diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/convert.sh b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/convert.sh
new file mode 100755
index 00000000..87efac0c
--- /dev/null
+++ b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/convert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+pandoc --to gfm --extract-media=images/identity 'GCP Identity Detailed Design.docx' -o identity.md
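Review bot: the script depends on its working directory and on an input that is not in this change. `--extract-media=images/identity` and the output `identity.md` are relative paths, and the committed `identity.md` references `images/identity/media/image*.png`, so the script only produces matching paths when run from its own directory; add `cd "$(dirname "$0")"` before the pandoc line, and `set -euo pipefail` so a failed conversion does not silently leave a stale `identity.md`. The source `'GCP Identity Detailed Design.docx'` is not part of this diff, so the script cannot be re-run from the repository as committed; either commit the .docx alongside it or document in a comment where the source document lives (the SharePoint links in the generated file suggest it is kept there).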
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/identity.md b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/identity.md
new file mode 100644
index 00000000..876cd73d
--- /dev/null
+++ b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/identity.md
@@ -0,0 +1,470 @@
+**Department of Commerce (DOC)**
+
+**United States Census Bureau (USCB)**
+
+**
+Google Cloud Platform (GCP)**
+
+**Service Architecture**
+
+**GCP Cloud Identity**
+
+**(Workspaces)**
+
+

+
+1 Revision History [1](#revision-history)
+
+2 Overview [2](#overview)
+
+2.1 Background [2](#background)
+
+2.2 Scope [2](#scope)
+
+2.3 Governance [2](#governance)
+
+2.4 Terms and Definitions [2](#terms-and-definitions)
+
+3 Service Design [3](#service-design)
+
+3.1 Value [3](#value)
+
+3.2 Capabilities, Features, and Requirements
+[3](#capabilities-features-and-requirements)
+
+3.3 Assumptions [4](#assumptions)
+
+3.4 Constraints [4](#constraints)
+
+3.5 Conceptual Design [4](#conceptual-design)
+
+3.6 Logical Design - Census IDP Operated SAML-Based SSO Service
+[5](#logical-design---census-idp-operated-saml-based-sso-service)
+
+3.7 Interfaces [5](#interfaces)
+
+3.8 Configuration Management [5](#configuration-management)
+
+3.9 Service Level Agreements [5](#service-level-agreements)
+
+3.10 Patching and Updates [5](#patching-and-updates)
+
+3.11 Roles and Responsibilities [6](#roles-and-responsibilities)
+
+3.12 Service Limits & Capacity Planning
+[6](#service-limits-capacity-planning)
+
+3.13 Cost Consideration [6](#cost-consideration)
+
+4 Backup and Recovery [6](#backup-and-recovery)
+
+5 Security [7](#security)
+
+5.1 Authentication, Access, Authorization
+[7](#authentication-access-authorization)
+
+5.2 Auditing [7](#auditing)
+
+5.3 Logging [7](#logging)
+
+5.4 Alerts [7](#alerts)
+
+6 Appendix [7](#appendix)
+
+6.1 Tagging [7](#tagging)
+
+6.2 Infrastructure as Code [7](#infrastructure-as-code)
+
+6.3 Links [7](#links)
+
+6.4 Reference Documentation [8](#reference-documentation)
+
+List of Figures
+
+[Figure 1 Federated Identity Management
+[4](#_Toc157518545)](#_Toc157518545)
+
+[Figure 2 SAML transaction steps for Census IDP – Google Identity
+Exchange [5](#_Ref146826104)](#_Ref146826104)
+
+[Figure 3 Workspace Automatic Licensing Setting Page
+[6](#_Toc157518547)](#_Toc157518547)
+
+List of Tables
+
+[Table 1 – Revision History [1](#_Toc157518548)](#_Toc157518548)
+
+# Revision History
+
+Table 1 – Revision
+History
+
+| Version | Date | Description |
+|---------|-----------|-----------------------------------------------------------------------------------------------------------|
+| 0.01 | 8/3/2023 | Initial template draft |
+| 0.02 | 9/27/2023 | Initial content to describe service |
+| 0.03 | 9/28/2023 | Content to reflect the design decisions and configuration of the Census IDP / Cloud Identity relationship |
+| 0.04 | 10/9/2023 | Updated to reflect CM and pricing SLA |
+| 0.05 | 1/2/2024 | Add text section 5 items highlighted |
+| 1.00 | 1/30/2024 | GitLab inf/core \#426 |
+| | | |
+
+# Overview
+
+## Background
+
+GCP Cloud Identity provides USCB a central place to create or federate
+identities and centrally manage access across all GCP accounts and
+supported applications. USCB utilizes GCP security group permissions to
+assign users in alignment with their function in the organization, such
+as a System Developer, Database Administrator, Cloud Organization admin,
+etc. using SAML 2.0 authentication through the central Identity Provider
+(IdP), IDMS.
+
+## Scope
+
+This document details the engineering and operations lifecycle for GCP
+Cloud Identity*.* It is intended to document design decisions and
+provide guidelines for implementation and operation of this service.
+
+## Governance
+
+This document, its associated service(s), and guidelines regarding the
+use of this service are governed by the Enterprise Cloud Governance
+Board (CGB). Changes to this service require must be presented by the
+Product Owner and/or Technical Lead and approved by the CGB.
+
+## Terms and Definitions
+
+- **Google Identity**: Human users who are members of the Census
+ organization require a Google Identity to interact with Google
+ services. Google Identities are created in Google Cloud Identity and
+ are authenticated against an existing user identity within USCB’s IdP,
+ IDMS.
+
+- **Google Cloud Identity**: Cloud Identity is the user management
+ administration console and system for accessing Google products. Cloud
+ Identity provides a central place to create and manage users, security
+ groups, and billing mechanisms.
+
+- **Google Cloud IAM**: GCP IAM provides the permission management of
+ users and service accounts within GCP. Users and security groups are
+ mapped in from Google Cloud Identity and are able to be assigned roles
+ within the organizational structure to folders and projects.
+
+- **Security Group:** Cloud Identity construct for organizing Google
+ Identities. Security Groups allow for the management of Google
+ Identities by function and assigning them the required permissions
+ through assigning GCP Roles to the Security Group.
+
+- **Organization (Identity):** A root/domain level administrative
+ construct, the Organization (Identity) is paired with a domain and
+ validated using a domain verification process. There can be only a
+ single Organization (Identity) per domain.
+
+- **Organizational Unit (Identity):** Organizational Units in Cloud
+ Identity server to group users together for specific Cloud Identity
+ related management related functions or the grouping of projects. They
+ are not related to and do not import to GCP for management functions
+ there. Google Security Groups should be utilized for that purpose.
+
+- **Organization (GCP):** A root level resource, the GCP Organization
+ provides the central point and highest order parent of the GCP
+ structure. It is tied to a domain managed through Cloud Identity. Each
+ domain managed as part of the organization must be registered in Cloud
+ Identity.
+
+- **GCP Folder:** GCP Folders are utilized to organize resources of the
+ GCP Organization. They serve as containers that can be utilized to
+ delineate permissions boundaries and policy enforcement. The GCP
+ Folder structure is typically laid out like Organizational Units
+ within an LDAP like MS Active Directory.
+
+- **GCP Project:** A GCP Project is analogous to an AWS Account. It
+ provides a permission, billing, and container boundary for each
+ application within GCP. Projects will be created to support use cases
+ such as consolidated logging, shared networking, and applications.
+
+- **GCP Role:** A GCP Role defines a permission set that can be applied
+ to users, service accounts, or groups. GCP Roles function differently
+ than AWS Roles in that they do not need to be assumed to provide the
+ permissions. Rather they define the permissions the principle has.
+
+- **Admin Activity audit logs:** contain log entries for API calls or
+ other actions that modify the configuration or metadata of resources.
+
+# Service Design
+
+## Value
+
+- GCP Cloud Identity integrates USCB standard user account management
+ control and practices by authenticating users via the IDMS Identity
+ Provider through SAML 2.0 federation. This reduces the associated risk
+ in managing separate IAM users within each GCP account.
+
+- GCP Identity and Access Management (IAM) integrates at scale across
+ the entire GCP organization structure. Permissions and access across
+ all, or a subset of Google projects, are centrally managed through GCP
+ IAM.
+
+- GCP Cloud Identity supports access to both GCP Organization/projects,
+ and Cloud Identity integrated applications.
+
+- GCP IAM with GCP Security Groups increases the velocity of cloud
+ onboarding through the development and application of permission sets
+ that cover a range of system team, system and cloud operational teams,
+ and administrative roles aligned to specific job functions on specific
+ folders or projects.
+
+- GCP Cloud Identity provides a single interface to interact with GCP
+ accounts and services through both the console and programmatic means.
+ Short-lived token-based credentials are established each time a user
+ is authenticated, so rotation of access keys is not an issue for
+ individual users.
+
+## Capabilities, Features, and Requirements
+
+- Users authenticate to the USCB GCP organization without having to
+ provide an additional password or MFA token (i.e., SSO)
+
+- Permission sets are created based on USCB organizational job function
+ and system team function (i.e., developer, tester, dba, etc.).
+
+- Users are placed into Cloud Identity Security Groups, and those groups
+ will be assigned a role that grants access to specific permissions.
+ The Security Group is then applied at the organization, folder, or
+ project level to govern access.
+
+- The designated USCB GCP Cloud Identity administrators are responsible
+ for the configuration, management, and ongoing maintenance of the
+ service.
+
+- User IDs must match the Census-defined user principal name. This is
+ passed the SAML authentication with the IdP and is required by Cloud
+ Identity
+
+## Assumptions
+
+- A group will be defined and will be responsible for the configuration,
+ management, and ongoing maintenance of the service, including user
+ onboarding, permission set development, and group-to-account
+ assignments.
+
+
+
+- The solution shall adhere to the baseline Enterprise GCP naming
+ standards for role and group definitions.
+
+- Access to GCP projects is governed within the GCP organization. No
+ access to external or non-managed GCP Projects are allowed without
+ prior authorization by the CGB and OIS.
+
+- SCIM integration is not in scope for the initial deployment
+ architecture and operations of this platform. The initial rollout of
+ this service does not include extension to other cloud-enabled
+ applications such as Google Workspaces (O365 equivalent).
+
+- Multi-factor Authentication is required for superadmins. The Cloud
+ Identity Organization provides MFA as part of the IdP (IDMS) solution
+ as TCO is responsible for authentication prior to authorization to the
+ USCB GCP environment.
+
+## Constraints
+
+- TCO is responsible for providing the IdP-specific metadata for the
+ external Identity Provider configuration portion in GCP Cloud
+ Identity.
+
+- TCO is responsible for providing DNS entries required for domain
+ validation.
+
+## Conceptual Design
+
+
+
+Figure 1 Federated
+Identity Management
+
+## Logical Design - Census IDP Operated SAML-Based SSO Service
+
+
Google offers a SAML-based
+single sign-on (SSO) service for user authentication and authorization
+process using Security Assertion Markup Language (SAML). SAML is an XML
+standard that allows secure exchange of user authentication and
+authorization data with the Census Identity Provider (IDP). Using SAML,
+GCP contact the Census IDP to authenticate users who are trying to
+access secure content. The transaction steps that occur are described in
+Figure 2 SAML transaction steps for Census IDP – Google Identity
+Exchange.
+
+Figure 2 SAML transaction
+steps for Census IDP – Google Identity Exchange
+
+## Interfaces
+
+- Google Cloud Identity exchanges with the Census Identity Provider,
+ Microfocus IDMS. This done through the exchange of metadata between
+ GCP super administrators and the TCO IDMS team.
+
+- Sign-in to GCP console is available via web-based portal at
+ .
+
+- Sign-in to GCP workspace is available via web-based portal at
+ .
+
+## Configuration Management
+
+Google Cloud Identity. Configuration of the platform itself is
+maintained by GCP and provided as part of the SLA with GCP.
+Configuration of and changes to the organization of resources within
+Google Cloud Identity is overseen by the Enterprise CGB. Any
+communicated configuration changes by Google to the Cloud Identity
+platform will result in an evaluation by the Enterprise CGB to assess,
+impact, and implement any adjustments necessary.
+
+## Service Level Agreements
+
+Cloud Identity Free edition does not have a published SLA. This does not
+indicate that Cloud Identity Free is without target uptimes or
+availability, just that there is no linkage to fines or penalties for
+service unavailability. A transition to Cloud Identity premium should be
+designed and implemented if there is a need to have an enforceable SLA
+with Google. As there currently is a limited user base for GCP and all
+current applications are in development stage, there is justification
+for Cloud Identity Premium. As applications mature or other services
+take advantage of GCP this design decision can be revisited. If a
+transition to Cloud Identity Premium occurs, the SLA is 99.9% uptime.
+
+## Patching and Updates
+
+Google Cloud Identity is provided by GCP as a managed service. Patching
+and updates of the platform is maintained by GCP and provided as part of
+the service with GCP. If a future non-functional requirement is needed
+to guarantee availability, a switch to Cloud Identity Premium may be
+required.
+
+## Roles and Responsibilities
+
+GCP Cloud Identity Roles and Responsibilities are broken out below:
+
+- CGB – Approve architectural and governance changes to the management
+ of GCP. Suggest architectural changes to GCP, approve O&M changes and
+ provide guidance to the operations teams.
+
+- Cloud Engineering – O&M of GCP Cloud Identity, management of groups
+ and users
+
+- OIS – ATO and security requirements maintained.
+
+- TCO – Integration with the USCB IdP system and management of IdP
+ identities.
+
+## Service Limits & Capacity Planning
+
+Google Cloud Identity platform can scale to thousands of users. The USCB
+is currently using the Free edition of Google Cloud Identity. The Free
+edition places an initial limit of 50 users. This quota is adjustable,
+and an increase can be requested from Google.
+
+## Cost Consideration
+
+There is no charge for utilizing Cloud Identity Free. At the time of
+this writing, Cloud Identity Premium current cost is \$6.00/user per
+month. It should be noted that users should not be automatically mapped
+to Workspace plans. Those plans do incur a monthly per user cost. A
+configuration parameter is set to prevent automatic licensing in the
+admin.google.com à Billing à License settings page.
+
+
+
+Figure 3 Workspace
+Automatic Licensing Setting Page
+
+# Backup and Recovery
+
+GCP Cloud Identity is provided as a managed service. There is no direct
+backup option for GCP Cloud Identity. User management is integrated with
+USCB IdP for backing up and managing the current state of active and
+inactive users.
+
+# Security
+
+## Authentication, Access, Authorization
+
+All identities associated to GCP are members of security groups with
+predefined permissions to access the resources to only what is required
+to perform their duties. For additional information refer to Cloud
+Identity Roles and Groups.
+
+## Auditing
+
+- All GCP auditing logs will be sent OIS Azure Sentinel environment via
+ Pub/Sub integration with Azure.
+
+- The following audit log types are captured and can be retrieved from
+ GCP Audit Logs.
+
+ - **Admin Activity audit logs:** contain log entries for API calls or
+ other actions that modify the configuration or metadata of
+ resources.
+
+ - **Data Access audit logs:** contain API calls that read the
+ configuration or metadata of resources, as well as user-driven API
+ calls that create, modify, or read user-provided resource data.
+
+ - **System Event audit logs:** contain log entries for Google Cloud
+ actions that modify the configuration of resources. System Event
+ audit logs are generated by Google systems; they aren't driven by
+ direct user action.
+
+ - **Policy Denied audit** **logs:** are recorded when a Google Cloud
+ service denies access to a user or service account because of a
+ security policy violation.
+
+## Logging
+
+IAM logs comprise of admin activity audit logs and data access audit
+logs, they are required by GCP and is not possible to disable. They
+follow the logging design detailed in the GCP Operations Suite Cloud
+Logging Service Architecture.
+
+## Alerts
+
+Alerts are configured as part of SCC. For additional details, see the
+GCP Security Command Center Service Architecture.
+
+# Appendix
+
+## Tagging
+
+[Enterprise GCP Naming and Tagging
+Standards](https://uscensus.sharepoint.com/:f:/s/DITDSIRS/EpbVeuUQbE1Ftjo-SJpUjj4BG9Nq15mRUQdNsUaQcRyeyw?e=ZMCX3r)
+
+## Infrastructure as Code
+
+
+
+## Links
+
+- [Google Cloud Identity
+ Overview](https://cloud.google.com/files/10909_Cloud_Identity_OnePager_V6.pdf)
+
+- [Cloud Identity Roles and
+ Groups](https://uscensus.sharepoint.com/:x:/s/DITDSIRS/EQY2FidVWydDr6E1JaB_jasBGI9-u-xyoGUossdK8foKHw?e=KZTfBa)
+
+- [GCP Operations Suite Cloud Logging Service
+ Architecture](https://uscensus.sharepoint.com/sites/DITDSIRS/_layouts/15/Doc.aspx?sourcedoc=%7B67BF8745-3FEE-4C47-A6C6-F845B3F99E61%7D&file=GCP%20Operations%20Suite%20Cloud%20Logging%20Detailed%20Design.docx&action=default&mobileredirect=true)
+
+- [GCP Security Command Center Service
+ Architecture](https://uscensus.sharepoint.com/:w:/s/DITDSIRS/EbHpsBeFJntHrE83Rb3-cB8B3ad2lkuh-_5VfX2R7ZT4yA?e=MWJSci)
+
+## Reference Documentation
+
+[GCP Cloud Identity Roles &
+Groups](https://uscensus.sharepoint.com/:x:/s/DITDSIRS/EQY2FidVWydDr6E1JaB_jasBGI9-u-xyoGUossdK8foKHw?e=J5q9be)
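Review bot: the Assumptions bullet on super admin MFA ("Multi-factor Authentication is required for superadmins. The Cloud Identity Organization provides MFA as part of the IdP (IDMS) solution") should state whether super admin accounts actually authenticate through the IDMS SAML flow or sign in directly with Google credentials; the Interfaces section has GCP super administrators exchanging metadata with the TCO IDMS team, which implies they hold Google-side credentials, and if those accounts are not covered by the SAML redirect then the MFA requirement is not met by IDMS and Google-side 2-Step Verification enforcement for super admins needs to be documented as a separate control. The Service Level Agreements paragraph also contradicts itself: "there currently is a limited user base ... there is justification for Cloud Identity Premium" reads as if it should say justification for remaining on Free, given the following sentences about revisiting the decision and "If a transition to Cloud Identity Premium occurs". Several conversion defects should be fixed before this is merged as documentation: the two Interfaces bullets "available via web-based portal at ." lost their URLs; the three figure positions (Figure 1, 2, 3) are empty even though the image files are committed in this change; the table of contents and List of Figures/Tables carry Word page numbers and `#_Toc`/`#_Ref` anchors that resolve to nothing in GFM; "admin.google.com à Billing à License settings" is a mis-converted arrow; "Changes to this service require must be presented" and "will be sent OIS Azure Sentinel environment" are each missing a word; and the title block has a bold span split across lines ("**" / "Google Cloud Platform (GCP)**").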
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image1.jpeg b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image1.jpeg
new file mode 100644
index 00000000..543fad64
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image1.jpeg differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image2.png b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image2.png
new file mode 100644
index 00000000..fa07e8cd
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image2.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image3.png b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image3.png
new file mode 100644
index 00000000..fe077e1a
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image3.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image4.png b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image4.png
new file mode 100644
index 00000000..83a2fac0
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image4.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image7.png b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image7.png
new file mode 100644
index 00000000..8ee99efc
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image7.png differ
diff --git a/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image8.png b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image8.png
new file mode 100644
index 00000000..0a205b65
Binary files /dev/null and b/gcp/documentation/02_Solutions_and_Service_Architecture/GCP Identity Design/images/identity/media/image8.png differ