Stay organized with collections
Save and categorize content based on your preferences.
This article shows you how to configure Identity-Aware Proxy
(IAP) to use external identities. By combining
IAP and Identity Platform, you can authenticate users with a
wide range of identity providers (such as OAuth, SAML, OIDC, and more),
instead of just Google accounts.
Enabling and configuring Identity Platform
IAP uses Identity Platform to authenticate external identities.
See the Quickstart for Identity Platform
to learn how to enable it.
If you want to utilize multiple tenants, you'll also need to follow the steps in
Getting started with multi-tenancy.
If you don't need to isolate resources, you can skip this step and configure
all your providers at the project level. Consult the
overview on external identities if you're unsure if you
should turn on multi-tenancy.
Finally, you'll need to enable providers. The
quickstart shows how to use simple
username and password authentication, but Identity Platform supports a wide
range of provider types, including:
Email and password
OAuth (such as Google, Facebook, Twitter, and more)
SAML
OIDC
Phone number
Anonymous
See the rest of the Identity Platform documentation
to learn how to configure other providers. Note that phone number and anonymous
authentication are not supported for use with multi-tenancy.
Passwordless sign-in using an email link is not supported with
IAP.
Enabling IAP to use external identities
Once you've set up Identity Platform, you can configure IAP
to use it for authentication.
Select the same project that you configured Identity Platform with. Using
different projects is not supported.
Select the Applications tab.
Locate the service you want to restrict access to by using
IAP.
Toggle the switch in the IAP column to On.
In the side panel, click Start in the box labeled
Use external identities for authorization.
Confirm your selection.
In the Identity Platform side panel:
Choose whether to build your own sign-in page, or have
IAP create one for you.
Letting IAP create the sign-in page is the fastest
way to get started. You don't need to deploy additional services or
write any new code, and can specify minor customizations using JSON.
See Hosting an authentication UI on Cloud Run
to learn more.
If you chose to build your own UI, enter an Authentication URL.
IAP will redirect unauthenticated requests it
receives to this URL.
Including your API key in the URL is optional. If you don't provide a
key, the Google Cloud console will append your default key
automatically.
Select whether to use project providers or tenants.
Check the boxes of the providers or tenants to enable. Select
Configure providers if you need to modify your providers or tenants.
Click Save.
Congratulations! IAP is configured to authenticate users
with external identities.
Switching back to Google identities
You cannot use IAM for authorization when using external
identities. If you want to switch back to Google identities so you can
leverage IAM, follow these steps:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThis guide outlines how to configure Identity-Aware Proxy (IAP) to authenticate users using external identity providers like OAuth, SAML, OIDC, and others, beyond just Google accounts, by integrating with Identity Platform.\u003c/p\u003e\n"],["\u003cp\u003eIdentity Platform must be enabled and configured in the same project as IAP, and multi-tenancy setup may be necessary for resource isolation, depending on specific requirements.\u003c/p\u003e\n"],["\u003cp\u003eOnce Identity Platform is set up, IAP can be enabled for external identity authentication through the Google Cloud console, allowing users to choose between using a default IAP sign-in page or building a custom one.\u003c/p\u003e\n"],["\u003cp\u003eUsers can choose to use project providers or tenants and select which providers or tenants to enable within the IAP configuration settings to tailor the authentication experience.\u003c/p\u003e\n"],["\u003cp\u003eSwitching back from external identities to Google identities for IAP authentication is possible, but note that doing so will clear the authentication URL and any project or tenants settings.\u003c/p\u003e\n"]]],[],null,["# Enabling external identities\n\nThis article shows you how to configure Identity-Aware Proxy\n(IAP) to use external identities. By combining\nIAP and Identity Platform, you can authenticate users with a\nwide range of identity providers (such as OAuth, SAML, OIDC, and more),\ninstead of just Google accounts.\n\nEnabling and configuring Identity Platform\n------------------------------------------\n\nIAP uses Identity Platform to authenticate external identities.\nSee the [Quickstart for Identity Platform](/identity-platform/docs/quickstart-cicp)\nto learn how to enable it.