Federation

Cloud Identity

Use Cases

• Identity as a Service (IDaaS)
• Used for managing users, groups, and domain-wide security settings (without paying for G Suite's collaboration products)
  • Gmail accounts and Google Groups
  • Users and groups in your G Suite domain
  • Users and groups in your Cloud Identity domain
• Services included
  • SSO
  • Cloud Directory
  • User management
  • Device Management

Characteristics

• Tied to a unique DNS name that is enabled for receiving email
  • The first domain name becomes the primary domain for the Organization
  • Multiple other domains can be associated with the Organization's Google account
• Editions: Free / Premium
• Deployment Options:
  • Can be used as a standalone service
  • Can be combined with Google Workspace
• Accounts:
  • Each Google Workspace or Cloud Identity account is associated with one Organization
  • Organization Administrator IAM role must be assigned to a user/group

Cloud Directory Sync

Google Cloud Directory Sync	Syncing with Microsoft Active Directory: LDAP -> Cloud Identity One-way synchronization: the data in AD is never modified Directory Sync runs on-premises: no access to AD outside the perimeter
How Directory Sync works	Data is exported from your LDAP server or Active Directory Directory Sync connects to the Google domain and generates a list of Google uses, groups, and shared contacts that you specify Directory Sync compares these lists and updates your Google domain to match the data When the synchronization is complete, a report is emailed
Managed Microsoft AD	Managed Service for Microsoft Active Directory (Managed Microsoft AD) Runs actual Microsoft AD controllers Supports both hybrid cloud and standalone cloud domains Deployment options: Extend an existing on-premises security zone into Google Cloud Create a new security zone (or zones) for cloud resources

Google Authentication vs SAML-based SSO

Two primary ways to handle Google user account authentication (mutually exclusive):

Google authentication	A Google password is stored within Google's infrastructure
Single Sign-On (SSO) authentication	Google operates as the service provider and your SSO system operates as the identity provider

Workforce Identity Federation

• Provide employees and extended workforce with secure access to Google Cloud services and resources using existing identity management solutions
• Introducing new capabilities in Workforce Identity Federation to help you effectively manage identity and access to Google Cloud: New capabilities and services in Workforce Identity Federation can make it easier to manage your identity and access across multiple Google Cloud services