GCP Cloud identity free still available? - google-cloud-platform

Trying to set up Google Cloud Identity Free for testing organizational policies.
However, I'm always redirected to G Suite and can't seem to get Cloud Identity Free enabled.
Is it still available, or was it deprecated?

Google Cloud Identity has not been deprecated. Google Cloud Identity does not require G Suite, but if you do have G Suite, then this service is integrated into your G Suite account.
If you are having a problem with the redirection, open your browser in incognito mode.

Related

SSO with Azure AD and GCP

Hey, I am wondering if anyone knows how to set up SSO with GCP with Azure AD being the third-party IdP? The problem I'm facing is we are applying to the production environment and we need to add SSO on a single-user basis. How would I go about configuring just one user on GCP to utilize AAD for sign-on? I've seen something in reference to adding the "network mask" of the user, but I'm having trouble locating it?
You can integrate Azure Active Directory single sign-on (SSO) with Google Cloud (G Suite) Connector.
1. First you need to add Google Cloud (G Suite) Connector from the gallery.
2. You need to enable SSO for that application.
3. You need to create a test user and add the user to the application.
4. Configure Google Cloud SSO (for this you need to log in to the Google Cloud G Suite admin console).
5. Now you need to create a Google Cloud (G Suite) Connector test user.
All the configuration steps are available in this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial#configure-google-cloud-g-suite-connector-sso.
Note: We cannot enable single sign-on for only a subset of Google Cloud (G Suite) Connector users. Google Cloud (G Suite) Connector doesn't support having multiple identity providers; the identity provider for your Google Cloud (G Suite) Connector environment can be either Azure AD or Google, but not both at the same time.
You can create Google SSO profile assignments by group, user or organizational unit and have them bypass third-party IdP authentication and instead authenticate against Google. See starting at step 5. Haven't tested it but working on it now.
https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F60224%3Fhl%3Den&product_context=60224&product_name=UnuFlow&trigger_context=a

Is it possible to apply Context-aware access when using managed Google accounts as a way to sign in to third-party cloud apps?

Here is an example. Let's imagine we use a cloud app, for example Intercom, and we force Intercom users to use their G Suite accounts to sign in to Intercom.
We know that Google provides the ability to set up Context-aware access with G Suite Enterprise or Cloud Identity Premium licenses.
So here is the question: if we have G Suite Enterprise or Cloud Identity Premium licenses, can we apply Context-aware access rules (for example, restrictions by IP) to the process of signing in to third-party cloud apps (like Intercom) using G Suite managed accounts?
This is not traditional single sign-on (SSO); this is Google Sign-In.
This is more of a comment than an answer; I haven't got the "reputation" yet to make a simple comment, so here is what I have found so far:
According to the documentation, one of the Context-aware access features is:
“Enforce context-aware access policies for web apps hosted on GCP, on your premises, or other public clouds, including Amazon Web Services (AWS) and Microsoft Azure.” [1]
Therefore what you are asking should be possible.
[1] Features
https://cloud.google.com/context-aware-access
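As an added illustration of the IP restriction the question asks about (this is not part of the original question or answer, and it calls no Google API), the following Go program models how a basic Access Context Manager access level is evaluated against a sign-in: within one condition every attribute that is set (ipSubnetworks, regions) must match, the conditions are joined by a combining function (AND or OR), and negate inverts a condition. The access level, the sign-in attempts and the user names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Condition mirrors one entry in a basic access level's "conditions" list.
// Every attribute that is set must match; an empty attribute does not
// constrain the request.
type Condition struct {
	IPSubnetworks []string // CIDR ranges, e.g. "203.0.113.0/24"
	Regions       []string // ISO 3166-1 alpha-2 country codes, e.g. "US"
	Negate        bool     // invert this condition's result
}

// AccessLevel is a basic access level: conditions joined by a combining
// function, "AND" (the default) or "OR".
type AccessLevel struct {
	Name       string
	Conditions []Condition
	Combine    string
}

// SignIn is a constructed sign-in attempt with the attributes the level inspects.
type SignIn struct {
	User   string
	IP     string // client address as seen by Google
	Region string // country the address geolocates to
}

func (c Condition) matches(s SignIn) (bool, error) {
	ok := true
	if len(c.IPSubnetworks) > 0 {
		ip, err := netip.ParseAddr(s.IP)
		if err != nil {
			return false, fmt.Errorf("bad client IP %q: %w", s.IP, err)
		}
		ip = ip.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it wraps
		inRange := false
		for _, cidr := range c.IPSubnetworks {
			p, err := netip.ParsePrefix(cidr)
			if err != nil {
				return false, fmt.Errorf("bad ipSubnetworks entry %q: %w", cidr, err)
			}
			if p.Contains(ip) {
				inRange = true
				break
			}
		}
		ok = ok && inRange
	}
	if len(c.Regions) > 0 {
		inRegion := false
		for _, r := range c.Regions {
			if strings.EqualFold(r, s.Region) {
				inRegion = true
				break
			}
		}
		ok = ok && inRegion
	}
	if c.Negate {
		ok = !ok
	}
	return ok, nil
}

// Evaluate reports whether the sign-in satisfies the access level. A level
// with no conditions, or malformed input, denies (fail closed).
func (l AccessLevel) Evaluate(s SignIn) (bool, error) {
	if len(l.Conditions) == 0 {
		return false, nil
	}
	useOr := strings.EqualFold(l.Combine, "OR")
	result := !useOr // AND starts true, OR starts false
	for _, c := range l.Conditions {
		m, err := c.matches(s)
		if err != nil {
			return false, err
		}
		if useOr {
			result = result || m
		} else {
			result = result && m
		}
	}
	return result, nil
}

func main() {
	corp := AccessLevel{Name: "corp_network", Conditions: []Condition{{
		IPSubnetworks: []string{"203.0.113.0/24", "2001:db8::/32"},
		Regions:       []string{"US", "DE"},
	}}}
	for _, s := range []SignIn{
		{User: "alice@example.com", IP: "203.0.113.10", Region: "US"},
		{User: "bob@example.com", IP: "198.51.100.5", Region: "US"},
		{User: "carol@example.com", IP: "not-an-ip", Region: "DE"},
	} {
		allowed, err := corp.Evaluate(s)
		fmt.Printf("%-18s %-16s %s allowed=%v err=%v\n", s.User, s.IP, s.Region, allowed, err)
	}
}
```

The evaluator is deliberately fail-closed: an unparsable address or an empty level denies, and IPv4-mapped IPv6 addresses are unmapped before the range check so a corporate /24 cannot be bypassed by presenting the same address in ::ffff: form. Whether Google applies such a level to a Google Sign-In flow into a third-party app is exactly what the question asks and the answer above can only infer from the feature list.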

What are the differences between GCP service accounts and user accounts?

I wanted to use a service account to manage VM instances on GCE remotely. It did not work, hence this question. One difference I found between a service account and a user account, after many hours of trial and error, is that there seems to be no way to use a service account to SSH into a VM instance.
What are the other differences?
Links I found related to my question:
https://groups.google.com/forum/#!topic/gce-discussion/Z6OMpVhvowQ
Logging into google compute engine with a service account
The accepted answer is correct but lacks a deeper understanding of what credentials are in Google Cloud.
There are a number of types of credentials: User, Service Account, Group, Domain, etc. The difference is what the credentials represent and what the authority for those credentials is. Internally they are the same in regards to structure, content, etc.
All of the credential types are OAuth 2 credentials. A User Account credential is one that is issued by Google Accounts, G Suite or Identity Server. These credentials cannot be created by you or your software without Google; they are issued by Google. Service Accounts, on the other hand, can create their own credentials, as the service account contains the private key used to sign the credentials. The private key is used to create a signed JWT that is then exchanged for an OAuth access token, refresh token, and identity token. A Service Account is just a type of OAuth credential.
Google does not want user credentials used to access Google Cloud resources except through the Google Cloud Console or the Google Cloud SDK tools and CLI. This is a security issue and by design. Otherwise, the use and behavior are nearly identical, except that some privileges cannot be assigned to some credential types.
By design, service accounts in Google are meant for non-human users. They are a type of account used by resources in your Google project (i.e. the Compute Engine service account, the App Engine service account, etc.).
Service accounts are designed as a type of account that is used by your Google Cloud resources to communicate with other Google Cloud services (i.e. GCE to App Engine to Cloud Functions, App Engine to Google APIs like the Vision API or Speech-to-Text, App Engine to Cloud SQL, etc.).
You may refer to the Google documentation here for more details:

How to use GCP service account in Google Cloud Function?

I have a Google Cloud Platform service account with domain-wide authority. I can add it to a Google Analytics API call from my terminal and it works correctly. However, I would like to run that same script as a Google Cloud Function and reference the service account in GCP without including the client_secret_service_account.json file (like below) in the repository or anywhere outside of GCP. Is that possible?
KEY_FILE_LOCATION = 'client_secret_service_account.json'
You can now reference the service account when deploying Cloud Functions. Check the documentation for gcloud.
When using the GCP console, expand "Advanced options" to specify the service account.
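To make the answer above concrete, here is an added Go example (not from the original page and not Google's client library) of what a function gets instead of a key file once it has been deployed with a service account: it asks the metadata server for an access token for the attached account and uses it as a bearer token on an API call. So that it runs offline, it starts a constructed stand-in for metadata.google.internal that applies the same Metadata-Flavor header check as the real server; the token value, scope and target URL are made up for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// MetadataHost is what a Cloud Function (or any GCE-backed runtime) reaches;
// the fake server below replaces it so the example runs offline.
const MetadataHost = "http://metadata.google.internal"

// TokenPath returns a token for the service account attached to the runtime.
const TokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

type AccessToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// FetchRuntimeToken obtains an access token without any key material: the
// platform mints it for the account chosen at deploy time (--service-account).
func FetchRuntimeToken(base, scopes string) (AccessToken, error) {
	var tok AccessToken
	req, err := http.NewRequest(http.MethodGet, base+TokenPath+"?scopes="+url.QueryEscape(scopes), nil)
	if err != nil {
		return tok, err
	}
	// Mandatory: the metadata server refuses requests without this header, which
	// blocks requests relayed through clients that cannot set custom headers.
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := (&http.Client{Timeout: 2 * time.Second}).Do(req)
	if err != nil {
		return tok, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return tok, fmt.Errorf("metadata server returned %s", resp.Status)
	}
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return tok, err
	}
	if tok.AccessToken == "" {
		return tok, errors.New("metadata server returned an empty token")
	}
	return tok, nil
}

// AuthorizedRequest attaches the token to an API call, e.g. to the Analytics API.
func AuthorizedRequest(tok AccessToken, apiURL string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, apiURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", tok.TokenType+" "+tok.AccessToken)
	return req, nil
}

// NewFakeMetadataServer is a constructed stand-in for the real endpoint. It
// mirrors the real server's refusal of requests that lack Metadata-Flavor.
func NewFakeMetadataServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata-Flavor") != "Google" {
			http.Error(w, "Missing Metadata-Flavor:Google header", http.StatusForbidden)
			return
		}
		if r.URL.Path != TokenPath {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(AccessToken{AccessToken: "ya29.constructed-token", ExpiresIn: 3599, TokenType: "Bearer"})
	}))
}

func main() {
	srv := NewFakeMetadataServer() // in a deployed function use MetadataHost instead
	defer srv.Close()
	tok, err := FetchRuntimeToken(srv.URL, "https://www.googleapis.com/auth/analytics.readonly")
	fmt.Printf("token=%q expires_in=%d err=%v\n", tok.AccessToken, tok.ExpiresIn, err)
}
```

In a deployed function the base is MetadataHost; the Google client libraries perform this same lookup under the name Application Default Credentials, which is why the KEY_FILE_LOCATION in the question can simply be dropped. One caveat for the domain-wide delegation case in the question: the metadata token is for the service account itself, not for an impersonated user. Delegated access still needs a JWT carrying a sub claim signed by the service account, and without a key file that signing is done through the IAM Credentials API's signJwt method.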

Can I restrict access to a Google site to some Google Cloud Identity users?

Maybe my question is basic. I have a domain on Google Cloud Identity Free Edition. I created a Google Site with a super admin account (with a G Suite license); however, I need to share that site with other users who have a Cloud Identity license. I shared the site, but they can't see it. Do I need to add some configuration? Or is it not possible to access a Google Site (view only) without a G Suite license?
Google Cloud Identity users can't access any G Suite services, including free services available through a Gmail account.