Configure workforce identity federation with the external IdP, and set up attribute mapping.

Configure a service account for each individual by using the user name and photo, and grant permissions for each user to impersonate their respective service accounts.

Configure workload identity federation to get the external IdP tokens, and use these tokens to sign in to the Google Cloud console.

Create a Google group that includes organization email IDs for all users. Ask users to use the same name, work email ID, and password to register and sign in.