This page describes how to configure Identity-Aware Proxy (IAP) as an authentication proxy.
When you configure an IAP policy to allow all users access to an
application, IAP does not check user authentication
credentials. If you want to use IAP as an authentication proxy,
and have users authenticate when accessing a resource, you must set the
IAP mode to Force_Login.
Configure IAP as an authentication proxy
To configure IAP as an authentication proxy, complete the following steps:
Follow the IAP How-to guides documentation to enable IAP on a resource.
Go to the IAP page.
Go to Identity-Aware ProxySelect a resource, and then click Add Member.
Add the IAP-secured Web App User role to
allUsersto make the resource publicly accessible.To have IAP authenticate users, ensure that your request to the application is in the following format:
YOUR_APP_URL?gcp-iap-mode=FORCE_LOGINThis enforces authentication to all incoming requests and redirects the request to
YOUR_APP_URLafter successful authentication.