Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to configure Identity-Aware Proxy (IAP) as an
authentication proxy.
When you configure an IAP policy to allow all users access to an
application, IAP does not check user authentication
credentials. If you want to use IAP as an authentication proxy,
and have users authenticate when accessing a resource, you must set the
IAP mode to Force_Login.
Configure IAP as an authentication proxy
To configure IAP as an authentication proxy, complete the
following steps:
Follow the IAP How-to guides
documentation to enable IAP on a resource.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Use IAP as an authentication proxy\n\nThis page describes how to configure Identity-Aware Proxy (IAP) as an\nauthentication proxy.\n\nWhen you configure an IAP policy to allow all users access to an\napplication, IAP does not check user authentication\ncredentials. If you want to use IAP as an authentication proxy,\nand have users authenticate when accessing a resource, you must set the\nIAP mode to `Force_Login`.\n\nConfigure IAP as an authentication proxy\n----------------------------------------\n\nTo configure IAP as an authentication proxy, complete the\nfollowing steps:\n\n1. Follow the IAP [How-to guides](/iap/docs/how-to)\n documentation to enable IAP on a resource.\n\n2. Go to the IAP page.\n\n\n [Go to Identity-Aware Proxy](https://console.cloud.google.com/security/iap/)\n\n3. Select a resource, and then click **Add Member**.\n\n4. Add the **IAP-secured Web App User** role to `allUsers` to make the resource\n publicly accessible.\n\n5. To have IAP authenticate users, ensure that your request to\n the application is in the following format:\n\n \u003cvar translate=\"no\"\u003eYOUR_APP_URL\u003c/var\u003e`?gcp-iap-mode=FORCE_LOGIN`\n\n This enforces authentication to all incoming requests and\n redirects the request to `YOUR_APP_URL` after successful authentication."]]
