Identities for users

This page describes the ways that you can configure identities for users in your organization so that they can access Google Cloud. It doesn't discuss the identities that your customers use to authenticate to your application. To learn about how to authenticate customers to your application, see the Identity Platform documentation, which discusses customer identity and access management (CIAM).

For users to access Google Cloud, they need an identity that Google Cloud can recognize. There are several ways to configure identities so that Google Cloud can recognize them:

Cloud Identity or Google Workspace accounts

You can use Cloud Identity or Google Workspace to create managed user accounts. These accounts are called managed accounts because you control their lifecycle and configuration. Users with these accounts can authenticate to Google Cloud and be authorized to use Google Cloud resources.

Cloud Identity and Google Workspace share a common technical platform. Both products offer similar features for managing users, groups, and authentication.

Only Cloud Identity or Google Workspace managed Super Admin accounts can invite users with unmanaged consumer accounts to transfer their consumer accounts to managed accounts.

To get started with Cloud Identity or Google Workspace, you can do the following:

Federated user identities

You can federate identities to allow users to use their existing identity and credentials to sign in to Google services. There are several methods to federate identities in Google Cloud.

Federation using Cloud Identity or Google Workspace

When you federate identities with Cloud Identity or Google Workspace, users aren't prompted to enter a password when they try to access Google services. Instead, you can redirect them to an external identity provider (IdP) to authenticate.

To use this type of identity federation, a user must have an external identity in the external IdP and a corresponding Google Account in Cloud Identity or Google Workspace, typically with the same email address. You can keep these accounts synchronized by using a tool like Google Cloud Directory Sync (GCDS) or by provisioning accounts using an external authoritative source. For example, you could set up account provisioning with Microsoft Entra ID or Active Directory.

To learn more about federation using Cloud Identity or Google Workspace, see Single sign-on.

Workforce Identity Federation

Workforce Identity Federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services. With Workforce Identity Federation you don't need to synchronize user identities from your existing IdP to Google Cloud identities, as you would with Cloud Identity's Google Cloud Directory Sync (GCDS). Workforce Identity Federation extends Google Cloud's identity capabilities to support syncless, attribute-based single sign-on.

To learn more about Workforce Identity Federation, see Workforce Identity Federation overview.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.