Your company wants to start using Google Cloud resources but wants to retain their on-premises Active Directory domain controller for identity management. What should you do?
A.
Use the Admin Directory API to authenticate against the Active Directory domain controller.
B.
Use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML SSO.
C.
Use Cloud Identity-Aware Proxy configured to use the on-premises Active Directory domain controller as an identity provider.
D.
Use Compute Engine to create an Active Directory (AD) domain controller that is a replica of the on-premises AD domain controller using Google Cloud Directory Sync.
According to the reference, my understanding is B is correct.
And in the document(https://cloud.google.com/iap/docs/concepts-overview), it says:
If you need to create Google Accounts for your existing users, you can use Google Cloud Directory Sync to synchronize with your Active Directory or LDAP server.
Is it possible to explain why the correct answer is C?
It's simple. Domain controllers are not meant to authenticate SaaS or web applications. This includes IAM. Domain controllers speak NTLM and Kerberos.
This is why we use federation: web apps do not speak Kerberos or NTLM. They speak languages such as OAuth. Hence the need for an AD federation proxy.
B is correct
Thanks for the explanation. May I ask, if we go with SAML, why do we need to sync the user accounts? It seems we just need to set up the federation between the cloud and on-premises.
To integrate Google Cloud with your on-premises Active Directory (AD) domain controller for identity management while retaining your on-premises AD, the best approach is:
B. Use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML SSO.
The most suitable option for integrating Google Cloud resources with an on-premises Active Directory domain controller for identity management is option D. This involves creating a replica of the on-premises Active Directory domain controller using Compute Engine and Google Cloud Directory Sync for synchronization.
Connect your on-premises Active Directory to Google Cloud: You can use Google Cloud Directory Sync (GCDS) to synchronize your on-premises Active Directory with Google Cloud. This allows you to use your existing Active Directory users and groups in Google Cloud.
Set up single sign-on (SSO): You can use Google Cloud Identity-Aware Proxy (IAP) to set up SSO for your Google Cloud resources. IAP integrates with your on-premises Active Directory and allows users to log in to Google Cloud using their existing Active Directory credentials.
B. Use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML SSO.
To retain their on-premises Active Directory domain controller for identity management while using Google Cloud resources, the company can use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML single sign-on (SSO). This will allow users to use their existing Active Directory credentials to access Google Cloud resources, while still maintaining their on-premises Active Directory domain controller as the primary source of identity management.
Option A, using the Admin Directory API to authenticate against the Active Directory domain controller, would not be a suitable solution because it would require implementing custom authentication logic in the application, which would be time-consuming and error-prone.
Option C, using Cloud Identity-Aware Proxy configured to use the on-premises Active Directory domain controller as an identity provider, would be a suitable solution, but it would not allow you to synchronize Active Directory usernames with cloud identities.
Option D, using Compute Engine to create an Active Directory (AD) domain controller that is a replica of the on-premises AD domain controller using Google Cloud Directory Sync, would not be a suitable solution because it would require setting up and maintaining an additional AD domain controller in Google Cloud, which would be unnecessary if the company wants to retain their on-premises AD domain controller as the primary source of identity management.
Go for B.
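To make the "why sync at all if we federate?" question from earlier in the thread concrete, here is an added example in Python (not code from the thread, from Google, or from GCDS itself). It simulates the two halves of option B: a GCDS-style sync run that turns constructed AD LDAP entries into Cloud Identity accounts, and a SAML sign-in step that only matches the asserted NameID against accounts that already exist. The AD entries, the `corp.local` and `example.com` domain names, and the attribute-mapping rule (prefer `mail`, otherwise rewrite the UPN suffix) are assumptions made for the example.

```python
"""
Added example: why GCDS sync AND SAML SSO are both needed (option B).

  1. GCDS reads users from the on-premises AD over LDAP and creates or
     suspends the matching Cloud Identity accounts. Google must already
     know an account before anyone can sign in to it.
  2. SAML SSO only authenticates. The IdP in front of the domain
     controller (e.g. AD FS) asserts a NameID; Google looks that NameID
     up among the accounts that already exist and does not create any.

Everything below (AD entries, domains, mapping rule) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what an LDAP search against the DC would return
# for the users in scope of the sync. userAccountControl 514 = disabled.
AD_USERS: List[dict] = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@corp.local",
     "mail": "alice@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@corp.local",
     "mail": "bob@example.com", "userAccountControl": 514},
    {"sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@corp.local",
     "mail": None, "userAccountControl": 512},  # no mailbox attribute
]

CLOUD_DOMAIN = "example.com"   # assumed verified Cloud Identity domain
ACCOUNTDISABLE = 0x2           # bit in userAccountControl


@dataclass
class CloudIdentity:
    """Minimal state kept per synced Google account."""
    suspended: bool = False
    source: str = "gcds"


def map_to_cloud_email(entry: dict) -> Optional[str]:
    """GCDS-style attribute mapping (assumed rule): prefer `mail`; if it is
    absent, rewrite the internal UPN suffix to the cloud domain. Returns
    None when no usable address can be derived, so the user is skipped."""
    if entry.get("mail"):
        return entry["mail"].lower()
    upn = entry.get("userPrincipalName")
    if upn and "@" in upn:
        local, _ = upn.split("@", 1)
        return f"{local}@{CLOUD_DOMAIN}".lower()
    return None


def sync(ad_users: List[dict],
         existing: Dict[str, CloudIdentity]) -> Dict[str, CloudIdentity]:
    """One sync run with AD as the authoritative source: users present in
    AD are created (or re-enabled), disabled AD users become suspended, and
    synced accounts that no longer appear in AD are suspended, not deleted,
    so an accidental OU move does not destroy the account's data."""
    out = {k: CloudIdentity(v.suspended, v.source) for k, v in existing.items()}
    seen = set()
    for entry in ad_users:
        email = map_to_cloud_email(entry)
        if email is None:
            continue
        seen.add(email)
        disabled = bool(entry["userAccountControl"] & ACCOUNTDISABLE)
        out[email] = CloudIdentity(suspended=disabled)
    for email, ident in out.items():
        if email not in seen and ident.source == "gcds":
            ident.suspended = True
    return out


def saml_login(name_id: str, identities: Dict[str, CloudIdentity]) -> str:
    """What Google does with an already-validated SAML assertion: it only
    matches NameID to an existing, active cloud identity. Federation alone
    cannot create the account, which is why the sync step exists."""
    ident = identities.get(name_id.lower())
    if ident is None:
        return "denied: no cloud identity for this NameID (not synced)"
    if ident.suspended:
        return "denied: account suspended"
    return "ok"


if __name__ == "__main__":
    # carol exists in the cloud from an earlier sync but is gone from AD.
    ids = sync(AD_USERS, {"carol@example.com": CloudIdentity()})
    for who in ("alice", "bob", "svc-backup", "carol", "dave"):
        print(f"{who}@{CLOUD_DOMAIN}: {saml_login(f'{who}@{CLOUD_DOMAIN}', ids)}")
```

Running it shows the practical consequence: alice signs in, bob (disabled in AD) and carol (removed from AD) are refused, and dave, who was never synced, is refused even though the IdP would happily issue him an assertion. The UPN-suffix rewrite for svc-backup is the kind of mapping you have to configure deliberately when the AD domain (`corp.local`) differs from the verified cloud domain.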
Cloud Directory Sync
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
B – use Google Cloud Directory Sync to sync Active Directory user names with cloud identities and configure SAML SSO.
Check the flowchart here illustrating integration of your existing identity management system into GCP: https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
C – does not work, since Cloud IAP serves a different purpose. It's a building block toward BeyondCorp, an enterprise security model that enables every employee to work from untrusted networks without the use of a VPN.