GCP Onboarding - Cloud Identity User Provisioning and SSO using Azure AD
This is an opinionated guide to set up your organization’s Google Cloud Platform (GCP) onboarding leveraging your existing identity provider (AzureAD).
What is Cloud Identity?
Cloud Identity is an Identity as a Service (IDaaS) solution that allows you to centrally manage users and groups who can access Google Cloud Platform (GCP). It is a pre-requisite for onboarding your organization to GCP. We use Cloud Identity for the Authentication (AuthN) of the users.
What is Azure AD?
Azure AD is a cloud based Identity and Access Management service. For our context today, Azure AD will be used as an external Identity Provider (IdP) and source for identities that your organization will use to onboard to GCP.
Why?
If your organization is using an existing Identity Provider such as Azure AD, User Provisioning and Single Sign On (SSO) using this external IdP will enable faster GCP onboarding and makes your admins’ jobs easier with less disruption.
How?
We will create a user on the Google Admin Console and set up an enterprise application on Azure authorized with this user’s credentials. This will enable Azure AD to automatically provision the users.
For SSO, we will download the SAML signing certificate from the Azure enterprise application, upload it to the Admin Console, and configure the SAML and login endpoints.
Hands On
Prep Cloud Identity
The first thing to do is to set up a user account that will be used for provisioning users from Azure AD. We will create an Organizational Unit (OU) for this user and assign it the privileges needed to manage users and groups on Cloud Identity. To be able to perform these steps, you need super admin privileges.
1. On the Cloud Identity Admin Console, under Directory -> Organizational Units (https://admin.google.com/ac/orgunits), create a new OU named ‘Automation’.
2. Under Directory -> Users (https://admin.google.com/ac/users), create a new user that will be used for User Provisioning.
3. Under Accounts -> Admin Roles (https://admin.google.com/ac/roles), create a new role and assign permissions as below.
Make sure you assign the role to the user we set up earlier. We can now proceed to set up user provisioning on the Azure AD.
Set up User Provisioning
1. On the Azure Portal (https://portal.azure.com/), under Azure Active Directory -> Enterprise Applications, create a new application by searching for “Google Cloud” and clicking on the “Google Cloud/G Suite Connector by Microsoft” item in the results list. Name it “Google Cloud (Provisioning)”.
2. Under Manage -> Properties of this application,
- Set Enabled for users to sign-in to No.
- Set User assignment required to No.
- Set Visible to users to No.
- Click Save.
3. Under Manage -> Provisioning of this application, under Mappings, click on ‘userPrincipalName’ and set ‘Source Attribute’ to ‘mail’.
Now, update both the ‘surname’ and ‘givenName’ attributes with ‘_’ as the value of the Default value if null (optional) field. Save these changes.
Depending on your AD license, you can assign users and groups under Manage -> Users and Groups. These users and groups will be automatically provisioned on Google Cloud once you start provisioning under Manage -> Provisioning.
You should start seeing the assigned users and groups on Cloud Identity in a short while. For troubleshooting, you can use the View provisioning logs option.
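The mapping steps above decide which Azure AD records actually arrive in Cloud Identity: the Google primary email is taken from ‘mail’ rather than the UPN, and empty names are replaced with ‘_’ because Cloud Identity rejects users without a given and family name. The following dry run is an added example (not the connector's own code) that applies those two rules to a constructed set of Azure AD user objects and reports what a provisioning cycle would create and what it would skip; `VERIFIED_DOMAINS` is an assumed stand-in for the domains verified in your Cloud Identity account.

```python
"""Dry run of the Azure AD -> Cloud Identity attribute mapping described in the guide."""

# Constructed sample of Azure AD user objects (hypothetical data; the keys are the
# real Azure AD attribute names). The first record is a guest whose UPN carries the
# '#EXT#' suffix, which is why 'mail' is the safer source for the Google primaryEmail.
SAMPLE_AAD_USERS = [
    {"userPrincipalName": "alice_example.com#EXT#@contoso.onmicrosoft.com",
     "mail": "alice@example.com", "givenName": "Alice", "surname": "Smith", "accountEnabled": True},
    {"userPrincipalName": "svc-build@example.com",
     "mail": "svc-build@example.com", "givenName": None, "surname": None, "accountEnabled": True},
    {"userPrincipalName": "bob@example.com",
     "mail": None, "givenName": "Bob", "surname": "Jones", "accountEnabled": True},
    {"userPrincipalName": "carol@example.com",
     "mail": "carol@partner.net", "givenName": "Carol", "surname": "", "accountEnabled": False},
]

# Assumption: the domains verified in your Cloud Identity account.
VERIFIED_DOMAINS = {"example.com"}


def map_user(aad_user, verified_domains=VERIFIED_DOMAINS, default_if_null="_"):
    """Apply the guide's mappings to one Azure AD user.

    Returns (google_user, reason); google_user is None when the record cannot be
    provisioned and reason explains why.
    """
    mail = aad_user.get("mail")
    if not mail or "@" not in mail:
        # primaryEmail is sourced from 'mail', so a user without it has nothing to map.
        return None, "no usable 'mail' attribute"
    domain = mail.rsplit("@", 1)[1].lower()
    if domain not in verified_domains:
        return None, f"mail domain {domain!r} is not a verified Cloud Identity domain"
    # Mirrors 'Default value if null': Cloud Identity needs non-empty given and family
    # names. Simplification: an empty string is treated the same as null here.
    given = aad_user.get("givenName") or default_if_null
    family = aad_user.get("surname") or default_if_null
    google_user = {
        "primaryEmail": mail.lower(),
        "name": {"givenName": given, "familyName": family},
        "suspended": not aad_user.get("accountEnabled", False),
    }
    return google_user, "ok"


def dry_run(aad_users):
    """Summarise a provisioning cycle the way the provisioning logs would report it."""
    created, skipped = [], {}
    for user in aad_users:
        google_user, reason = map_user(user)
        if google_user is None:
            skipped[user["userPrincipalName"]] = reason
        else:
            created.append(google_user)
    return {"created": created, "skipped": skipped}


if __name__ == "__main__":
    import json
    print(json.dumps(dry_run(SAMPLE_AAD_USERS), indent=2))
```

Running it shows two records created (the service account with both names defaulted to ‘_’) and two skipped, which is the same split you would otherwise have to reconstruct from the View provisioning logs option after a failed cycle.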
Set up Single Sign On
For SSO, let’s deploy the same enterprise application again with a different name. To be clear, we are using two instances of the same connector app (enterprise application from Azure AD Gallery). One for provisioning earlier and one for SSO now.
Under Manage -> Properties of this application,
- Set Enabled for users to sign-in to Yes.
- Set User assignment required to No if you want all users to use SSO or Yes if you want to choose select users or groups.
- If you configured User Assignment Required in the previous step, do assign the users or groups you want to use under Manage -> Users and Groups.
Under Manage -> Single Sign On, choose SAML and edit the configuration of the Basic SAML as below:
- Enter Reply URL as https://www.google.com
- Sign on URL as https://www.google.com/a/YOURDOMAIN.COM/ServiceLogin?continue=https://console.cloud.google.com/
Click Save and close the dialog by clicking X. On the SAML Certificates card, download the Base64 certificate and save it to your local machine.
Copy the Login URL from the Set Up Google Cloud card.
On the Attributes & Claims card click edit and remove the additional claims.
Now, let’s set up SSO on the Cloud Identity Admin Console. Under Security -> Authentication -> SSO with third party IdP, click Add SSO Profile. Use the Login and Logout URL values from the SSO app on Azure as the Sign-in and Sign-out URLs. Upload the certificate that was downloaded to your local machine earlier and Save.
Now, minimize this card and go to the Manage SSO Profile Assignments card on the same page and disable SSO for the Automation OU. Make sure you’re doing this specifically for the Automation OU (select it on the left under your org name).
You’re all set to test the SSO at https://console.cloud.google.com/. When prompted provide the email on the Google Sign in page and you will be redirected to Azure AD login with Microsoft logo for SSO.
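Most SSO failures at this point come from a mistyped Basic SAML value, a certificate saved in the wrong format, or the Automation OU still being covered by the SSO profile (which would redirect the provisioning user to Azure AD and break provisioning). The script below is an added example, not part of the original guide or of either product, that checks those three things before you test: it validates the Reply URL, Sign on URL and Login URL shapes described above, confirms the downloaded file is a Base64 (PEM) certificate and prints its thumbprints, and checks the OU assignment. It assumes the Login URL is on login.microsoftonline.com and that Azure's displayed Thumbprint is the SHA-1 of the certificate; `SAMPLE_PEM` is a constructed stand-in, not a real certificate.

```python
"""Pre-flight checks for the SAML values exchanged between Azure AD and Cloud Identity."""
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlparse


def check_saml_urls(domain, reply_url, sign_on_url, idp_login_url):
    """Return a list of findings (empty list = OK) for the Basic SAML values and the Azure Login URL."""
    findings = []
    if reply_url != "https://www.google.com":
        findings.append(f"Reply URL should be https://www.google.com, got {reply_url!r}")
    u = urlparse(sign_on_url)
    expected_path = f"/a/{domain.lower()}/ServiceLogin"
    if u.scheme != "https" or u.netloc != "www.google.com" or u.path.lower() != expected_path.lower():
        findings.append(f"Sign on URL should start with https://www.google.com{expected_path}, got {sign_on_url!r}")
    cont = parse_qs(u.query).get("continue", [""])[0]
    if not cont.startswith("https://console.cloud.google.com/"):
        findings.append("Sign on URL 'continue' parameter does not point at https://console.cloud.google.com/")
    lu = urlparse(idp_login_url)
    # Assumption: the Login URL on the Set Up Google Cloud card is an https login.microsoftonline.com endpoint.
    if lu.scheme != "https" or lu.netloc != "login.microsoftonline.com":
        findings.append(f"IdP Login URL is not an https login.microsoftonline.com endpoint: {idp_login_url!r}")
    return findings


def check_certificate(pem_text):
    """Validate the downloaded Base64 certificate; return ({'sha1':..., 'sha256':...}, findings)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        return None, ["file is not a PEM certificate; download the 'Certificate (Base64)' option, not the raw one"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return None, ["certificate body is not valid Base64"]
    if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
        return None, ["decoded certificate is not a DER SEQUENCE"]
    # Assumption: the Thumbprint shown on Azure's SAML Certificates card is SHA-1; compare it
    # with 'sha1' here to confirm you uploaded the certificate Azure is actually signing with.
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}, []


def check_sso_assignments(assignments, automation_ou="Automation"):
    """assignments maps OU name -> SSO profile name, or None where SSO is disabled for that OU."""
    findings = []
    if assignments.get(automation_ou) is not None:
        findings.append(f"SSO is still enabled for the {automation_ou!r} OU; the provisioning user would be "
                        "redirected to Azure AD instead of signing in with its Google credentials")
    return findings


# Constructed stand-in for a downloaded certificate: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Placeholder tenant id; use the Login URL copied from the Set Up Google Cloud card.
    print(check_saml_urls("example.com", "https://www.google.com",
                          "https://www.google.com/a/example.com/ServiceLogin?continue=https://console.cloud.google.com/",
                          "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"))
    print(check_certificate(SAMPLE_PEM))
    print(check_sso_assignments({"/": "Azure AD", "Automation": None}))
```

Run it with the real values from your tenant before testing at the console: an empty findings list for each check means the SAML endpoints are in the shape this guide expects and the Automation OU is excluded from the SSO profile.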
Best Practices / Gotchas
For a large organization, only the IT team might use the GCP platform. So, assigning the User Provisioning and SSO enterprise applications to a specific set of users or groups is recommended.
If you use the free version of Cloud Identity and will be provisioning more than 50 users, you will have to request a quota increase.
Conclusion
We set up both User Provisioning and Single Sign On using your existing external IdP on Google Cloud so that you can onboard your people to GCP faster and enjoy the Google Cloud Experience! Thanks for reading.