\n\nIf you want to utilize multiple tenants, you'll also need to follow the steps in\n[Getting started with multi-tenancy](/identity-platform/docs/multi-tenancy-quickstart).\nIf you don't need to isolate resources, you can skip this step and configure\nall your providers at the project level. Consult the\n[overview on external identities](/iap/docs/external-identities) if you're unsure if you\nshould turn on multi-tenancy.\n\nFinally, you'll need to enable providers. The\n[quickstart](/identity-platform/docs/quickstart-cicp) shows how to use simple\nusername and password authentication, but Identity Platform supports a wide\nrange of provider types, including:\n\n- Email and password\n- OAuth (such as Google, Facebook, Twitter, and more)\n- SAML\n- OIDC\n- Phone number\n- Anonymous\n\nSee the rest of the [Identity Platform documentation](/identity-platform/docs)\nto learn how to configure other providers. Note that phone number and anonymous\nauthentication are not supported for use with multi-tenancy.\nPasswordless sign-in using an email link is not supported with\nIAP.\n\nEnabling IAP to use external identities\n---------------------------------------\n\nOnce you've set up Identity Platform, you can configure IAP\nto use it for authentication.\n\n1. Open the IAP page in the Google Cloud console. \n\n [Open the IAP page](https://console.cloud.google.com/security/iap)\n\n2. Select the same project that you configured Identity Platform with. Using\n different projects is not supported.\n\n3. Select the **Applications** tab.\n\n4. Locate the service you want to restrict access to by using\n IAP.\n\n5. Toggle the switch in the IAP column to **On**.\n\n6. In the side panel, click **Start** in the box labeled\n **Use external identities for authorization**.\n\n7. Confirm your selection.\n\n8. In the Identity Platform side panel:\n\n 1. Choose whether to build your own sign-in page, or have\n IAP create one for you.\n\n Letting IAP create the sign-in page is the fastest\n way to get started. You don't need to deploy additional services or\n write any new code, and can specify minor customizations using JSON.\n See [Hosting an authentication UI on Cloud Run](/iap/docs/cloud-run-sign-in)\n to learn more.\n\n **Domain restricted sharing:**\n If the project is subject to the [domain restricted sharing constraint in\n an organization policy](/resource-manager/docs/organization-policy/restricting-domains),\n you will be unable to create public services by\n default. You can use [tags](/run/docs/configuring/tags)\n and a conditional policy to exempt specific services from this constraint.\n For more information, see the blog post about\n [creating public Cloud Run services](https://cloud.google.com/blog/topics/developers-practitioners/how-create-public-cloud-run-services-when-domain-restricted-sharing-enforced)\n when domain restricted sharing is enforced.\n\n Building your own page is more complex, but gives you full control of\n the authentication flow and experience. See\n [Creating an authentication UI with FirebaseUI](/iap/docs/using-firebaseui) and\n [Creating a custom authentication UI](/iap/docs/create-custom-auth-ui)\n for more information.\n 2. If you chose to build your own UI, enter an **Authentication URL**.\n IAP will redirect unauthenticated requests it\n receives to this URL.\n\n Including your API key in the URL is optional. If you don't provide a\n key, the Google Cloud console will append your default key\n automatically.\n 3. Select whether to use **project providers** or **tenants**.\n\n 4. Check the boxes of the providers or tenants to enable. Select\n **Configure providers** if you need to modify your providers or tenants.\n\n9. Click **Save**.\n\nCongratulations! IAP is configured to authenticate users\nwith external identities.\n\nSwitching back to Google identities\n-----------------------------------\n\nYou cannot use IAM for authorization when using external\nidentities. If you want to switch back to Google identities so you can\nleverage IAM, follow these steps:\n\n1. Return to the IAP page in the Google Cloud console. \n\n [Open the IAP page](https://console.cloud.google.com/security/iap)\n\n2. Select the resource configured to use IAP.\n\n3. Open the Identity Platform information panel.\n\n4. Select **Use IAM to manage this resource**.\n\nNote that switching back to Google identities will clear your authentication URL\nand associated project and tenants.\n\nWhat's next\n-----------\n\n- [Host a sign-in page on Cloud Run](/iap/docs/cloud-run-sign-in).\n- [Create a sign-in page with FirebaseUI](/iap/docs/using-firebaseui).\n- [Create a custom sign-in page](/iap/docs/create-custom-auth-ui).\n- Gain a deeper understanding of how [external identities work with IAP](/iap/docs/external-identities)."]]
