Manage IAP with Workforce Identity Federation sessions
Stay organized with collections
Save and categorize content based on your preferences.
This page provides guidance for managing Identity-Aware Proxy (IAP) with
Workforce Identity Federation sessions.
When you set up a workforce pool, you can specify the session duration
between Google Cloud and an IdP. You can specify the session
duration to be between 15 minutes and 12 hours. This setting is also the length
of the IAP session cookie. The default session duration time is
one hour.
When a session expires, the end user is redirected to third-party IdP to sign
in. If the third-party IdP session is still active, sign-in is silent.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eThis page details how to manage Identity-Aware Proxy (IAP) sessions in the context of Workforce Identity Federation.\u003c/p\u003e\n"],["\u003cp\u003eSession duration between Google Cloud and an IdP can be set from 15 minutes to 12 hours, which also determines the IAP session cookie length.\u003c/p\u003e\n"],["\u003cp\u003eThe default IAP session duration when using Workforce Identity Federation is one hour.\u003c/p\u003e\n"],["\u003cp\u003eExpired sessions redirect users to their third-party IdP for sign-in, and if the IdP session is active, sign-in is silent.\u003c/p\u003e\n"],["\u003cp\u003eAJAX requests can also be used to establish a session when working with Workforce Identity Federation.\u003c/p\u003e\n"]]],[],null,["# Manage IAP with Workforce Identity Federation sessions\n\nThis page provides guidance for managing Identity-Aware Proxy (IAP) with\nWorkforce Identity Federation sessions.\n\nWhen you set up a workforce pool, you can specify the session duration\nbetween Google Cloud and an IdP. You can specify the session\nduration to be between 15 minutes and 12 hours. This setting is also the length\nof the IAP session cookie. The default session duration time is\none hour.\n\nWhen a session expires, the end user is redirected to third-party IdP to sign\nin. If the third-party IdP session is still active, sign-in is silent.\n\nFor more information about setting the session duration time,\nsee [Manage workforce identity pool providers](/iam/docs/manage-workforce-identity-pools-providers).\n\nEstablish a session using an AJAX request\n-----------------------------------------\n\nWhen working with Workforce Identity Federation, you can also make AJAX\nrequests to establish a session.\nSee [AJAX requests](/iap/docs/sessions-howto#ajax_requests) for more information."]]
