
Cloud Identity - jmathai
https://cloud.google.com/identity/
======
tomashertus
I find it very interesting that it took Google such a long time to introduce
this service. They had to have an SSO implementation in place for years, and
with such lucrative prices in the identity market (all products are around
$4/user a month) it is low-hanging fruit for Google and seems like an obvious
step. In addition, many companies are already tied to GSuite and GMail, so I
assume another Google service will be easy to adopt. It would be interesting to
see how this will affect Okta and other direct competitors such as Ping
Identity, Janrain and Centrify in the long term. I really like their "Google-
grade Security" marketing!

Edit: Spelling

~~~
puzzle
Yeah, I asked Eric Sachs (who runs the identity efforts at Google) and others
a few times over the years. They always directed me to Okta, Ping, etc.

~~~
kjgkjhfkjf
Eric Sachs no longer runs identity at Google. You have your explanation why
right here.

~~~
puzzle
Hah, interesting. His old site is still up
[https://sites.google.com/site/ericsachs2/](https://sites.google.com/site/ericsachs2/)
but at least his LinkedIn page is up to date. Thanks!

------
manigandham
This is for companies to manage access for their own employees and other
corporate users. If you use G-Suite, then you already have this and can login
with your company email account to many external apps without a separate
password.

It makes sense that Google is extracting it into a separate product but most
companies just stick with whatever their productivity software provider is,
like G-Suite or Microsoft Office 365. Many companies also use OneLogin or Okta
for extra customization on top of G-Suite/O365.

~~~
dragonwriter
> It makes sense that Google is extracting it into a separate product but most
> companies just stick with whatever their productivity software provider is,
> like G-Suite or Microsoft Office 365.

While available standalone, this is explicitly pitched also as an upgrade
(Premium Edition) to what is included with GSuite (which is Cloud Identity
Free Edition).

~~~
manigandham
Yes, like I said most companies pick onelogin/okta for that layer on top,
which have even more features and customization. It's also further complicated
by the fact that GSuite and Office 365 have multiple tiers with more identity
features and the Cloud Identity Premium edition seems to be 90% about mobile
device management.

------
kyrra
This seems to be a single product of many things announced today. There were 2
Cloud blog posts covering things that happened[0][1].

It seems to all be GSuite/Cloud focused, but there are some big things in
there if you use these. Stuff like FedRAMP Rev. 4, Access Transparency
reporting, security partnerships, and other stuff.

[0] [https://cloudplatform.googleblog.com/2018/03/introducing-new...](https://cloudplatform.googleblog.com/2018/03/introducing-new-ways-to-protect-and-control-your-GCP-services-and-data.html)

[1] [https://cloudplatform.googleblog.com/2018/03/expanding-our-G...](https://cloudplatform.googleblog.com/2018/03/expanding-our-Google-Cloud-security-partnerships.html)

------
akurilin
Wish this had come out a few months back when we rolled out Okta to the entire
org and moved away from Google being the main identity provider.

Wonder if it's worth now to roll that back and have Google be the point of
entry?

One of the things that I appreciate about Okta is that it sends pretty clear
onboarding and 2FA enabling instructions, which I believe G Suite left up to
you. Signup into a 2FA-mandated G Suite account was always tricky, having to
use recovery codes to get in for the first time. It was terrifying to
non-technical users.

The one advantage I can think of, of Google vs Okta/auth0 etc is that most
SaaS products seem to give you Google SSO for free, but charge the full
enterprise pricing for SAML. e.g. Asana and Slack will not let you SAML from
Okta unless you upgrade to their most expensive tier, but Google SSO is always
free.

~~~
pm90
My personal advice: don't move back unless you have a good reason to. If
you're a big enough customer to talk directly to a Google sales person, use
that as a bargaining chip to get a cheaper offer.

------
bognition
Frankly I'm surprised it's taken Google so long to release this. I've used Okta
for years and love it. Not only does it make it easy for an org to revoke a
user's credentials across the board, it makes it easier for users to log into
every service without remembering another password.

------
askvictor
Do I understand correctly that this is basically G-Suite without the apps? Or
are there extra features in this (if so, are those coming to G-Suite as well)?

I recently redid the identity system for my organisation. Despite using
G-Suite as our productivity platform, we ended up going with AzureAD for our
identity services for these reasons:

* We needed RADIUS services. No way to get those from Google. It's messy with AzureAD (you need to run AzureAD Domain Services and an NPS server in a VM), but possible.

* A lot of SAML app vendors only seem to know about the existence of (i.e. have built their SAML implementation based around) ADFS (which is close enough to AzureAD). Those either outright didn't work with Google, or involved a messy workaround and a heap of time.

