Your customer is moving an existing corporate application to Google Cloud Platform from an on-premises data center.
The business owners require minimal user disruption.
There are strict security team requirements for storing passwords.
What authentication strategy should they use?
Answer: C.
Provision users to Google's directory
The global Directory is available to both Cloud Platform and G Suite resources and can be provisioned by a number of means.
Provisioned users can take advantage of rich authentication features including single sign-on (SSO), OAuth, and two-factor verification.
You can provision users automatically using one of the following tools and services:
- Google Cloud Directory Sync (GCDS)
- Google Admin SDK
- A third-party connector
GCDS is a connector that can provision users and groups on your behalf for both Cloud Platform and G Suite.
Using GCDS, you can automate the addition, modification, and deletion of users, groups, and non-employee contacts.
You can synchronize the data from your LDAP directory server to your Cloud Platform domain by using LDAP queries.
This synchronization is one-way: the data in your LDAP directory server is never modified.
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#authentication-and-identity
The best authentication strategy for this scenario is to federate authentication via SAML 2.0 to the existing Identity Provider (option B).
Federated authentication allows users to authenticate to Google Cloud Platform using their existing corporate credentials. This means that users do not need to create new accounts or remember additional passwords, minimizing user disruption. Additionally, this approach enables the organization to maintain control over user access and permissions.
SAML 2.0 is a widely adopted standard for federated authentication. It allows for secure exchange of authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). In this case, the on-premises corporate IdP would be the source of truth for user authentication, and Google Cloud Platform would be the SP.
Using G Suite Password Sync (option A) would replicate passwords into Google, but this approach does not support federated authentication and requires additional effort to manage password synchronization. Furthermore, storing passwords in this way may not meet the security team requirements for password storage.
Provisioning users in Google using the Google Cloud Directory Sync tool (option C) is a viable option, but it may require users to remember and manage additional passwords, which could lead to user disruption. Additionally, this approach would require ongoing management and synchronization of user data between the corporate directory and Google.
Asking users to set their Google password to match their corporate password (option D) is not recommended because it may not meet the security team's requirements for password storage. Furthermore, this approach would require users to remember and manage yet another password, which could lead to user disruption.
In summary, federating authentication via SAML 2.0 to the existing Identity Provider is the best authentication strategy for this scenario because it minimizes user disruption, enables the organization to maintain control over user access and permissions, and supports secure password storage.
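As an added illustration of the SAML 2.0 federation described above (not code from the question or from Google), the following Python shows the checks the Service Provider side must make on an assertion from the corporate IdP before trusting it: trusted issuer, validity window, audience restriction, and a single subject. The entity IDs, the sample response and the clock-skew allowance are constructed assumptions, and XML signature verification is assumed to have been done by an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
# XML namespaces defined by the SAML 2.0 standard.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed identifiers: the on-premises IdP and the SP (Google) entity IDs.
IDP_ENTITY_ID = "https://idp.example-corp.internal/saml"
SP_ENTITY_ID = "google.com/a/example-corp.com"
SKEW = timedelta(minutes=2)  # clock-skew allowance (assumed value)

def parse_time(value):
    """SAML timestamps are ISO 8601 in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    """Return (ok, detail). Assumes the response signature was already verified
    against the IdP certificate; these checks cover what a signature alone does not."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:           # only the trusted corporate IdP
        return False, f"unexpected Issuer {issuer!r}"
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None:
        return False, "missing Conditions validity window"
    if now + SKEW < parse_time(nb):       # not yet valid
        return False, "assertion not yet valid"
    if now - SKEW >= parse_time(noa):     # stale or replayed assertion
        return False, "assertion expired"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:     # issued for a different SP
        return False, f"assertion not intended for this SP: {audiences}"
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "missing Subject NameID"
    return True, subject

# Constructed sample response from the corporate IdP (signature element omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example-corp.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `validate_assertion(SAMPLE_RESPONSE, parse_time("2024-05-01T12:01:00Z"))` accepts the assertion and returns the corporate NameID; the same assertion presented an hour later, or to a different audience, is rejected.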