NotebookLM Enterprise supports Workforce Federation for UI access

We are integrating NotebookLM Enterprise with Microsoft Entra ID using Google Workforce Identity Federation (SAML-based federation).

Current status:

  • Users can successfully access the NotebookLM Enterprise UI through Azure federation.

  • Users do not have native Google accounts.

  • Access is restricted through Workforce Identity Pools.

  • NotebookLM sessions are user-specific.

Our requirement:

  • Users authenticate into our internal application using Azure OIDC.

  • From our backend, we want to call NotebookLM Enterprise APIs acting as the logged-in federated user.

Problem:

  • Standard Google OAuth authorization endpoint (accounts.google.com/o/oauth2/v2/auth) does not recognize our federated users and asks for a Google account.

  • However, NotebookLM Enterprise UI itself successfully authenticates the same users through Workforce Identity Federation.

Questions:

  1. Can Workforce Identity Federation users obtain Google OAuth access tokens for NotebookLM Enterprise APIs?

  2. Is delegated API access supported for federated workforce identities?

  3. Is there a workforce-aware OAuth/token exchange flow separate from standard Google OAuth?

  4. Is Google STS/token exchange required instead of normal OAuth authorization code flow?

  5. Are NotebookLM Enterprise APIs officially supported for Workforce Identity Federation users acting as themselves?

We are specifically trying to understand the supported architecture for:
Azure Federated User → Google Identity → NotebookLM API Access.

Quick update: I was able to figure this out.

The issue was that I was trying to use the same Workforce Identity Federation setup for both UI federation and API access.

What ended up working was:

  • using one Workforce Identity Pool/provider with SAML for NotebookLM Enterprise web UI federation,
  • and creating a separate Workforce Identity Pool/provider using OIDC specifically for API/token flows.

With the OIDC-based workforce provider, federation now works correctly during the auth flow, and after authentication I’m able to exchange the federated identity through Google STS to obtain access tokens for NotebookLM API access.

So the important distinction was:

  • SAML federation was working fine for browser/UI SSO,
  • but for delegated API access and token acquisition, the OIDC + STS flow was the missing piece.

After switching to the OIDC workforce provider for the API flow, the federated Azure users can authenticate successfully and I’m now able to access NotebookLM APIs as the federated user identity.

Hopefully this helps anyone else trying to integrate enterprise Google services with Azure Entra ID federation and user-scoped API access.
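As an added illustration of the OIDC provider + STS step described in the update above (this is example code written for this page, not the poster's code and not a Google client library): the backend takes the Entra ID `id_token` it already holds from the Azure OIDC login, performs a fail-fast sanity check on it, and posts an RFC 8693 token-exchange request to Google STS with the workforce pool provider as the audience. The STS endpoint and form parameter names are Google's documented token-exchange interface; the pool ID `demo-pool`, provider ID `azure-oidc`, the Entra issuer and client-ID placeholders, and the `cloud-platform` scope are assumptions (the thread does not state which scope NotebookLM Enterprise requires). The `post` argument is injectable so the flow can be exercised offline against a constructed response.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Google STS token-exchange endpoint and the RFC 8693 / OAuth token-type URNs it uses.
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"  # assumed scope


def workforce_audience(pool_id: str, provider_id: str) -> str:
    """Audience string for a workforce pool provider (workforce pools are global)."""
    return (f"//iam.googleapis.com/locations/global/workforcePools/"
            f"{pool_id}/providers/{provider_id}")


def peek_jwt_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. This is a fail-fast
    check only; STS is the party that verifies the Entra ID signature, issuer and
    audience against the workforce provider's configuration."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def precheck_id_token(id_token: str, expected_issuer: str, expected_audience: str,
                      now: float = None) -> dict:
    """Reject tokens STS could never accept: wrong issuer, wrong audience (the
    client ID configured on the OIDC workforce provider), or already expired."""
    claims = peek_jwt_claims(id_token)
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"unexpected issuer: {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("id_token audience does not match the workforce provider client ID")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token has expired")
    return claims


def build_exchange_form(pool_id: str, provider_id: str, id_token: str,
                        scope: str = SCOPE_CLOUD_PLATFORM) -> dict:
    """Form body for the token-exchange grant: the Entra id_token is the subject
    token, and a Google access token for the federated user is requested back."""
    return {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "audience": workforce_audience(pool_id, provider_id),
        "scope": scope,
        "requested_token_type": TOKEN_TYPE_ACCESS_TOKEN,
        "subject_token_type": TOKEN_TYPE_ID_TOKEN,
        "subject_token": id_token,
    }


def post_form(url: str, form: dict) -> str:
    """Default transport: HTTPS POST of an x-www-form-urlencoded body, returns the body."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def exchange_for_google_token(pool_id: str, provider_id: str, id_token: str,
                              expected_issuer: str, expected_audience: str,
                              post=post_form) -> dict:
    """Precheck the Entra id_token, then exchange it at Google STS for a short-lived
    access token that acts as the federated user (not as a service account)."""
    precheck_id_token(id_token, expected_issuer, expected_audience)
    body = json.loads(post(STS_TOKEN_URL, build_exchange_form(pool_id, provider_id, id_token)))
    if "access_token" not in body:
        raise RuntimeError(f"STS exchange failed: {body.get('error')}: "
                           f"{body.get('error_description')}")
    # Keep the bearer token in memory for the user's request/session and re-exchange
    # when it expires; it should not be persisted or shared across users.
    return {"access_token": body["access_token"],
            "expires_in": body.get("expires_in"),
            "token_type": body.get("token_type", "Bearer")}


def make_demo_id_token(claims: dict) -> str:
    """CONSTRUCTED, unsigned token for offline demonstration only (fake signature)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.ZmFrZS1zaWduYXR1cmU"
```

In production `exchange_for_google_token` is called with the real `id_token` from the Azure OIDC login and the default `post`, and the returned `access_token` is sent as `Authorization: Bearer` on the NotebookLM Enterprise API calls for that user only. The expected issuer is the Entra tenant's `v2.0` issuer URL and the expected audience is the application (client) ID configured on the OIDC workforce provider; both are placeholders here.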