Cloud Identity and Google Workspace Integration

Cloud Identity and Google Workspace provide the identity foundation for GCP. They manage users, groups, and devices — and determine who can access your GCP resources. Understanding how these services integrate with IAM is essential for enterprise GCP deployments.

---

Cloud Identity vs Google Workspace

Feature	Cloud Identity Free	Cloud Identity Premium	Google Workspace
Purpose	Identity management for GCP	Identity + device management	Productivity suite + identity
User management	Yes	Yes	Yes
Google Groups	Yes	Yes	Yes
SSO (SAML)	Yes	Yes	Yes
MFA	Yes	Yes	Yes
Device management	No	Yes (mobile + desktop)	Yes (mobile + desktop)
Email (Gmail)	No	No	Yes
Docs, Sheets, Drive	No	No	Yes
Cost	Free	~$7.20/user/month	From $7.20/user/month
GCP Organisation	Yes — creates org node	Yes — creates org node	Yes — creates org node

Which Do You Need?

• Cloud Identity Free — you just need identity management for GCP (no email or productivity apps)
• Cloud Identity Premium — you need device management (MDM) but not Google productivity apps
• Google Workspace — you want Gmail, Drive, Docs, etc. alongside GCP identity management

All three create an Organisation node in GCP, enabling central governance.

---

Setting Up Cloud Identity

Step 1: Verify Your Domain

1. Go to admin.google.com
2. Sign up for Cloud Identity Free
3. Enter your domain (e.g., example.com)
4. Verify ownership via DNS TXT record:
   TXT record: google-site-verification=xxxxxxxxxxxxxxxx
5. Domain is verified → Organisation node is created in GCP

Step 2: Create Users

Admin Console (admin.google.com):
  → Directory → Users → Add new user

Or via the Admin SDK API / Google Cloud Directory Sync (GCDS)

Step 3: Create Groups

Admin Console:
  → Directory → Groups → Create group

Example groups:
  - gcp-org-admins@example.com     → Organisation Admins
  - gcp-billing-admins@example.com → Billing Admins
  - gcp-developers@example.com     → Developers
  - gcp-security@example.com       → Security team

---

Syncing Identities from External IdPs

Most enterprises already have an identity provider (Active Directory, Okta, Azure AD). You can sync these identities to Cloud Identity using:

Google Cloud Directory Sync (GCDS)

GCDS synchronises users and groups from LDAP-compatible directories (Active Directory, OpenLDAP) to Cloud Identity:

Active Directory                    Cloud Identity
├── Users ──── GCDS sync ────────▶  Users
├── Groups ─── GCDS sync ────────▶  Google Groups
└── OUs ────── GCDS sync ────────▶  (mapped to groups or OUs)

- One-way sync: AD → Cloud Identity
- Runs on a schedule (e.g., every 30 minutes)
- Passwords are NOT synced — use SSO instead

Third-Party IdP Integration