Introducing Workforce Identity Federation to easily manage workforce access to Google Cloud
Sid Mishra
Product Manager, Google Cloud
At Google Cloud, we’re focused on giving customers new ways to strengthen their security posture. Managing identities and authorization is a core security control that underpins interactions inside and collaboration outside the organization. To address fraud, identity theft, and other security challenges associated with the proliferation of online accounts, many organizations have opted to use centralized identity provider (IdP) products that can help secure and manage identities for their users and SaaS applications, and we want to strengthen support for these solutions and the use cases they support.
Today we’re pleased to announce Workforce Identity Federation in Preview. This new Google Cloud Identity and Access Management (IAM) feature can rapidly onboard workforce user identities from external IdPs and provide direct secure access to Google Cloud services and resources. Workforce Identity Federation uses a federation approach instead of Directory Synchronization, the method currently used by most organizations for onboarding Google Cloud identities. Workforce Identity Federation provides flexibility to support third-party collaboration use cases and business requirements that can be better addressed by using a localized, customer-managed IdP.
Federating existing identities eliminates the need to maintain separate identities across multiple platforms. This means that organizations using Workforce Identity Federation no longer need to synchronize workforce user identities from their existing identity management solutions to Google Cloud. IdPs can include Identity-as-a-Service (IDaaS) and directory products such as those from ForgeRock, Microsoft, Okta, JumpCloud, or Ping Identity.
Workforce Identity Federation is another example of how we are working to make Google Cloud’s Invisible Security vision a reality, in this case delivering secure access leveraging customers’ current identity and access management solutions without the need for redundant user administration.
VMware is one of our customers using Workforce Identity Federation in Preview. Thiru Bhat, director at VMware, explained why he’s excited for the new feature.
VMware runs its own IdP, and we needed a solution to allow our developers to access their Google Cloud projects while maintaining corporate control over identities and permissions. Syncing of user identities outside of our IdP is not permitted per our InfoSec policies, and we deployed Google Cloud's Workforce Identity Federation to fulfill our identity requirements. The Workforce Identity Federation feature meets our needs with a solution that is robust and straightforward to configure.
Here’s a closer look at a few use cases and the benefits from the new Workforce Identity Federation.
Use case: Employee sign-in and authorization
Streamlined authentication experience with fine-grained access control
Workforce Identity Federation can enable your organization's users to access Google Cloud through the same login experience they already use for their existing IdP for single sign-on. Workforce Identity Federation also can enable fine-grained access through attribute mapping and attribute conditions. Attributes — which some IdPs call claims — contain additional information about users.
Google Cloud can use these attributes to further inform authentication decisions. Attribute mapping lets your administrators map identity attributes that are defined in your IdP to those that Google Cloud can use. Your administrators can configure Google Cloud with attribute conditions to authenticate conditionally — to let only a subset of external identities authenticate to your Google Cloud project based on attributes.
For example, your administrators might want to let only those employees who are part of the accounting team sign in. To do this, your administrators can configure an IdP attribute, such as EmployeeJobFamily. Using attribute mapping, they could map this attribute to a similar attribute in Google Cloud, such as employee_job_family. Then, they could configure an attribute condition, assertion.employee_job_family=="accounting".
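To make the mapping-then-condition flow above concrete, here is an added example (not Google Cloud's own evaluator, which uses CEL) that simulates the decision in Python: IdP claims are renamed per a mapping, unmapped claims are dropped, and a condition of the page's form is evaluated against the result. The sample assertions, the mapping table and the single-equality condition parser are constructed for this illustration; a missing attribute fails closed.

```python
import re
from typing import Mapping

# Constructed example: simulate how an attribute mapping and an attribute
# condition decide whether a federated sign-in is allowed. This is NOT
# Google Cloud's evaluator; it only mirrors the page's EmployeeJobFamily case.

# IdP attribute name -> attribute name Google Cloud would use afterwards.
ATTRIBUTE_MAPPING = {
    "sub": "subject",
    "EmployeeJobFamily": "employee_job_family",
}

# Condition in the page's form; only the simple name=="value" shape is parsed here.
ATTRIBUTE_CONDITION = 'assertion.employee_job_family=="accounting"'

_COND_RE = re.compile(r'^assertion\.(\w+)\s*==\s*"([^"]*)"$')


def map_attributes(idp_claims: Mapping[str, str]) -> dict:
    """Rename IdP claims per the mapping. Unmapped claims are dropped, so the
    condition can only see attributes the administrator chose to expose."""
    return {ATTRIBUTE_MAPPING[k]: v for k, v in idp_claims.items() if k in ATTRIBUTE_MAPPING}


def evaluate_condition(condition: str, attrs: Mapping[str, str]) -> bool:
    """Evaluate one equality condition (exact, case-sensitive string match).
    An attribute that is absent from the mapped set yields False (fail closed)."""
    m = _COND_RE.match(condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    name, expected = m.groups()
    return attrs.get(name) == expected


def authenticate(idp_claims: Mapping[str, str], condition: str = ATTRIBUTE_CONDITION) -> bool:
    """Return True only if a subject was mapped and the condition holds."""
    attrs = map_attributes(idp_claims)
    if "subject" not in attrs:
        return False  # no identity to authenticate
    return evaluate_condition(condition, attrs)


if __name__ == "__main__":
    # Constructed sample assertions from a hypothetical IdP.
    print(authenticate({"sub": "alice", "EmployeeJobFamily": "accounting"}))  # True
    print(authenticate({"sub": "bob", "EmployeeJobFamily": "engineering"}))   # False
    print(authenticate({"sub": "carol"}))                                      # False: attribute absent
```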
Use case: Secure access for partners and vendors
Restricted and secure access to Google Cloud services from a partner or vendor that has their own IdP and associated privacy and data policies
Today, the modern enterprise depends on partners and vendors more than ever. Partners and vendors can help scale enterprise workflows, but they also can introduce new complexities for IT teams, such as how to secure partner or vendor identities in addition to the rest of their enterprise users.
Workforce Identity Federation can enable enterprises to selectively federate users from partner or vendor IdPs without requiring enterprise IT teams to sync or create a separate identity store to use Google Cloud resources.
One common scenario where Workforce Identity Federation can help is when a company hires a partner or vendor to provide outsourced development services using cloud resources (such as when Google Kubernetes Engine (GKE) DevOps services are outsourced to a partner). The company creates a separate workforce pool for the partner or vendor’s administrator, who can then use their own IdP to grant access to their workforce.
This use case can also help support organizations who have requirements to store and maintain identity information locally in support of data residency or digital sovereignty initiatives. By using a local IdP, either customer-managed or partner-managed, and federating identities to Google Cloud, organizations can further strengthen control over their identity information.
Seamless experience for users, easy access management for administrators
Before Workforce Identity Federation, organizations would need to duplicate user identities from their IdP by creating user accounts in Google Cloud Identity. Workforce Identity Federation can help you access Google Cloud without having to first create Cloud Identity user accounts. It also reduces toil by eliminating the need to maintain two separate identity management systems.
Identity providers such as ForgeRock see tremendous value in the Workforce Identity Federation, and how Google Cloud can work with them to jointly help customers manage workforce identities. Peter Barker, ForgeRock’s Chief Product Officer, said that his company’s partnership with Google Cloud makes identity management easy and secure for administrators and users alike.
“Our strategic partnership with Google Cloud delivers great value to our customers and we’re excited to continue to expand our relationship. This integration with Google Cloud Workforce Identity Federation enables ForgeRock customers to leverage their current IAM investments and makes it easier for employees, contractors, and partners to securely access Google Cloud resources.”
Getting started with Workforce Identity Federation
Workforce Identity Federation is now available in Preview to customers already using Google Cloud. You can learn more about Workforce Identity Federation by visiting our webpage and watching this video.
Please contact your account manager to see if Workforce Identity Federation is the right fit for your organization. And you can get started with these new capabilities today using our product documentation.