Federation
Cloud Identity
- Use Cases
- Identity as a Service (IDaaS)
- Used for managing users, groups, and domain-wide security settings (without paying for G Suite's collaboration products)
- Gmail accounts and Google Groups
- Users and groups in your G Suite domain
- Users and groups in your Cloud Identity domain
- Services included
- SSO
- Cloud Directory
- User management
- Device Management
- Characteristics
- Tied to a unique DNS name that is enabled for receiving email
- The first domain name becomes the primary domain for the Organization
- Multiple other domains can be associated with the Organization's Google account
- Editions: Free / Premium
- Deployment Options:
- Can be used as a standalone service
- Can be combined with Google Workspace
- Accounts:
- Each Google Workspace or Cloud Identity account is associated with one Organization
- Organization Administrator IAM role must be assigned to a user/group
Cloud Directory Sync
- Google Cloud Directory Sync
- Syncing with Microsoft Active Directory: LDAP -> Cloud Identity
- One-way synchronization: the data in AD is never modified
- Directory Sync runs on-premises: AD does not need to be reachable from outside the perimeter
- How Directory Sync works
- Data is exported from your LDAP server or Active Directory
- Directory Sync connects to the Google domain and generates a list of the Google users, groups, and shared contacts that you specify
- Directory Sync compares these lists and updates your Google domain to match the data
- When the synchronization is complete, a report is emailed
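The reconciliation step described above (compare the exported directory with the Google domain, then change only the Google side), modelled as an added example. This is not Google Cloud Directory Sync's own code or behaviour: the `User` record, the "suspend" action for users missing from the source, and all sample data are constructed here to show why one-way sync leaves the source untouched and why a second run produces no further changes.

```python
"""Model of the compare-and-update step of a one-way directory sync.

Added example, not Google Cloud Directory Sync's own code. The source
(the LDAP/AD export) is authoritative and is only ever read; every change
in the plan targets the Google domain snapshot. Sample data is constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    email: str
    given_name: str
    family_name: str
    groups: FrozenSet[str]        # addresses of groups the user belongs to
    suspended: bool = False


# Constructed LDAP/AD export: the authoritative side of the sync (read-only).
LDAP_EXPORT: Dict[str, User] = {
    "alice@example.com": User("alice@example.com", "Alice", "Ng",
                              frozenset({"eng@example.com"})),
    "bob@example.com": User("bob@example.com", "Bob", "Ortiz",
                            frozenset({"eng@example.com", "oncall@example.com"})),
    "dana@example.com": User("dana@example.com", "Dana", "Roy", frozenset()),
}

# Constructed snapshot of the Google domain before the sync runs.
GOOGLE_DOMAIN: Dict[str, User] = {
    "alice@example.com": User("alice@example.com", "Alice", "Ng",
                              frozenset({"eng@example.com"})),
    # bob's group list is stale compared with the directory
    "bob@example.com": User("bob@example.com", "Bob", "Ortiz",
                            frozenset({"eng@example.com"})),
    # carl has left the organisation and no longer appears in the export
    "carl@example.com": User("carl@example.com", "Carl", "Ives",
                             frozenset({"eng@example.com"})),
}

Action = Tuple[str, str]  # (verb, user email)


def plan_sync(source: Dict[str, User], target: Dict[str, User]) -> List[Action]:
    """Compare source and target and list the changes needed on the target.

    Users only in the source are created; users in both with differing
    attributes are updated; active users only in the target are suspended
    (a constructed policy for this example, chosen over deletion so that a
    mistaken export cannot destroy accounts). The source is never modified.
    """
    plan: List[Action] = []
    for email in sorted(source):
        if email not in target:
            plan.append(("create", email))
        elif source[email] != target[email]:
            plan.append(("update", email))
    for email in sorted(target):
        if email not in source and not target[email].suspended:
            plan.append(("suspend", email))
    return plan


def apply_plan(source: Dict[str, User], target: Dict[str, User],
               plan: List[Action]) -> Dict[str, User]:
    """Return a new target state with the plan applied; inputs are left intact."""
    new_target = dict(target)
    for verb, email in plan:
        if verb in ("create", "update"):
            new_target[email] = source[email]
        elif verb == "suspend":
            new_target[email] = replace(target[email], suspended=True)
    return new_target


def summarize(plan: List[Action]) -> Dict[str, int]:
    """Counts per action, the kind of figures a post-sync report would carry."""
    counts = {"create": 0, "update": 0, "suspend": 0}
    for verb, _ in plan:
        counts[verb] += 1
    return counts


if __name__ == "__main__":
    first_run = plan_sync(LDAP_EXPORT, GOOGLE_DOMAIN)
    after = apply_plan(LDAP_EXPORT, GOOGLE_DOMAIN, first_run)
    print("plan:", first_run)
    print("report:", summarize(first_run))
    print("second run:", plan_sync(LDAP_EXPORT, after))  # empty: sync is idempotent
```

Running the block shows one update (bob's groups), one create (dana) and one suspend (carl); the second run plans nothing, and `LDAP_EXPORT` is identical before and after, which is the one-way property the notes call out.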
- Managed Microsoft AD
- Managed Service for Microsoft Active Directory (Managed Microsoft AD)
- Runs actual Microsoft AD domain controllers
- Supports both hybrid cloud and standalone cloud domains
- Deployment options:
- Extend an existing on-premises security zone into Google Cloud
- Create a new security zone (or zones) for cloud resources
Google Authentication vs SAML-based SSO
Two primary ways to handle Google user account authentication (mutually exclusive):
- Google authentication: a Google password is stored within Google's infrastructure
- Single Sign-On (SSO) authentication: Google operates as the service provider and your SSO system operates as the identity provider