---
title: "Onboarding GCP-WIF application"
slug: "onboarding-gcp-wif-app"
updated: 2026-04-15T04:57:52Z
published: 2026-04-29T10:51:57Z
---


# Onboarding GCP-WIF application

Before onboarding the application, complete the prerequisites described in [Prerequisites for GCP onboarding](/v1/docs/prerequisites-1).

Perform the following steps to add a GCP-WIF tenant application to Britive:

1. Log in to Britive with administrator privileges.
2. Click **System admin** -> **Tenant Applications**.
3. Click on **Create Application**.
4. On the **Add Application** page, click the **Add (+)** sign next to the *GCP WIF* application.
5. In the **Application** tab, enter the following values:
  1. Enter the **Application Name**.
  2. Enter the **Application Description**, if required.
  3. Under **Account Mapping**, you can choose the username or email mapping to map the username or user email with the GCP account, respectively. You can also choose the default setting, **No mapping**, as per your requirement.
6. Click **Next**. The **Settings** tab is displayed.
7. In the **Settings** tab, enter the following values.
  - Check **Console** under **Credential Type**.
  - (Optional) Select **Programmatic Access** as the **Credential Type** if CLI credentials need to be generated during profile checkout.
  - Check **Display programmatic access keys** to allow users to copy the credentials to the clipboard after they check out programmatic access profiles. If the option is not selected, users can access the keys only through the CLI or scripts.
  - Enter the following details in the **Connection Properties**:
    1. **The Organizations Unique Identifier**: The organization's unique identifier of your Google domain.
    2. **Workload Identity Pool ID**: ID of the Workload Identity Pool created in Google Cloud IAM. This identifies the federation pool that allows external identities to authenticate and exchange tokens for Google credentials.
    3. **Workload Identity Provider ID**: ID of the Workload Identity Provider within the selected pool. This provider defines how external identities (e.g., OIDC, AWS, Azure, and CI/CD systems) authenticate and obtain tokens through Workload Identity Federation.
    4. **Connected Service Account Email**: Email address of the Google Cloud service account that is connected to the Workload Identity Provider. This service account is impersonated by external identities after successful federation.
    5. **Project Number For Connected Service Account**: Numeric project number of the Google Cloud project where the connected service account resides. This is used to construct the Workload Identity Federation audience and resource paths. (To get the project number for the connected service account, go to **IAM & Admin** → **Settings**, and use the selector at the top to select the project in which the service account was created.)
    6. (Optional) **Project ID for creating Service Accounts**: Project ID where temporary service accounts (CLI credentials) need to be created.
  - Enter the following details in the **SSO Settings** section:
    1. Check **Enable SSO** to enable SSO.
    2. In the **Audience** field, replace `{domain}` with the primary domain from Google Workspace.
    3. In the **ACS URL** field, replace `{domain}` with the primary domain from Google Workspace.
  - Enter the following details in the **Account Mapping** section:
    1. Select **Use another domain for account mapping** if the email domain of Britive users is different from the primary domain in Google Workspace.
    2. Enter the domain of the Britive Users in the **Email Domain of Britive Users** field.
    3. Enter the domain from Google Workspace in the **Primary Domain in Google Workspace** field.
  - Select one of the following from the **Scan Options**:
    - **Scan all folders and projects**: Select this option if Britive needs to scan all folders and projects at the organization level.
    - **Scan projects only**: Select this option if Britive should scan a subset of projects to which it has been granted access.

    Note: One of the two options, **Scan all folders and projects** or **Scan projects only**, must be selected.

    - **Exclude projects from scan**: Enter comma-separated patterns for project names. For example: `project,sheet`. All projects containing the pattern are not collected during the scan.
    - **Include projects in scan**: Enter comma-separated patterns for project names. For example: `project,sheet`. All projects containing the pattern are collected during the scan. The inclusion filter takes precedence over the exclusion filter above.
  - **Profile Settings**: Configure the maximum session duration for profiles. You can select a duration between 15 minutes and 7 calendar days. When a profile is created or updated, its expiration duration can be set to any value up to this configured maximum. If existing profiles were created with an expiration duration of more than 12 hours and this setting is changed, it cannot be lowered until all profiles are updated with a lower expiration duration.
8. Click **Save and Test**. If the GCP application is configured with the correct values, then a success message is displayed.
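
The **Connection Properties** in step 7 combine into the Workload Identity Federation audience and resource paths, and a common mistake is entering a project ID where the numeric project number is expected. The following added example (not Britive's or Google's code) checks the four identifiers against Google Cloud's ID formats and builds the audience string. All sample values are constructed, and the service account check assumes a user-managed account.

```python
import re

# Google Cloud IAM: pool and provider IDs are 4-32 characters of [a-z0-9-],
# and the "gcp-" prefix is reserved by Google.
_ID_RE = re.compile(r"[a-z0-9-]{4,32}")
# Assumption: a user-managed service account, NAME@PROJECT_ID.iam.gserviceaccount.com
_SA_RE = re.compile(
    r"[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9.-]*\.iam\.gserviceaccount\.com")


def check_wif_properties(project_number, pool_id, provider_id, sa_email):
    """Return a list of problems found in the four connection properties."""
    problems = []
    if not re.fullmatch(r"[0-9]+", project_number):
        problems.append("project number must be numeric "
                        "(a project ID was probably entered)")
    for label, value in (("pool ID", pool_id), ("provider ID", provider_id)):
        if not _ID_RE.fullmatch(value):
            problems.append(f"{label} must be 4-32 characters of a-z, 0-9 or '-'")
        elif value.startswith("gcp-"):
            problems.append(f"{label} must not use the reserved 'gcp-' prefix")
    if not _SA_RE.fullmatch(sa_email):
        problems.append("service account email is not "
                        "NAME@PROJECT_ID.iam.gserviceaccount.com")
    return problems


def wif_paths(project_number, pool_id, provider_id):
    """Build the pool resource path and the provider audience string."""
    pool = (f"projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}")
    return {
        "pool": pool,
        "audience": f"//iam.googleapis.com/{pool}/providers/{provider_id}",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    sample = ("123456789012", "britive-pool", "britive-provider",
              "britive-wif@example-project.iam.gserviceaccount.com")
    print(check_wif_properties(*sample) or "properties look well-formed")
    print(wif_paths(*sample[:3])["audience"])
```
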
