Google Cloud Platform federation options in Azure Active Directory

Introduction

This article describes, at a high level, the Google Cloud Platform federation options in Azure Active Directory.

You may come across an implementation scenario in which you need to use the customer's Google Cloud Platform (GCP) directory as the Identity Provider when consuming Azure services. This differs from the default case, in which Azure AD is both the Identity Provider (IDP) and the Service Provider (SP), i.e. both the Authentication/Authorization/Accounting (AAA) directory and the service provider. Let's briefly discuss the two main options for authenticating to Azure services with Google Cloud Platform in mind. Similar design approaches apply to other supported public cloud services, such as Amazon Web Services (AWS).

Option 1: Use Azure AD (Microsoft Entra ID) as the Identity Provider (IDP)

In this option (the Azure default), both the service authentication/authorization/accounting (AAA) and the service provisioning are managed by Azure. Federation and Google Apps connectors are used to achieve Google Cloud to Azure integration. The AAA part is managed by Azure AD, as explained in more detail in the following articles:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial

https://cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on

Option 2: Use Google Cloud Platform directory as the Identity Provider (IDP)

In this second option, the customer may wish to retain their directory services and user identities in the Google Cloud Platform and authenticate to Azure using their existing GCP identities. The Google Cloud Platform directory can be configured to use Single Sign-On (SSO) to authenticate to Azure AD, after which users can consume Azure services. In this case, the Google Cloud Platform functions as the Identity Provider (IDP).

The above scenario is feasible via Azure Active Directory External Identities (https://azure.microsoft.com/en-us/services/active-directory/external-identities/). Azure AD External Identities is a bundle of directory services and features under Azure AD which allow external directories to federate with Azure AD. Pricing details for Azure AD External Identities are provided in the following article (https://azure.microsoft.com/en-us/pricing/details/active-directory/external-identities/).

Azure AD External Identities provides the following alternative options for integration with Google Cloud Platform:

  1. Use an external directory (Google Cloud Platform is fully supported) as the Identity Provider (IDP) and Azure AD as the Service Provider (SP) via the SAML/WS-Fed protocols (https://docs.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation). This service is currently in the public preview phase and will soon reach the general availability phase (https://docs.microsoft.com/en-us/learn/modules/describe-service-life-cycle-microsoft-365/2-private-public-general-availability).
  2. Use Google Federation as detailed in the following article (https://docs.microsoft.com/en-us/azure/active-directory/external-identities/google-federation).

Sources

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp

https://journeyofthegeek.com/2018/01/24/integrating-azure-ad-and-google-apps-single-signon/

https://www.microsoft.com/en-us/download/details.aspx?id=56843