How to set up Cloud Identity (Authentication) and Organisation in GCP? Part 1

Know more about how Google Cloud identity works and benefits the organisation:

Biswanath Giri
Google Cloud - Community
8 min read · Jan 18, 2023


Architecture diagram for a quick overview

Google Cloud Identity (GCI) is a service provided by Google Cloud Platform (GCP) that allows you to manage and authenticate users for your cloud-based applications and resources. It is built on top of the Google Identity Platform, which provides secure identity management for applications hosted on GCP, as well as other platforms.

GCI provides features such as user and group management, single sign-on (SSO) and multi-factor authentication (MFA), and access control. This allows you to easily manage the identities of the users who access your GCP resources and ensure that only authorised users have access to sensitive data and functionality.

One of the main benefits of GCI is that it allows you to centralize the management of user identities and access across all of your GCP resources, including Compute Engine, Kubernetes Engine, and Cloud Storage. This can help to improve security and compliance, as well as streamline the process of managing user access.

This article predominantly answers the following questions:

  1. How to create a new domain and organisation?
  2. How to set up a new Google Workspace?
  3. How to configure Cloud Identity?
  4. How to configure GCDS with an on-prem AD server?
  5. How to sync on-prem users, groups and organisational units with Google Cloud?
  6. How is Google Cloud IAM policy enforced in granular ways?

1. How to create a new domain & organisation?

Set up Cloud Identity as a Google Cloud admin

This article shows you how to set up Cloud Identity as a Google Cloud administrator. Setting up Cloud Identity is one of the first steps you’ll take when creating a new Google Cloud organization.

Before you begin

Instructions for Google Cloud admins

If you’re a Google Cloud administrator, use the instructions below to sign up for either Cloud Identity Free or Cloud Identity Premium. For details about the differences between these services, see Compare Cloud Identity features & editions.

Requirements

  • Cloud Identity Free — You need your company’s domain name and the admin username and password to your domain registrar to get started.
  • Cloud Identity Premium — You need your company’s domain name to get started, or you need to purchase a domain during sign-up.

Sign up for Cloud Identity Free

  1. Go to the following sign-up page:
    https://workspace.google.com/signup/gcpidentity/welcome#0
  2. Follow the guided instructions.

For details about your next steps, see Create your Cloud Identity account and first admin user.

Sign up for Cloud Identity Premium

If you’re a Google Workspace customer

  1. Sign in to your Google Admin console using your administrator account (does not end in @gmail.com).
  2. In the Admin console, go to Menu > Billing > Get more services.
  3. Click Cloud Identity.
  4. Next to Cloud Identity Premium, click Start Free Trial.
  5. Follow the guided instructions.

If you’re not a Google Workspace customer

  1. Go to the following sign-up page:
    https://cloud.google.com/identity/signup/premium/welcome
  2. Follow the guided instructions.

1.1 If you are a new Google Workspace customer, perform the steps below.

  1. Go to the following sign-up page:
    https://cloud.google.com/identity/signup/premium/welcome
  2. Follow the guided instructions.
  3. Create your first Cloud Identity account and super admin username. You’ll specify your email address and company details, as well as the username for your first super admin.

Note: Specify the super admin username in this format: admin-[user] (for example, admin-maria). Cloud Identity adds <username>@<your-domain>.com as the first super admin for Cloud Identity.

You can specify additional super admins using the Admin Console.

The screenshots below walk through the process.

Enter your contact details.

Enter the domain or business name under which you plan to run the business.

Check whether the domain is available; if it is, go ahead and register it :)

Enter your business address details and pay 💰 for the domain you are purchasing.

  1. Verify your domain: This process may take several hours. If you run into issues, see the Troubleshooting section. We will add more users later in this checklist; when you’re prompted to add users to your account, skip that process as guided below:
  2. Click Create users.
  3. Select I have finished adding users for now, and then click Next.
  4. Click Continue to Google Cloud console.

By default, the free edition of Cloud Identity provides fifty user licenses. This checklist uses four of those. You can view existing licenses at the Admin Console Billing page. If you need additional free licenses, you can request them by completing the following steps:

  1. Sign in to Google Admin console with the super admin account created in the preceding procedure.
  2. Request additional free licenses by following this process.

1.2 If you are already a Google Workspace customer

To set up Cloud Identity for existing Google Workspace accounts:

  1. Enable Cloud Identity: After you enable Cloud Identity, any user added to your organization can access Cloud Identity.
  2. Disable automatic Google Workspace licensing. If you don’t disable it, all new users also receive a paid Google Workspace license, potentially causing unintended expense. You can still add paid Google Workspace user accounts after completing this step.

By default, you receive 50 licenses for the free edition of Cloud Identity. This checklist requires you to set up four users. You can view existing licenses at the Admin Console Billing page. If you need additional free licenses, request them as follows:

  1. Sign in to Google Admin console with the super admin account created in the preceding procedure.
  2. Once signed in as a super admin, request additional free licenses by following the process outlined on that page.

1.3 Create an organization on GCP

  1. Go to the GCP Console, and navigate to the hamburger menu.
  2. Select “Organization” -> “Settings”
  3. Click on “Create organization” button
  4. Fill in the necessary details, such as name, billing account and set the organization ID
  5. Once the organization is created, you can navigate to the “Folders” page to create folders within the organization.
  6. You can assign projects and resources to the folders, which allows you to manage and enforce policies at the folder level.
  7. On the “Policies” page, you can configure policies for the entire organization, such as access control and billing.
  8. You can also set up a hierarchy using folders and subfolders.
  9. Finally, you can invite members to your organization and assign roles to them, giving them access to specific resources and permissions.

2. How to set up New Google Workspace?

2.1 Cloud Identity on Google Workspace: Add User

  1. Log in to the Google Workspace Admin Console.
  2. In the Admin Console, navigate to the “Users” tab.
  3. Click the “Add a user” button to create a new user, or import users in bulk.
  4. Once you have created the users, you can assign roles to them. You can also create custom roles if the predefined roles do not meet your needs.
  5. To set up Single Sign-On (SSO) and Multi-Factor Authentication (MFA), navigate to the Security tab and select “Advanced settings”.
  6. On the “Advanced settings” page, you can enable SSO and MFA for your organization.
  7. You can also configure SSO settings and MFA methods, such as Google Authenticator or a security key.
  8. To set up access control, navigate to the “Apps” tab in the Admin Console.
  9. You can configure access to specific apps, such as Gmail and Drive, for different groups of users.
  10. To set up Cloud Identity for your GCP projects, you can use the Google Workspace Directory API. This allows you to synchronize your Google Workspace users and groups with GCP IAM policies, so that the same users and groups have the same access to GCP resources.

Set up Cloud Identity on Google Cloud:

  1. Go to the Google Cloud Console, and navigate to the hamburger menu.
  2. Select “IAM & admin” -> “IAM”
  3. Click on the “Add” button to create a new user or group. You can also import users in bulk.
  4. Once you have created the users, you can assign roles to them. You can also create custom roles if the predefined roles do not meet your needs.
  5. To set up Single Sign-On (SSO) and Multi-Factor Authentication (MFA), navigate to the hamburger menu and select “Identity” -> “Authentication methods”.
  6. On the “Authentication methods” page, you can enable SSO and MFA for your organization.
  7. You can choose from various authentication methods such as Google Accounts, SAML, or OAuth.
  8. To set up access control, navigate to the hamburger menu and select “Identity” -> “Identity-Aware Proxy”.
  9. On the “Identity-Aware Proxy” page, you can enable the service and configure it for your project.
  10. To enable Identity-Aware Proxy for specific resources, such as Compute Engine instances or Cloud Storage buckets, go to the hamburger menu and select “Identity” -> “Identity-Aware Proxy”.
  11. To set up Cloud Identity for your GCP projects, you can use the Cloud Identity API. This allows you to synchronize your GCP users and groups with GCP IAM policies, so that the same users and groups have the same access to GCP resources.
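As an added example, not code from the article or from Google, here is a small Python audit of an organisation-level IAM policy in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns. It ties together the organisation/folder role-assignment steps above and the user-and-group sync steps: it flags the principals a Cloud Identity rollout is meant to eliminate, namely accounts outside the managed domain (compare the @gmail.com note earlier), public principals, and basic roles bound to individual users rather than groups. The policy, domain, principals and etag are constructed.

```python
import json

# Constructed sample in the JSON shape returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json`;
# domain, principals and etag are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin-maria@example.com", "user:someone@gmail.com"]},
    {"role": "roles/editor",
     "members": ["group:gcp-developers@example.com", "user:dev1@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "group:gcp-auditors@example.com"]}
  ],
  "etag": "BwXyzConstructed=",
  "version": 1
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy, managed_domain):
    """Return (role, member, finding) tuples for bindings that bypass the
    centrally managed identities Cloud Identity is meant to provide:
      public-principal   - allUsers / allAuthenticatedUsers bound to a role
      external-account   - user: principal outside the managed domain
                           (for example a consumer @gmail.com account)
      basic-role-on-user - owner/editor/viewer granted to an individual
                           user instead of a Cloud Identity group
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public-principal"))
                continue
            kind, _, principal = member.partition(":")
            if kind != "user":  # group:, serviceAccount:, domain:, deleted: are not audited here
                continue
            domain = principal.rsplit("@", 1)[-1].lower()
            if domain != managed_domain.lower():
                findings.append((role, member, "external-account"))
            elif role in BASIC_ROLES:
                findings.append((role, member, "basic-role-on-user"))
    return findings
```

Running `audit_policy(SAMPLE_POLICY, "example.com")` on the sample returns four findings; point it at a real exported policy and your own domain to get the same report for your organisation.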

If you are a new customer, follow the process below.

This checklist shows steps for the free, standalone edition of Cloud Identity. To learn more about the premium edition, see Compare Cloud Identity features and editions. (If you want to use Google Workspace, you can enable it after completing your initial setup.)

Reference: Articles and Videos

  • https://cloud.google.com/identity
  • Unify identity, device, and app management with Cloud Identity
  • Reduce AD Dependency With Cloud Identity and Secure LDAP

Summary:

Cloud identity refers to the management of user identities and access to resources in cloud computing environments. It allows for the centralization of user information and streamlined access control to cloud-based resources, improving security and enabling seamless user experience across multiple devices and platforms.

About me — I am working as a Senior Google Cloud Architect with 14 years of experience in the IT industry. I am also a multi-cloud certified professional, along with HashiCorp (10x GCP).

Currently providing end-to-end Google Cloud solutions to vendors, customers and stakeholders for their digital transformation journey from on-prem to Google Cloud.

If you have any questions, you can reach out to me on:

Telegram: https://t.me/growwithgcp

Twitter: https://twitter.com/bgiri_gcloud

Instagram: https://www.instagram.com/google_cloud_trainer/

LinkedIn: https://www.linkedin.com/in/biswanathgirigcloudcertified/

Facebook: https://www.facebook.com/biswanath.giri

and DM me :) I am happy to help!

You can also schedule 1:1 discussions with me on topmate.io/gcloud_biswanath_giri for any Google Cloud-related queries and concerns :)
