While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console.
The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platformWhen migrating an organization's infrastructure to Google Cloud Platform (GCP), it is common for a large number of users to need access to the GCP Console. In this scenario, the organization's Identity Management team has a well-established way to manage users and wants to keep using the existing Active Directory or LDAP server along with the existing SSO password.
To meet this requirement, there are a few different approaches that could be taken. Let's go through each of the options provided and explain them in more detail:
A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server: This option involves manually synchronizing the user data between the organization's Active Directory or LDAP server and the Google domain. While this may be a viable solution for smaller organizations, it can become cumbersome and error-prone for larger organizations with many users. Additionally, manual synchronization may not be real-time, which can cause delays in updating user information.
B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server: This option involves using Google Cloud Directory Sync (GCDS) to automatically synchronize the user data between the organization's Active Directory or LDAP server and the Google domain. GCDS can be configured to run on a schedule, ensuring that user data is always up to date. This approach is much more scalable and efficient than manually synchronizing the data.
C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider: This option involves allowing users to sign in directly to the GCP Console using their on-premises Kerberos compliant identity provider (IdP). This approach requires configuring the organization's IdP to trust the GCP Console and issue Kerberos tickets to users. While this approach provides a high level of security, it may be more difficult to set up and manage than the other options.
D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console: This option involves allowing users to sign in using an OpenID Connect (OIDC) compatible IdP. The IdP issues an authentication token to the user, which is then used to log in to the GCP Console. This approach is similar to using SAML for SSO, but OIDC provides more flexibility and is easier to set up. However, it does require the organization to have an OIDC compatible IdP.
In summary, option B (Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server) is likely the best choice for most organizations. It provides an efficient and scalable way to keep user data synchronized between the organization's existing identity management system and GCP. However, depending on the organization's specific requirements and constraints, one of the other options may be a better fit.