Add warning notes for field loginHint and gcipSettings in IAP Setting…

…s. (GoogleCloudPlatform#12678)
karolgorc · Jan 6, 2025 · c6cb3e6 · c6cb3e6
1 parent 143eb5b
commit c6cb3e6
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/mmv1/products/iap/Settings.yaml b/mmv1/products/iap/Settings.yaml
@@ -74,6 +74,7 @@ properties:
         type: NestedObject
         description: |
           GCIP claims and endpoint configurations for 3p identity providers.
+          * Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application.
         properties:
           - name: 'tenantIds'
             type: Array
@@ -114,6 +115,7 @@ properties:
               (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
               Note: IAP does not verify that the id token's hd claim matches this value
               since access behavior is managed by IAM policies.
+              * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.
           - name: 'programmaticClients'
             type: Array
             description: |