workforce Identity Federation. Allows customers to develop their own plugins to retrieve an IdP token on demand without requiring a continuous local process to be running.

  • Cloud audit logging: Records activities in Cloud Access Logs to help you answer the questions "Who did what, where, and when?" within your Google Cloud resources.

  • Infrastructure-as-code support: Allows Workforce Identity Federation configurations to be defined declaratively and stored in a source control system.
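The following Terraform configuration is an added example, not code from the Google Cloud page or from Google. It ties together the "Workforce identity pool", "Attribute-based access" and "Infrastructure-as-code support" items above and the employee sign-in use case: one pool for employees, one OIDC provider whose attribute mapping exposes the IdP's subject and groups to Google Cloud and whose attribute condition admits only a subset of identities, and one IAM binding granted to a federated group instead of to individual users. The organization ID, project ID, issuer URI, client ID and group name are placeholders, and the resource arguments and the principalSet member format are as the editor knows them from the Terraform Google provider and IAM, not taken from this page.

```hcl
# Added example (not from the Google Cloud page): a workforce pool, an OIDC
# provider with attribute mapping and an attribute condition, and one IAM
# binding granted to a federated group. All identifiers below are placeholders.

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  type        = string
  default     = "123456789012"
}

# Pool: one per population of users that needs similar access (employees here).
resource "google_iam_workforce_pool" "employees" {
  workforce_pool_id = "example-employees"
  parent            = "organizations/${var.org_id}"
  location          = "global"
  display_name      = "Employees (example)"
  session_duration  = "3600s" # short sessions limit the value of a stolen token
}

# Provider: the trust relationship with an external OIDC IdP (placeholder issuer).
resource "google_iam_workforce_pool_provider" "example_idp" {
  workforce_pool_id = google_iam_workforce_pool.employees.workforce_pool_id
  location          = google_iam_workforce_pool.employees.location
  provider_id       = "example-oidc"
  display_name      = "Example OIDC IdP"

  # Attribute mapping: CEL expressions over the IdP assertion. google.subject is
  # required; google.groups makes IdP groups usable as IAM principal sets.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "google.groups"        = "assertion.groups"
    "attribute.department" = "assertion.department"
  }

  # Attribute condition: only identities for which this CEL expression is true
  # may authenticate through the provider at all (a verified address in the
  # cloud-engineering group, in this example).
  attribute_condition = "'cloud-engineering' in assertion.groups && assertion.email_verified == true"

  oidc {
    issuer_uri = "https://idp.example.com" # placeholder issuer
    client_id  = "example-client-id"       # placeholder client ID
    web_sso_config {
      response_type             = "ID_TOKEN"
      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
    }
  }
}

# Grant a role to the federated group rather than to individual users; adding
# or removing a user from the group in the IdP changes their access here.
resource "google_project_iam_member" "engineers_viewer" {
  project = "example-project" # placeholder project ID
  role    = "roles/viewer"
  member  = "principalSet://iam.googleapis.com/locations/global/workforcePools/${google_iam_workforce_pool.employees.workforce_pool_id}/group/cloud-engineering"
}
```

The condition and the binding do different jobs: the attribute condition decides who may authenticate through the provider at all, while the IAM binding decides what an authenticated member of a mapped group may do. Keeping both in source control means a change to either shows up in review history, which is the point of the infrastructure-as-code item above.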



Workforce Identity Federation is free of charge.


Identity providers

Workforce Identity Federation enables user identities in third-party identity providers with direct, secure access to Google Cloud services and resources.