Exam Professional Cloud Security Engineer topic 1 question 4 discussion

Answer. is A. B is just the method of authentication, all the heavy lifting is done in A

Correct Answer is A as explained here https://www.udemy.com/course/google-security-engineer-certification/?referralCode=E90E3FF49D9DE15E2855 "In order to be able to keep using the existing identity management system, identities need to be synchronized between AD and GCP IAM. To do so google provides a tool called Cloud Directory Sync. This tool will read all identities in AD and replicate those within GCP. Once the identities have been replicated then it's possible to apply IAM permissions on the groups. After that you will configure SAML so google can act as a service provider and either you ADFS or other third party tools like Ping or Okta will act as the identity provider. This way you effectively delegate the authentication from Google to something that is under your control."

Explanation: Cloud Directory Sync (CDS) is the crucial first step. It's the mechanism that synchronizes your on-premises Active Directory groups with your Google Cloud environment. This allows GCP to recognize and utilize the group structures already defined in your AD. Once the groups are synced, you can then: Create IAM roles with the appropriate permissions for your GCP resources. Grant those IAM roles to the synced AD groups. This effectively ties your existing AD group structure directly to the authorization levels within your GCP environment. Why SAML 2.0 SSO alone is insufficient: While SAML 2.0 SSO is essential for single sign-on capabilities (allowing users to access GCP with their existing AD credentials), it doesn't directly address the core requirement: managing GCP IAM permissions based on existing AD group memberships.

Answer is B. "Centrally manage from their ...", so, SAML and manage in the on-premise AD

the correct answer is indeed A as Cloud directory sync is the best approach

Cloud directory sync is for this purpose.

Correct Answer is A. The keyword is on-prem AD groups which can be synced using Google Dir Sync which then you can apply IAM roles in it.. Without Google Dir Sync, how can you pull the on-prem AD groups? Without it, SSO solution will not work.

Correct answer is A.

answer is A

Answer is A. GCP Cloud Skills Boost has an exact example on this using the fictitious bank called Cymbal Bank, and clearly call out the GCDS process to push Microsoft AD/LDAP into established Users and Groups in your GCP identity domain

Using third-party IDP connectors for sync Many identity management vendors (such as Ping and Okta) provide a connector for G Suite and Cloud Identity Global Directory, which sync changes to users via the Admin SDK Directory API. The identity providers control usernames, passwords and other information used to identify, authenticate and authorize users for web applications that Google hosts—in this context, it’s the GCP console. There are a number of existing open source and commercial identity provider solutions that can help you implement SSO with Google. (Read more about SAML-based federated SSO if you’re interested in using Google as the identity provider.)

A will do

With A the user and groups management is done in AD as it's asked.

The question clearly states that, centrally manage. So, Cloud Sync is correct one.

A is correct for me

SSO will only validate identity, that doesn't sync the groups! Answer is A

The correct answer is A