Your organization uses a third-party identity provider for centralized user management and authentication. You want to grant users access to the Google Cloud console based on attributes from this provider, without syncing user identities to Google Cloud. What should you do?