From 0b6e6b1b41f5e2c6f17270e51ebb4017862f967b Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Thu, 26 Mar 2026 14:28:30 +0000 Subject: [PATCH 1/3] docs: add GCP IAP to external identity providers documentation Co-authored-by: Michael Sukkarieh --- docs/docs/configuration/idp.mdx | 43 +++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/docs/docs/configuration/idp.mdx b/docs/docs/configuration/idp.mdx index 587b4333e..84058fc9b 100644 --- a/docs/docs/configuration/idp.mdx +++ b/docs/docs/configuration/idp.mdx 
@@ -570,4 +570,47 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth +### Google Cloud IAP + +[Google Cloud IAP Documentation](https://cloud.google.com/iap/docs) + +Google Cloud Identity-Aware Proxy (IAP) can be used for [authentication](/docs/configuration/auth). IAP provides a layer of security for applications deployed on Google Cloud, allowing you to control access based on user identity and context. + + +GCP IAP works differently from other identity providers. Instead of redirecting users to an OAuth flow, IAP intercepts requests at the infrastructure level and adds a signed JWT header that Sourcebot validates. This means users are automatically authenticated when accessing Sourcebot through an IAP-protected endpoint. + + + + + + Your Sourcebot deployment must be behind Google Cloud IAP. Follow [this guide](https://cloud.google.com/iap/docs/enabling-on-premises-howto) by Google to enable IAP for your application. + + After enabling IAP, note the **Signed Header JWT Audience**. You can find this in the Google Cloud Console under **Security → Identity-Aware Proxy → (your application) → Edit OAuth Client → Application settings**. + + The audience will be in the format: `/projects//global/backendServices/` or `/projects//apps/`. + + + Set the IAP audience as an environment variable. This can be named whatever you like (ex. `GCP_IAP_AUDIENCE`). + + + Create a `identityProvider` object in the [config file](/docs/configuration/config-file) with the following fields: + + ```json wrap icon="code" + { + "$schema": "https://raw.githubusercontent.com/sourcebot-dev/sourcebot/main/schemas/v3/index.json", + "identityProviders": [ + { + "provider": "gcp-iap", + "purpose": "sso", + "audience": { + "env": "GCP_IAP_AUDIENCE" + } + } + ] + } + ``` + + + + From bb27e6a9dd30b282e5a5a71bd184c2cf1ae9fd96 Mon Sep 17 00:00:00 2001 
From: Cursor Agent Date: Thu, 26 Mar 2026 23:32:40 +0000 Subject: [PATCH 2/3] docs: clarify Microsoft Entra ID is Azure AD in identity provider docs Co-authored-by: Michael Sukkarieh --- docs/docs/configuration/idp.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/docs/configuration/idp.mdx b/docs/docs/configuration/idp.mdx index 84058fc9b..22c66ff40 100644 --- a/docs/docs/configuration/idp.mdx +++ b/docs/docs/configuration/idp.mdx @@ -418,12 +418,16 @@ A Keycloak connection can be used for [authentication](/docs/configuration/auth) -### Microsoft Entra ID +### Microsoft Entra ID (Azure AD) [Auth.js Microsoft Entra ID Provider Docs](https://authjs.dev/getting-started/providers/microsoft-entra-id) A Microsoft Entra ID connection can be used for [authentication](/docs/configuration/auth). + +Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID in 2023. If you have an existing Azure AD setup, these instructions will work for you. The underlying authentication infrastructure is the same. + + From 6aba5880fe9fc9009bb4415520123ceb44220756 Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Thu, 26 Mar 2026 23:34:19 +0000 Subject: [PATCH 3/3] docs: change GCP IAP note to info card Co-authored-by: Michael Sukkarieh --- docs/docs/configuration/idp.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/configuration/idp.mdx b/docs/docs/configuration/idp.mdx index 22c66ff40..d24b4d584 100644 --- a/docs/docs/configuration/idp.mdx +++ b/docs/docs/configuration/idp.mdx 
@@ -580,9 +580,9 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth Google Cloud Identity-Aware Proxy (IAP) can be used for [authentication](/docs/configuration/auth). IAP provides a layer of security for applications deployed on Google Cloud, allowing you to control access based on user identity and context. - + GCP IAP works differently from other identity providers. Instead of redirecting users to an OAuth flow, IAP intercepts requests at the infrastructure level and adds a signed JWT header that Sourcebot validates. This means users are automatically authenticated when accessing Sourcebot through an IAP-protected endpoint. - +
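Review bot: In patch 1/3, the first setup step links `https://cloud.google.com/iap/docs/enabling-on-premises-howto`, while the section intro describes IAP as protecting applications deployed on Google Cloud. Either link the general IAP enablement docs or say which deployment targets this provider supports. In the same hunk, "Create a `identityProvider` object" does not match the `identityProviders` array in the JSON that follows, and should read "an"; "(ex. `GCP_IAP_AUDIENCE`)" reads better as "e.g.". The two audience formats appear as `/projects//global/backendServices/` and `/projects//apps/` with nothing between the slashes, so please confirm the placeholders survive MDX rendering. Since the callout says Sourcebot validates a signed JWT header added by IAP, the section should also state how requests that reach Sourcebot without that header are handled.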
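Review bot: In patch 2/3, renaming the heading from "### Microsoft Entra ID" to "### Microsoft Entra ID (Azure AD)" will change the section anchor if the docs site derives anchors from heading text, which would break existing deep links to this section. Consider keeping the original heading and relying on the added rename paragraph, or check for inbound links to the old anchor before merging. The diffstat reports 5 insertions, so please also confirm the new paragraph is wrapped in the same callout component used elsewhere in `idp.mdx`.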
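Review bot: Patch 3/3 only rewrites the wrapper lines around the "GCP IAP works differently from other identity providers" paragraph that patch 1/3 introduced in the same series, so it should be squashed into patch 1/3 rather than shipped as a separate fixup commit. The removed and added lines show as blank here, so the component names being swapped cannot be checked from the diff as presented; the commit subject ("change GCP IAP note to info card") is the only record of the intent, and it would help to name both components in the commit body.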