Jump to

Workforce Identity Federation

Provide employees and your extended workforce with secure access to Google Cloud services and resources using your existing identity management solutions.

Get started

  • Authenticate and authorize workforce using an external identity provider

  • Flexible onboarding for employees, partners, and contractors to access Google Cloud

  • Uses an identity federation approach instead of directory synchronization

Workforce Identity Federation

VIDEO

Authenticating users with Workforce Identity Federation

4:12

Benefits

Easily onboard users from external identity providers

Easily onboard users to access Google Cloud from identity provider systems without the need for synchronizing identities or performing domain verification.

Attribute-based authorization for cloud resources

Supports attributes defined in external identity provider and uses the attribute information to determine the scope of user access to Google Cloud resources.

Helps address regulatory and compliance requirements

Leverages customer's existing identity investments that address compliance mandates and minimizes overhead for addressing identity regulatory requirements.

Key features

Seamless experience for users, easy access management for administrators

Syncless authentication

Workforce Identity Federation uses an identity federation approach instead of directory synchronization. 

Workforce Identity Federation workflow

Workforce identity pools

Workforce Identity Federation pools let you manage groups of workforce identities and control their access to Google Cloud resources.

Supports multiple identity protocols and providers

Supports multiple identity protocols like OpenID Connect (OIDC) or SAML 2.0 and multiple identity providers (IdPs) per identity pool including Okta, Ping Identity, Active Directory Federation Services, and Azure Active Directory.

Vmware logo
VMware runs its own IdP and we needed a solution to allow our developers to access their Google Cloud projects. Syncing of user identities outside of our IdP is not permitted per our InfoSec policies and we deployed Workforce Identity Federation to fulfill our identity requirements. Workforce Identity Federation meets our needs with a solution that is robust and straightforward to configure.

Thiru Bhat, Director at VMware

Documentation

Resources and documentation

Tutorial

Workforce Identity Federation overview

Get an overview of Workforce Identity Federation and how to get started using it in your Google Cloud environment.

Learn more
Tutorial

Configuring Workforce Identity Federation

Learn how to configure Workforce Identity Federation with an external identity provider that supports OIDC or SAML 2.0.

Learn more
Tutorial

Manage workforce identity pools and providers

A workforce identity pool provider is an entity that describes a relationship between your Google Cloud organization and your identity provider.

Learn more
Tutorial

Products that support Workforce Identity Federation

Check out the list of Google Cloud products that support Workforce Identity Federation.

Learn more
Tutorial

Workforce Identity Federation pool examples

See examples for creating workforce pools and how to set up your workforce pools and identity providers to access Google Cloud resources.

Learn more

Not seeing what you’re looking for?

View all product documentation

Use cases

Use cases

Use case
Employee sign-in and authorization

Workforce Identity Federation can enable your organization's users to access Google Cloud through the same login experience they already use for their existing IdP for single sign-on. It can enable fine-grained access through attribute mapping and attribute conditions.  Admins can configure attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on attributes.

Use case
Secure access for partners and vendors

Workforce Identity Federation can enable enterprises to selectively federate users from partner or vendor IdPs without requiring IT teams to sync or create a separate identity store to use Google Cloud resources. Enterprises can create a separate workforce pool for the partner or vendor’s administrator, who can then use their own IdP to grant access to their workforce.

View all technical guides

All features

All features

Workforce identity pool

Helps manage groups of workforce identities and define policies on a group of users (for example, employees or partners) that require similar access permissions.

Attribute-based access

Fine-grained access through attribute mapping and attribute conditions. Attribute mapping lets you map identity attributes defined in your IdP to attributes that Google Cloud can use. Your administrators can configure Google Cloud with attribute conditions to authenticate conditionally—to let only a subset of external identities authenticate to your Google Cloud project based on attributes.

Programmatic access

Allows programmatic access to Google Cloud Services and resources through API / CLI (gcloud, bq, gsutil) and client SDK supported in five languages (Node.js, Java, Python, Go, and C++).

Federated console sign-in

Allows access to Google Cloud services for workforce user authentication, via cloud console. Both SAML and OpenID Connect standard based SSO flows are supported.

SAML encryption

SAML token encryption enables the use of encrypted SAML assertions. When configured, Workforce Identity Federation will encrypt the SAML assertions using the public key from certificate stored in IdP.

Pluggable authentication

A mechanism to integrate and introduce an alternate authentication scheme for use with Workforce Identity Federation. Allows customers to develop their own plugins to retrieve IdP token on-demand without requiring a continuous local process to be running.

Cloud audit logging

Records activities in Cloud Access Logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources.

Infrastructure-as-code support

Allows Workforce Identity Federation configurations to be defined in a declarative way and stored in a source control system. 

Pricing

Pricing

Workforce Identity Federation is free of charge.

View pricing details

Partners

Identity providers

Workforce Identity Federation enables user identities in third-party identity providers with direct, secure access to Google Cloud services and resources.

  • Forgerock logo
  • Logo of ping identity company
  • Jump cloud company logo
  • Okta logo
See all partners

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Get started for free
Google Cloud
send_spark
    DocsSupport
    • ‪English‬
    • ‪Deutsch‬
    • ‪Español‬
    • ‪Español (Latinoamérica)‬
    • ‪Français‬
    • ‪Indonesia‬
    • ‪Italiano‬
    • ‪Português (Brasil)‬
    • ‪简体中文‬
    • ‪繁體中文‬
    • ‪日本語‬
    • ‪한국어‬
    Console
    Sign in
    Start free
    Contact Us
    • Accelerate your digital transformation
    • Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.
    • Google Cloud products
    • Browse over 100 products. New customers get $300 in free credits to run, test, and deploy workloads. All customers can use 25+ products for free, up to monthly usage limits.
    • Save money with our transparent approach to pricing
    • Google Cloud's pay-as-you-go pricing offers automatic savings based on monthly usage and discounted rates for prepaid resources. Contact us today to get a quote.
    Google Cloud