Set up user access to the console (federated)
This guide shows you how to set up access to the Google Cloud Workforce Identity Federation console, also known as the console (federated), from your identity provider (IdP) and shows you how to provide access instructions to your users.
Before you begin
Configure Workforce Identity Federation in your Google Cloud organization, including a workforce identity pool and a workforce identity pool provider. Alternatively, if you use one of the following IdPs, see the IdP-specific guides for more information:
Note your workforce identity pool provider name, which you use later in this guide.
Set up redirect URLs in your IdP
You can configure your IdP to post an IdP response and redirect your user to the console (federated) after your user authenticates. To do this, you must configure a redirect URL and set it in your IdP configuration.
To create the redirect URL, do the following:
1. Share the name of the workforce identity pool provider with your users. It is formatted as follows:

locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID

Replace the following:
WORKFORCE_POOL_ID: the workforce identity pool ID.
WORKFORCE_PROVIDER_ID: the workforce identity provider ID.

2. Create the redirect URL. It is formatted as follows:

https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID

3. Configure your IdP with the redirect URL. In your IdP, enter the redirect URL. The field into which you enter the URL can vary.
OIDC
In your IdP, the field might be called Redirect URL or Callback URL. Your IdP sends the response and name token to this URL.
SAML
In your IdP, the field might be called Single sign-on URL or SAML assertion consumer service (ACS) URL. Your IdP posts the SAML assertion to this URL.
If you want to enable IdP-initiated login with your SAML provider, enter the following URL in the Default RelayState setting, or its equivalent. The IdP redirects your user to this URL after your user successfully authenticates:
https://console.cloud.google/
Inform your users how to sign in
This section describes the different ways your users can sign in to the console (federated).
Start the sign-in process using an SSO link
To start the sign-in process with your IdP, you can share a link with your users that redirects them to your IdP without prompting them for the provider name. After users successfully log in, they are automatically redirected to the console (federated).
To use this method, send the following login link to your users:
https://auth.cloud.google/signin/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID?continueUrl=https://console.cloud.google/
Start the sign-in process using the console (federated)
To start the sign-in process at the console (federated), do the following:
Provide your users with your workforce identity pool provider name described earlier in this document.
Provide your users with the following link to the console (federated):
https://console.cloud.google/
When your users first access the console (federated), they are prompted to enter the workforce identity pool provider name. They are then redirected to your IdP to authenticate. After they authenticate, they are redirected back to the console (federated).
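The provider name, redirect URL and SSO link above are all derived from the same two IDs, and a redirect URL that an IdP admin mistypes (wrong scheme, trailing slash, wrong provider ID) silently breaks the callback. This added example, not part of the Google Cloud documentation, composes the three values and checks a configured IdP callback against the expected one; the pool and provider IDs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample IDs; replace them with your own pool and provider IDs.
POOL_ID, PROVIDER_ID = "example-pool", "example-oidc"
AUTH_HOST = "auth.cloud.google"
CONSOLE_URL = "https://console.cloud.google/"

def provider_name(pool_id: str, provider_id: str) -> str:
    """Provider name users enter at the console (federated) sign-in prompt."""
    return f"locations/global/workforcePools/{pool_id}/providers/{provider_id}"

def redirect_url(pool_id: str, provider_id: str) -> str:
    """Callback / ACS URL to enter in the IdP configuration."""
    return f"https://{AUTH_HOST}/signin-callback/{provider_name(pool_id, provider_id)}"

def sso_link(pool_id: str, provider_id: str) -> str:
    """Link that sends users to the IdP and then on to the console (federated)."""
    return (f"https://{AUTH_HOST}/signin/{provider_name(pool_id, provider_id)}"
            f"?continueUrl={CONSOLE_URL}")

def check_idp_redirect(configured: str, pool_id: str, provider_id: str) -> list:
    """Compare the URL an IdP admin entered with the one this pool/provider needs.
    Returns a list of findings; an empty list means an exact match."""
    expected = redirect_url(pool_id, provider_id)
    if configured == expected:
        return []
    got, want = urlsplit(configured), urlsplit(expected)
    findings = []
    if got.scheme != "https":
        findings.append(f"scheme is {got.scheme!r}; the callback must use https")
    if got.netloc.lower() != want.netloc:
        findings.append(f"host is {got.netloc!r}; expected {want.netloc!r}")
    if got.path != want.path:  # catches a stray trailing slash or a wrong ID
        findings.append(f"path is {got.path!r}; expected {want.path!r}")
    if got.query or got.fragment:
        findings.append("callback URL must not carry a query string or fragment")
    return findings or ["URL differs from the expected value"]

if __name__ == "__main__":
    # Constructed entries, as an IdP admin might have typed them.
    samples = [
        redirect_url(POOL_ID, PROVIDER_ID),
        redirect_url(POOL_ID, PROVIDER_ID) + "/",
        "http://auth.cloud.google/signin-callback/" + provider_name(POOL_ID, "typo-id"),
    ]
    for url in samples:
        print(url, "->", check_idp_redirect(url, POOL_ID, PROVIDER_ID) or "OK")
    print("SSO link:", sso_link(POOL_ID, PROVIDER_ID))
```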
Use SAML IdP-initiated sign-in
The SAML specification defines a flow called IdP-initiated sign-in, in which users initiate the sign-in process at the IdP. If your IdP supports this flow, you can share the details with your users.
Use the console (federated) vs. the Google Cloud console
The console (federated) provides limited access to only those Google Cloud products that support Workforce Identity Federation. Because of this, when using the console (federated), you see a limited number of Google Cloud products, and the product UIs themselves might have further limitations when viewed in the console (federated).
To learn more about products that support Workforce Identity Federation and related limitations, see Identity federation: supported products and limitations.
The Google Cloud console, by comparison, can provide full access to all products and features, depending on roles granted to users.
What's next
Last updated 2025-12-15 UTC.