2023-10-05 | Article | Insights
In most Microsoft-dominant infrastructures, IT teams face the challenge of integrating Google Cloud with their existing identity management provider. What we see at most of our clients is employees signing up with their corporate email address to create a Google user account. These so-called consumer user accounts are unmanaged, undocumented and inaccessible to the IT department. Companies with Google consumer user accounts run the risk of employees setting insecure passwords, of employees keeping an account with access to mission-critical applications in Google Cloud after leaving the company, and of not being able to enforce account suspension when employees no longer require access to Google Cloud. By implementing Cloud Identity, you can extend your leading identity provider (IdP) to Google Cloud. This allows federating identities from the leading IdP to Google Cloud and hence tying the lifecycle of Google identities to the existing users in your leading IdP.
In a previous article we described the advantages of Cloud Identity for both users and IT administrators in detail. This article focuses on how to integrate Cloud Identity into a Microsoft-dominant infrastructure.
Cloud Identity offers out-of-the-box integration capabilities for Azure AD and Active Directory. Hence, companies using one of these IdPs can seamlessly integrate Cloud Identity. If both Azure AD and Active Directory are used within the organization, we usually recommend federating Cloud Identity with Azure AD. However, this is a decision that should be made individually for every company.
The logical structure of Azure AD or Active Directory has some similarities to that of Google Cloud. However, no single mapping between the structures works equally well in every scenario. We recommend mapping the Azure AD tenant, DNS domains, users and groups according to how Google Cloud is used. Provisioning can be enabled for a subset of users based on attributes, group membership or organizational units. In all cases, the minimum information required to map users is a stable, unique ID and a human-readable email address. Therefore, the most practical option is to map users by their corporate email address. After deciding on a mapping between Azure AD or Active Directory and Cloud Identity, you need to decide on user lifecycle management. The following table describes the default behavior of Azure AD provisioning. It can be modified to fit your organization’s needs. As part of a Cloud Identity implementation project, we will consult you on best practices, whatever structure you currently have in Azure AD or Active Directory.
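To make the mapping and lifecycle rules above concrete, here is an added example (not code from Google, Microsoft or this article) that plans a sync run: users are matched on the stable source ID first and the corporate email second, only members of an in-scope group are provisioned, and accounts that are disabled or gone at the source are suspended rather than deleted. The field names (id, upn, enabled, groups, external_id) and all sample records are assumptions constructed for the example.

```python
# Added example: reconcile a source directory (Azure AD / Active Directory)
# with Cloud Identity. Field names are assumptions loosely modelled on Azure AD
# (objectId -> id, userPrincipalName -> upn, accountEnabled -> enabled).
SOURCE_USERS = [  # constructed sample export from the leading IdP
    {"id": "u-1", "upn": "alice@example.com", "enabled": True, "groups": {"gcp-users"}},
    {"id": "u-2", "upn": "bob@example.com", "enabled": False, "groups": {"gcp-users"}},
    {"id": "u-3", "upn": "carol@example.com", "enabled": True, "groups": {"finance"}},
    {"id": "u-4", "upn": "dave.new@example.com", "enabled": True, "groups": {"gcp-users"}},
    {"id": "u-5", "upn": "frank@example.com", "enabled": True, "groups": {"gcp-users"}},
]
# Constructed Cloud Identity state, keyed by primary email; external_id stores the source's stable ID.
CLOUD_USERS = {
    "alice@example.com": {"external_id": "u-1", "suspended": False},
    "bob@example.com": {"external_id": "u-2", "suspended": False},    # disabled at source
    "dave@example.com": {"external_id": "u-4", "suspended": False},   # renamed at source
    "eve@example.com": {"external_id": "u-9", "suspended": False},    # no longer at source
}
IN_SCOPE_GROUP = "gcp-users"  # only members of this group are provisioned


def plan_sync(source, cloud, scope_group):
    """Return sorted (action, detail) tuples. Accounts are suspended, never
    deleted, so audit trails and owned resources survive an offboarding."""
    actions, seen = [], set()
    by_ext_id = {v["external_id"]: email for email, v in cloud.items()}
    for u in source:
        in_scope = u["enabled"] and scope_group in u["groups"]
        # Match on the stable ID first so an email change becomes a rename,
        # not a duplicate account; fall back to the corporate email.
        existing = by_ext_id.get(u["id"]) or (u["upn"] if u["upn"] in cloud else None)
        if existing:
            seen.add(existing)
        if not in_scope:
            if existing and not cloud[existing]["suspended"]:
                actions.append(("suspend", existing))
            continue  # never create accounts outside the provisioning scope
        if existing is None:
            actions.append(("create", u["upn"]))
        elif existing != u["upn"]:
            actions.append(("rename", f"{existing}->{u['upn']}"))
        elif cloud[existing]["suspended"]:
            actions.append(("unsuspend", existing))
    # Anything in Cloud Identity that no source user claimed has left the IdP.
    for email, v in cloud.items():
        if email not in seen and not v["suspended"]:
            actions.append(("suspend", email))
    return sorted(actions)
```

Calling plan_sync(SOURCE_USERS, CLOUD_USERS, IN_SCOPE_GROUP) yields one create (frank), one rename (dave) and two suspensions (bob, eve); carol is ignored because she is outside the in-scope group.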
To synchronize Azure AD to Cloud Identity, you can use a gallery application from the Azure Marketplace. The application is developed and maintained by Microsoft. It provides a simple step-by-step user interface for connecting Google Cloud to Azure AD, is free to use and supports enterprise single sign-on.
To federate Cloud Identity with Active Directory, you need to install Google Cloud Directory Sync (GCDS). The program should be installed within your company network and runs on any Windows or Linux server. It provides a user interface to configure federation from Active Directory to Google Cloud. GCDS is free of charge.
Cloud Identity integrates seamlessly with Azure AD or Active Directory and automates user lifecycle management. Single sign-on can be enabled out of the box to drastically improve password security in your organization when working with Google Cloud. We believe that Cloud Identity is foundational to IT security and governance when working with Google Cloud.
Please reach out to us if you have any questions or would like to discuss the possibilities of integrating Cloud Identity into your organization. We are here to provide any advice you may need with Cloud Identity.