Customize IAP

This document describes how to customize Identity-Aware Proxy (IAP) settings. With these settings, you can control behaviors including:

• Compatibility with GKE Enterprise and Istio on Google Kubernetes Engine.
• The handling of CORS preflight requests.
• How users are authenticated.
• The error page shown to users when access is denied.

Manage settings

You can view and update IAP settings on load balancer and App Engine apps using the Google Cloud console, the IAP API, or the Google Cloud CLI.

To update IAP settings on all resources, including folders, projects, and organizations, use the Google Cloud CLI or API.

To manage settings in IAP:

gcloud iap settings get --project=PROJECT-ID

gcloud iap settings get --folder=FOLDER-ID

gcloud iap settings get --organization=ORGANIZATION-ID

gcloud iap settings get --project=PROJECT-ID \
  --resource-type=RESOURCE-TYPE-NAME

gcloud iap settings set SETTING_FILE --project=PROJECT-ID \
  --resource-type=RESOURCE-TYPE-NAME

https://iap.googleapis.com/v1/projects/PROJECT-ID/iap_web/appengine-APP-ID/services/SERVICE-ID/versions/VERSION-ID:iapSettings

https://iap.googleapis.com/v1/projects/PROJECT-ID:iapSettings

https://iap.googleapis.com/v1/folders/FOLDER-ID:iapSettings

https://iap.googleapis.com/v1/organizations/ORGANIZATION-ID:iapSettings

IAP settings roles and permissions

This section describes the roles and permissions that are required to view and update IAP settings.

Settings roles

You can grant the IAP Settings Admin (roles/iap.settingsAdmin) role at the organization, folder, and project level. To see the permissions that the IAP Settings Admin role grants, see Settings permissions.

To learn more about roles and permissions for IAP, see Identity-Aware Proxy roles and permissions.

The following basic roles provide these permissions:

• The Project Viewer (roles/viewer) role grants all getSettings permissions.

• The Editor (roles/editor) role grants all of the permissions that are described in the table.

Settings permissions

The following table lists the IAM permissions that are required to read and modify settings for each resource type. For a description of the different resource types, see Resources and permissions.

To learn more about granting IAM roles, see Granting, changing, and revoking access.

Customize IAP settings

IAP provides the following customization settings:

You can apply settings at the project level, or at any lower IAP resource level.

You can configure settings for web-based IAP resources but not resources accessed with IAP for TCP forwarding.

Using access_settings.cors_settings.allow_http_options as an example, you can configure customization settings as follows:

access_settings:
  cors_settings:
    allow_http_options: "false"

{
  "access_settings": {
    "cors_settings": {
      "allow_http_options": "false"
    }
  }
}

The following sections provide more information on each setting.

Allow HTTP OPTIONS requests (CORS preflight)

The web's same-origin policy blocks browsers from sending AJAX requests between websites. By default, JavaScript on a page served from one origin can't use AJAX to send a request to an app secured with IAP hosted on a different origin.

In some cases, browsers will automatically try a request, but discard the content of the response if it doesn't include an Access-Control-Allow-Origin header. To allow these types of requests, include this header in your app's responses.

In other cases, the browser will send a CORS preflight request, a type of HTTP OPTIONS request, before sending the cross-origin request. If your app doesn't respond with an appropriate preflight response (containing the required Access-Control-* response headers), the browser will block the request with an error. Additionally, since preflight requests aren't sent with any authentication credentials (such as a IAP session cookie), IAP will also respond with an error.

To allow these requests:

1. Add code to your app that responds to the OPTIONS requests.

2. Change the setting access_settings.cors_settings.allow_http_options to true so that IAP passes OPTIONS requests through to your application.

Authenticate using a Google Workspace domain

If only members of a specific Google Workspace domain will use your app, you can configure IAP to optimize the authentication flow. This has several benefits:

• If a user is signed in with multiple accounts (such as work account and a personal account), the system will automatically select their work account instead of displaying the account selection UI.

• If a user isn't signed into their Google Account, the sign-in UI will automatically fill the domain portion of their email address (meaning the user only needs to type alice instead of alice@example.com, for example).

• If your Google Workspace domain is configured to use a third-party single sign-on provider, the system will show that custom sign-in page instead of Google's.

To enable this behavior, set the value of access_settings.oauth_settings.login_hint to your Google Workspace domain name (such as example.com). Domain ownership must have been verified: you cannot use arbitrary internet DNS domains that you own. (Domains that have been added as a Google Workspace primary or secondary domain are verified and thus can be used here.)

If you need to authenticate users outside the domain, you can use programmatic authentication.

For more information, see the OpenID Connect documentation.

Set a custom access denied error page

You can set a URL in this field that redirects users to a custom page instead of the default IAP error page whenever access is denied by a policy.

You can also embed the troubleshooting URL with this feature. For more information, see Enabling the troubleshooting URL for your custom Access Denied error page.

Issue GKE Enterprise and Istio RCToken mesh IDs

If you're using Istio on GKE, you can configure IAP to produce an Istio-compatible RCToken. If this field is set to a non-empty string, IAP will add an Ingress-Authorization HTTP header containing an RCToken. The aud claim will be set to the value of the field.

Authenticate with Identity Platform

By default, IAP uses Google's built-in identity system. If this field is set, IAP will use Identity Platform instead to authenticate users.

Understand settings inheritance in the resource hierarchy

IAP always evaluates requests for a specific web service version. This type of resource is at the lowest level of the resource hierarchy, which looks like this:

- Organization
  - Folder
    - Project
      - All web services
        - Web service type
          - Web service
            - Web service version

To determine the settings to apply for a web service version, IAP starts with a default set of values, and then walks the hierarchy from top to bottom. Settings are applied as they are found, so values set at a lower level override values set at a higher level. For example, if access_settings.cors_settings.allow_http_options is set to true at the project level, but false at the service level, then effective value will be false.

See Resources and permissions to learn more about the IAP resource hierarchy.