Federation
Cloud Identity
- Use Cases
- Identity as a Service (IDaaS)
- Used for managing users, groups, and domain-wide security settings (without paying for G Suite's collaboration products)
- Gmail accounts and Google Groups
- Users and groups in your G Suite domain
- Users and groups in your Cloud Identity domain
- Services included
  - SSO
  - Cloud Directory
  - User management
  - Device Management
- Characteristics
- Tied to a unique DNS name that is enabled for receiving email
- The first domain name becomes the primary domain for the Organization
- Multiple other domains can be associated with the Organization's Google account
- Editions: Free / Premium
- Deployment Options:
  - Can be used as a standalone service
  - Can be combined with Google Workspace
- Accounts:
  - Each Google Workspace or Cloud Identity account is associated with one Organization
  - Organization Administrator IAM role must be assigned to a user/group
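
An added example, not part of the original notes: a check over an organization-level IAM policy that lists who holds the Organization Administrator role and flags members whose identity lies outside the organization's Cloud Identity / Google Workspace domains. The sample policy, the `example.com` domain and the finding labels are constructed for illustration.

```python
import json

# Role ID of the Organization Administrator IAM role.
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"

# Constructed sample in the shape printed by
# `gcloud organizations get-iam-policy ORG_ID --format=json`; all names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:gcp-org-admins@example.com",
                 "user:alice@example.com",
                 "user:contractor@gmail.com",
                 "deleted:user:bob@example.com?uid=123456789"]},
    {"role": "roles/viewer", "members": ["domain:example.com"]}
  ]
}
""")

def audit_org_admins(policy, org_domains):
    """Return (member, finding) pairs for every Organization Administrator member."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ORG_ADMIN:
            continue
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                findings.append((member, "deleted principal still bound"))
                continue
            kind, _, email = member.partition(":")
            domain = email.rpartition("@")[2].lower()
            if kind not in ("user", "group"):
                findings.append((member, "not a user or group"))
            elif domain not in org_domains:
                findings.append((member, "identity outside the organization's domains"))
            elif kind == "user":
                findings.append((member, "direct user grant"))
            else:
                findings.append((member, "ok"))
    return findings

if __name__ == "__main__":
    # org_domains: the primary domain plus any other domains associated with the Organization.
    for member, finding in audit_org_admins(SAMPLE_POLICY, {"example.com"}):
        print(f"{finding:45} {member}")
```
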
Cloud Directory Sync

[Figures: Google Cloud Directory Sync; How Directory Sync works; Managed Microsoft AD]
Google Authentication vs SAML-based SSO
Two primary ways to handle Google user account authentication (mutually exclusive):
| Method | How it works |
| --- | --- |
| Google authentication | A Google password is stored within Google's infrastructure |
| Single Sign-On (SSO) authentication | Google operates as the service provider and your SSO system operates as the identity provider |
Workforce Identity Federation
- Provide employees and extended workforce with secure access to Google Cloud services and resources using existing identity management solutions
- Introducing new capabilities in Workforce Identity Federation to help you effectively manage identity and access to Google Cloud: New capabilities and services in Workforce Identity Federation can make it easier to manage your identity and access across multiple Google Cloud services