Cloud Identity Management with Google

Liam Ormond - Published on 29.03.2023

Google Cloud Identity forms the basis for the management of users and groups within the Google Admin Console. However, the Cloud Identity Provider is by no means limited to the applications and services of Google Workspace but also paves the way to the systems of many third-party providers.

If companies pursue a consistent cloud strategy, they increasingly face the challenge of orchestrating the applications and services of numerous providers and combining them into a solution tailored to their needs. Google's product portfolio already offers a comprehensive solution for everyday office use. But many companies also need additional services, such as Asana for project management, Zendesk's CRM solutions, or developer tools from Atlassian, to name just a few examples. This is where Identity and Access Management (IAM) comes into play. Its goal is to centrally manage user access and authorizations for all applications and resources in the company.

Specialized cloud providers, such as Okta, Ping Identity or OneLogin, have coined the term Identity-as-a-Service (IDaaS) for this purpose. But companies do not necessarily need the support of third-party providers for secure access even to complex cloud environments.

What is Google Cloud Identity?

Customers of Google Workspace or the Google Cloud (formerly Google Cloud Platform) automatically have access to the integrated Cloud Identity Provider (IdP) at no additional cost. Administrators use the Google Admin Console to manage users and groups, with Google Cloud Identity Management working under the hood.

Cloud Identity provides secure and reliable methods for identifying and authenticating users and then authorizing access to various Google and third-party systems and data. The solution supports multi-factor authentication (MFA) via Google Authenticator and single sign-on (SSO) to reduce the number of passwords users need to manage.

Cloud Identity also makes it easier to collaborate with external users, such as customers, project partners and suppliers, who are not granted full user access but are expected to contribute to shared Google documents or projects in the Google Cloud. With Cloud Identity, organizations can provide an account to such a user without incurring additional costs for a Google Workspace license. They can include the user in company-wide Google Meet video conferences, share documents, or even set up SSO for other company services.

Why Google Cloud Identity?

Google's IdP is by no means limited to regulating access to the company's own services. Cloud Identity supports the Security Assertion Markup Language (SAML) and the OpenID Connect (OIDC) authentication layer, which is based on the OAuth 2.0 authorization framework. Using SAML and OIDC, a Cloud Identity account can be used to log in to many other websites, apps, and services.

In the Google Admin Console, administrators can find the drop-down menu "Add app" under "Apps \ Web and mobile apps" in the main window. There they can integrate private iOS, Android and web apps, or even custom SAML apps. Alternatively, they have the option to browse the rich catalog of supported third-party providers.

[Screenshot: Cloud Identity Management with Google]
Google Cloud Identity bridges the gap to logging in to numerous third-party web applications.

Connecting third-party providers via SAML

If administrators choose a provider, such as Atlassian, a wizard guides them through its integration. In the first step, they can download the metadata from Google's IdP as an XML file or copy the SSO URL, entity ID, and certificate along with its SHA-256 fingerprint for manual setup on the other side. In the second step, they configure the third-party information. The basic structure of the URLs is already predefined; the details needed to complete them are usually provided by the external provider.

In the third and final step, they configure the mapping of attributes of the Cloud Identity accounts to the user accounts in the target system. Here, too, the mandatory attributes expected by the target system are already predefined, and admins can optionally synchronize additional attributes as well as group memberships.
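The metadata exported in the first step is what the service-provider side later trusts, so it pays to read the entity ID, SSO URL and signing-certificate fingerprint out of the XML itself and compare them with what the Admin Console and the third-party wizard display. The following example is added here and is not code from the original article or from Google; the metadata document is constructed (URL shapes mirror Google's published SAML endpoints, but the `idpid` value and the certificate payload are placeholders).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the XML the Admin Console exports. The
# idpid "C00example" is a placeholder and the certificate payload ("YWJj", i.e.
# the bytes b"abc") stands in for a real DER-encoded X.509 certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C00example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, colon-separated as the Admin Console displays it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Only the key marked use="signing" validates assertions; ignore encryption keys.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                    "ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(REDIRECT) or sso.get(POST)
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("SSO URL missing or not served over HTTPS")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "sha256_fingerprint": cert_fingerprint(cert.text),
            "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true"}
```

Run it against the real metadata file downloaded from the console; a fingerprint that differs from the one shown in the third-party wizard means the wrong certificate (or a stale one after a key rotation) is about to be trusted.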

Whether a target system supports automatic provisioning of user accounts depends on the vendor and its pricing tiers. Some vendors only offer auto-provisioning in higher and therefore more expensive business or enterprise tiers. But even when accounts are managed manually in the third-party vendor's system, integration with Cloud Identity offers clear advantages: users can use just one account for many systems, and the IdP centrally controls whether users can access the third-party solutions or not. Those responsible do not have to make this decision across the board for all users, but can flexibly assign permissions to the individual integrations based on organizational units or groups within the Google Admin Console.

Conclusion on Cloud Identity Management

If your organization is already using solutions like Google Workspace or Google Cloud, Cloud Identity provides a solid foundation for IAM. But even if you're still on the migration path, Cloud Identity opens up so many opportunities to simplify IT infrastructure, reduce costs, and improve user experience that it makes sense not only to use the solution for Google's services, but to completely replace existing third-party solutions for IAM and IDaaS. We will be happy to help you with this.
