Federation

Cloud Identity

Use Cases
  • Identity as a Service (IDaaS)
  • Used for managing users, groups, and domain-wide security settings (without paying for G Suite's collaboration products)
    • Gmail accounts and Google Groups
    • Users and groups in your G Suite domain
    • Users and groups in your Cloud Identity domain
  • Services included
    • SSO
    • Cloud Directory
    • User management
    • Device Management
Characteristics
  • Tied to a unique DNS name that is enabled for receiving email
    • The first domain name becomes the primary domain for the Organization
    • Multiple other domains can be associated with the Organization's Google account
  • Editions: Free / Premium
  • Deployment Options:
    • Can be used as a standalone service
    • Can be combined with Google Workspace
  • Accounts:
    • Each Google Workspace or Cloud Identity account is associated with one Organization
    • Organization Administrator IAM role must be assigned to a user/group

Cloud Directory Sync

Google Cloud Directory Sync
  • Syncing with Microsoft Active Directory: LDAP -> Cloud Identity
  • One-way synchronization: the data in AD is never modified
  • Directory Sync runs on-premises: no access to AD outside the perimeter
How Directory Sync works
  1. Data is exported from your LDAP server or Active Directory
  2. Directory Sync connects to the Google domain and generates a list of the Google users, groups, and shared contacts that you specify
  3. Directory Sync compares these lists and updates your Google domain to match the data
  4. When the synchronization is complete, a report is emailed
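As an added illustration of steps 1-3 (example code written here, not Google Cloud Directory Sync's own), a simplified one-way reconciliation in Python: the LDAP export is only read, the resulting plan lists changes for the Google side alone, and a suspend limit (an assumption of this example, in the spirit of a deletion limit) refuses to mass-suspend accounts when the export looks truncated. The `User`, `SyncPlan` and `plan_sync` names and the sample records are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:                      # record shared by the LDAP export and Google
    email: str
    given_name: str
    family_name: str
    suspended: bool = False

@dataclass
class SyncPlan:                  # changes for the Google side only
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    suspend: list = field(default_factory=list)

def plan_sync(ldap_users, google_users, max_suspends=5):
    """Steps 2-3 of the flow: compare the LDAP export (source of truth) with the
    Google user list and return what must change so Google matches LDAP."""
    ldap = {u.email.lower(): u for u in ldap_users}    # LDAP/AD is only read
    google = {u.email.lower(): u for u in google_users}
    plan = SyncPlan()
    for email, src in ldap.items():
        dst = google.get(email)
        if dst is None:
            plan.create.append(src)
        elif (src.given_name, src.family_name, src.suspended) != (
                dst.given_name, dst.family_name, dst.suspended):
            plan.update.append(src)
    for email, dst in google.items():
        if email not in ldap and not dst.suspended:
            plan.suspend.append(dst)  # gone from LDAP: suspend, do not delete
    # Guard (assumption of this example, in the spirit of a deletion limit):
    # a truncated or empty LDAP export must not mass-suspend the whole domain.
    if len(plan.suspend) > max_suspends:
        raise RuntimeError(f"{len(plan.suspend)} suspends exceed limit {max_suspends}")
    return plan

# Constructed sample data: step 1's LDAP export and the current Google listing.
LDAP_EXPORT = [User("alice@example.com", "Alice", "Smith"),
               User("bob@example.com", "Bob", "Jones"),
               User("carol@example.com", "Carol", "Lee")]
GOOGLE_USERS = [User("Alice@example.com", "Alice", "Smith"),
                User("bob@example.com", "Robert", "Jones"),
                User("dave@example.com", "Dave", "Kim")]

if __name__ == "__main__":
    p = plan_sync(LDAP_EXPORT, GOOGLE_USERS)
    print("create:", [u.email for u in p.create])    # ['carol@example.com']
    print("update:", [u.email for u in p.update])    # ['bob@example.com']
    print("suspend:", [u.email for u in p.suspend])  # ['dave@example.com']
```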
Managed Microsoft AD
  • Managed Service for Microsoft Active Directory (Managed Microsoft AD)
    • Runs actual Microsoft AD controllers
    • Supports both hybrid cloud and standalone cloud domains
  • Deployment options:
    • Extend an existing on-premises security zone into Google Cloud
    • Create a new security zone (or zones) for cloud resources

Google Authentication vs SAML-based SSO

Two primary ways to handle Google user account authentication (mutually exclusive):

  • Google authentication: a Google password is stored within Google's infrastructure
  • Single Sign-On (SSO) authentication: Google operates as the service provider and your SSO system operates as the identity provider