We are excited to announce new security features, management options, and product integrations for Workforce Identity Federation, our Identity and Access Management offering that allows you to rapidly onboard user identities from external identity providers (IdPs) for direct, secure access to Google Cloud services and resources.
Workforce Identity Federation is built on an identity federation approach instead of Directory Synchronization, an option which can simplify identity lifecycle management for the cloud by leveraging your existing identity systems.
We are using Workforce Identity Federation to provide flexible workforce access for our Google Cloud environment. Before using Workforce Identity, if we wanted to grant user-level access to our data warehouse in BigQuery, we had to synchronize our user directory with Google Cloud and have users log into Google Cloud… Workforce Identity Federation enabled us to grant individual fine-grained, user-level access to BigQuery using our existing identity provider without requiring us to onboard our users to Google Cloud. This saved us significant administrative overhead.
Ming Ng, managing director and technology fellow, Goldman Sachs
Goldman Sachs has already empowered their users by enabling access to BigQuery using Workforce Identity Federation. Ming Ng, managing director and technology fellow at Goldman Sachs, explained why Goldman Sachs started using Workforce Identity Federation.
“We are using Workforce Identity Federation to provide flexible workforce access for our Google Cloud environment. Before using Workforce Identity, if we wanted to grant user-level access to our data warehouse in BigQuery, we had to synchronize our user directory with Google Cloud and have users log into Google Cloud,” said Ng. “Workforce Identity Federation enabled us to grant individual fine-grained, user-level access to BigQuery using our existing identity provider without requiring us to onboard our users to Google Cloud. This saved us significant administrative overhead.”
Here’s what’s new in Workforce Identity Federation:
New security and management capabilities
For OpenID Connect (OIDC) providers, Workforce Identity Federation now supports authorization code flow and implicit flow. Authorization code flow is considered to be more secure because tokens are returned from the IdP in a separate, secure backend transaction directly from the IdP to Google Cloud after the user has been authenticated. As a result, code flow transactions support more claims to use for attribute mapping and attribute conditions. Please see our documentation for details.
Customers who use a SAML-based identity provider are now able to leverage SAML token encryption to encrypt the SAML assertions. When configured, Workforce Identity Federation will encrypt the SAML assertions using the public key from the IdP-stored certificate. Encrypting SAML assertions can protect confidential user information and adds an extra layer of security to Workforce Identity Federation. For a step-by-step guide to enable your SAML 2.0 IdP encrypted SAML assertions to be accepted by Workforce Identity Federation, please see our documentation.
In addition to Google Cloud console access, Workforce Identity Federation now supports programmatic access to Google Cloud services and resources through the API and CLI. We added browser-based sign-in with the gcloud CLI to enable you to create a sign-in configuration file, and then either reference the file in calls to gcloud auth login or activate it so that it is used by default. We have documented detailed configuration steps to help you get started.
Expanding Workforce Identity Federation support to new products
We continue to expand the list of Google Cloud products that support Workforce Identity Federation. Updates include:
Google Kubernetes Engine (GKE) customers are able to use the identities from an OIDC or SAML 2.0 supported external identity provider to manage their GKE environments.
Chroniclesupports Service Provider Initiated SAML SSO for users. With this capability, users can navigate directly to Chronicle. Chronicle issues a request through Workforce identity federation to the third-party IdP.
Cloud Storage supports Workforce Identity Federation customers to use their third-party IdP for authentication to access the major GCS public APIs and console experiences.
Cloud Billing now enables customers using Workforce Identity Federated to access key billing information; including the cost overview page, cost management, cost optimization, and account management via the federated console.
To see all the new Google Cloud services that support Workforce Identity Federation, please refer to our documentation.
We are excited to share that Goldman Sachs will be presenting at Google Cloud Next ‘23 to discuss their use of Workforce Identity Federation. Please join us at “How Goldman Sachs achieved identity-first security using Google Cloud” to hear what they have been able to accomplish.
Cloud BlogRead More