I am looking at this document (https://cloud.google.com/identity-platform/docs/concepts-manage-users) that talks about email verification, which is necessary for Google Cloud Identity Platform's automatic account linking and de-duplication features.
Under the heading "Untrusted providers", both Google and GitHub are listed.
How is it possible for someone to have a Google and/or GitHub account without verifying their email? I have explored various ways to create a Google account and/or to modify the email address of my Google account, but I have not been able to change my email address without confirming ownership of the email address.
Our company uses different Google services (one of them being GCP). We are going to move our e-mail accounts to another mail supplier and we are wondering what the impact will be on the existing GCP services that certain users use. To make it clear, our @companyname.com mails are currently hosted by Google and they will be moved to another supplier.
Will the users (identified by their e-mail address) keep on working "seamlessly" with GCP even if we do not use Google's mail anymore?
Thanks in advance.
Posting this community wiki answer for better usability.
John Hanley wrote:
If you are using Google Workplace for email and for Google Cloud IAM, you will NOT be able to move those identities to another email platform without keeping the Workplace account. The authentication must be handled by a Google account (Gmail, Workplace, Identity Platform).
You can move your email (send/receive) to another platform. It is the authentication/authorization part that must stay with Google. You can have email for your domain hosted by another provider and still keep Google Workplace. Otherwise, you will need to create new Gmail or Identity Platform identities for Google Cloud IAM.
We have a site for our customers to log onto to get their relevant data. We have set it up on AWS using Cognito for user authentication. Each customer navigates to the same URL, enters their credentials, and then gets shown their own information. One of our customers has a corporate policy for any SaaS offering requiring an SSO (using SAML 2.0). Our other customers do not need the SSO mechanism.
I have read through the documents AWS provides: (https://docs.aws.amazon.com/singlesignon/index.html) but these appear to be focused on a single corporation with AWS accounts for services provided by AWS. I have not been able to find any articles that address the situation.
Specific questions I have:
Is the AWS SSO mechanism the correct mechanism to use to achieve the goals? I have read in one Q&A that it is better to manipulate this through Cognito (but I cannot find the relevant article to link here).
If we set up one company to use SSO, can other companies use the credentials we set up to go to the same site?
Can we set up multiple companies to use the SSO separately, or will the application of a second SAML overwrite the first? (This doesn't seem likely, as there would be updates to applicable users.)
Any articles that can help point me in the best direction are greatly appreciated.
AWS SSO would be a different AWS service you would have to integrate your application with.
If you're already using Cognito, you should be adding their SAML provider as a Cognito identity pool instead of adding AWS SSO.
I want to create a user account for contacting developers using their own email addresses, not a new Gmail user in my account. Google Cloud Platform seems to let me create the users, but they never receive an email and hence can't complete the account creation.
As it happens, they are Google Docs users with their own Google accounts, but naturally they'd rather not have yet another email address. Is this even possible or does Google tie Google Cloud Platform into Google Docs? It seems a major limitation of Google Cloud Platform if they do.
Google Cloud Platform, G Suite (formerly "Google Docs") and all other Google services share an identity system. The identity system requires humans to have user accounts while software|machines have service accounts. One Google user account equals one user.
There are 2 flavors of (Google) user accounts: [your-name]@gmail.com and those created by an organization for its users, such as someone@acme.com. For example, Google uses Google identity internally and so Googlers have emails [their-name]@google.com.
When you create a Google Cloud Platform project, anyone with a Google account may be added to it, whether their Google account is something@gmail.com or an account created by their employer for them.
The only time your users will receive an email from you when you add them to a Google Cloud Platform project is if you make them project owners. This is because ownership requires acceptance of Google's Terms of Service. Other types of users will be added without receiving an email (from Google about it) but will be able to access your project's resources.
I suspect your users have been added correctly and you're ready to go!
The simplest is to share a directory with those off-domain email addresses.
This is possible because Google Docs is backed by Google Drive as storage.
Setting them up with IAM would only add complexity, which is not required
(at least, unless you won't have to grant them access to GCP resources).
I created a Google Cloud instance for a client and handed over the details to them, but now they don't know the Google console email address. They know the IP because the app deployed there is still running. It may be time to pay soon, and not knowing the console details means they will not be able to pay.
Is there a way to get the details from the IP address of the console instance?
Without being able to login to the Google Cloud Console, you will have problems.
Note: I am listing contact Google Support as a last example because you do not have paid Google Support. Google Support only offers billing question support for free. Since you cannot sign into the Google Cloud Console, you cannot sign up to pay for support. However, losing your login might qualify as billing support since you need to pay for your services to keep them running.
Techniques:
If you have access to a computer that has logged into the Google Cloud Console, try. A list of Google Accounts will be displayed to choose from. No guarantee, but usually people do not delete old accounts from Google Accounts. Try each one to access the Google Console. If you / they have forgotten the password, go through the lost password process.
When you sign up for Google Cloud, emails are sent to the account email address. Have everyone do a search for Google Cloud. My welcome email came from CloudPlatform-noreply@google.com.
If you have created a Service Account, the JSON file will have the Project ID. This is globally unique and Google could look up the account holder and send that person an email. Contact Google Support in this case.
If you have a system that you set up the gcloud tools on for this project, run the command gcloud auth list. This will display the authenticated accounts. Usually one of them is a Google Accounts account that can log in to the Google Console.
Google Support can map the public IP address to an account. Contact Google Support in this case.
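The service account technique above, as an added example that is not part of the original answer: a Python sketch that walks a directory for service account key files and reports the Project ID and service account email to pass to Google Support, without ever emitting the private key. It assumes the standard key file fields (`type`, `project_id`, `client_email`, `private_key_id`); the function names and all sample values are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Fields that are safe to report; private_key is deliberately never copied out.
REPORTED_FIELDS = ("project_id", "client_email", "private_key_id")


def find_service_account_keys(root):
    """Return one dict per service account key file found under root."""
    found = []
    for path in sorted(Path(root).rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable, not UTF-8, or not valid JSON
        # Key files downloaded from the console carry this type marker.
        if not isinstance(data, dict) or data.get("type") != "service_account":
            continue
        entry = {"file": path.name}
        entry.update({k: data.get(k) for k in REPORTED_FIELDS})
        found.append(entry)
    return found


def project_ids(root):
    """Distinct Project IDs referenced by key files under root."""
    keys = find_service_account_keys(root)
    return sorted({e["project_id"] for e in keys if e["project_id"]})


def demo():
    # Constructed sample data: one fake key file plus two unrelated files.
    key = {
        "type": "service_account",
        "project_id": "example-project-123",
        "private_key_id": "0000placeholder",
        "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
        "client_email": "app@example-project-123.iam.gserviceaccount.com",
    }
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app-key.json").write_text(json.dumps(key))
        (Path(tmp) / "package.json").write_text('{"name": "webapp"}')
        (Path(tmp) / "broken.json").write_text("{not json")
        return find_service_account_keys(tmp), project_ids(tmp)


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Point `find_service_account_keys` at the application's deployment or configuration directory on the running instance; the `client_email` domain also embeds the Project ID.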
At my company we want to start hosting our applications on Google Cloud Platform, so I signed up, which asked me to create a Google Account, so I used my business email address pablo.fernandez@example.com to do so. But now it looks like this is an organization-less account. When I try to sign up for Cloud Identity, so that we can have an organization and other users in the GCP account, I get this error:
Does GCP require me to sign up with a temporary throwaway email so I can set it up correctly? At any rate, how do I move forward from here?
Although Cloud identity is a separate service from G Suite, most probably the same rules apply when managing users: https://support.google.com/a/answer/7044710?hl=en
Before you add users to your organization's Google domain, you should check if they have a personal Google Account with the same email address that you plan to use for their managed Google Account. Two accounts can’t share the same email address. If they do, you have 2 options:
Option 1: Invite your users to transfer or rename their existing account (using a tool in the Google Admin console).
Option 2: Require users to rename their existing account.
Learn more about conflicting accounts.
I believe it is because ultimately they are all "Google accounts"; it is just that G Suite and Cloud Identity accounts belong to an Organization.