An Identity-Aware Proxy enables an organization to control access to cloud applications (e.g. SaaS). Typically, an IAP works together with an organization's Single Sign-on (SSO) provide for verifying a user’s identity and determining if that user should be allowed to access the application. An IAP is part of the BeyondCorp enterprise security model that enables every employee to work from untrusted networks without the use of a VPN. Another way of thinking about IAP is it's a point-to-point VPN for every single service. Unlike a traditional VPN, which typically grants a wide range of access to internal networks, an IAP only grants access to one specific resource.

IAP Providers and Implementations:

• https://www.cloudflare.com/products/cloudflare-access/
• https://cloud.google.com/iap/
• https://beyondcorp.com/
• https://github.com/bitly/oauth2_proxy