* G-Suite only allows for OU-based access control to SAML apps (unless you want to implement and maintain some code to do this for you, which kind of defeats the point of cloud-based identity IMO). AzureAD can do this by groups or even ad-hoc users.

~~~
manigandham
This is an extra service, the same way you can use Onelogin or Okta on top of
G-Suite to do federation and syncing.

There's a free tier which is already included in G-Suite or Google Cloud and
the premium tier which has more control:
[https://support.google.com/cloudidentity/answer/7319251](https://support.google.com/cloudidentity/answer/7319251)

~~~
askvictor
Still not entirely certain of the link between this and G-Suite. Do I
understand correctly that G-Suite includes Cloud Identity (Free edition), but
Premium edition is an optional add-on to G-Suite? But both Free and Premium
versions of Cloud Identity can be used without a G-Suite subscription? So the
Free version is basically G-Suite without the productivity Apps? The site
doesn't really make it clear what the Free Tier does, and seems to be pushing
hard to sign up for the Free trial of Premium.

~~~
manigandham
Yes, yes and yes. The marketing sucks and the documentation is a confusing
mess, but this is what it looks like:

1) Cloud Identity Free = User accounts, SSO, with Google or external identity
provider.

2) Cloud Identity Premium = Advanced user management, device control,
compliance, reporting, etc.

3) G-Suite Productivity Apps

4) Google Cloud Platform

G-Suite or GCP include Identity Free Edition, but you can use Identity on its
own. And then you can always upgrade it to Premium edition for more control.

[https://support.google.com/cloudidentity/answer/7431902](https://support.google.com/cloudidentity/answer/7431902)

------
AhtiK
I keep wondering why is the pricing of this, auth0 etc so high, is this mostly
for the employees and smaller groups? I can't see paying $6/mo/user to manage
users for a non-enterprise SaaS offering.

~~~
Touche
It's so bizarre there must be some mistake. Does this do significantly more
than AWS Cognito, which is free for the first 50k users?
[https://aws.amazon.com/cognito/](https://aws.amazon.com/cognito/)

This price point doesn't make sense outside of the niche SaaS offerings that
can charge in the thousands per month.

~~~
moduspwnens14
Cognito doesn't address the same use case.

You're seeing Cognito User Pool pricing. Cognito User Pools is basically
having AWS host your user / password / details database for an app you're
building. It takes care of some details like verifying e-mail addresses /
phone numbers and integrates with Cognito Federated Identities, which makes it
easy for your app to (for example) allow login via Google, Facebook, or an
account they create (which is stored in that user pool).

This Google service looks more comparable to Okta or auth0. That is like if
you're a sysadmin at a big company and you want one place where your users can
be authenticated, which can then allow access to all of the web apps you use
(Dropbox, Salesforce, Gmail, etc.).

EDIT: And to tie them together a little:

If you were building a web app using Cognito, you could likely add a federated
identity via Okta, auth0, or this Google service, which would then allow your
users to log in directly to your service through that without having to create
/ manage an account separately.

------
arca_vorago
This seems promising. I've been the google superadmin on a few companies and
the fight between AD/LDAP and other services and online applications was
always hackish. I wonder if the sync is still using this:
[https://support.google.com/a/answer/106368?hl=en](https://support.google.com/a/answer/106368?hl=en)

The benefit was that AD was the authority, so companies still felt "in
control". If Cloud Identity is moving authority over to google, that might be
an issue, but if it does it _well_, probably not so much.

The entire LDAP/AD/SSO area is ripe for disruption, because far too many
companies are trying to be google and force it all online. Many companies
would just be happy with a robust on-premise solution that could replace or
augment the others completely.

Don't get me started on radius...

~~~
r00fus
LDAP/AD and SSO are two different beasts. Everyone uses SAML in my experience
and it's a bit clunky but it works and the edge cases are fairly well known.

Is this actually a competitor to AD?

~~~
arca_vorago
I don't think it's designed as a competitor to AD, but rather to smooth the
AD-cloud user transition, especially as more and more companies buy into SaaS
like O365/GApps, etc.

You are right about SAML of course, but my point is how the lines between
SSO/SAML etc and AD/LDAP etc are getting blurred because companies want them to
essentially work as a single unit.

Here are a couple of the interesting alternatives in the arena:

[https://github.com/apereo/cas](https://github.com/apereo/cas)

[https://www.univention.com/products/ucs/](https://www.univention.com/products/ucs/)

[https://www.shibboleth.net/](https://www.shibboleth.net/)

[https://wso2.com/](https://wso2.com/)

One of my planned side projects is to test each of these.

------
polskibus
How does this compare to auth0 ([https://auth0.com/](https://auth0.com/)). Is
this a direct competitor?

~~~
scrollaway
Didn't Google already have an SSO solution? I'm using it in GSuite at our
company. Or was it restricted to only GSuite?

Edit: BTW, I see this can be set up for Github Business. Does github.com not
support SAML?

~~~
manigandham
Yes, G-Suite/Google Cloud all use the same system. This is just extracted for
companies to use without G-Suite or Google Cloud.

~~~
scrollaway
Doesn't that mean it's cheaper to just use GSuite than to use this?

~~~
manigandham
Yes. I don't see a large scenario where a company isn't already using G-Suite
or Office 365 and the higher tiers include all the compliance and management
features. Usually if they need more customization then they use OneLogin or
Okta on top, or build their own system.

------
nartz
If any google developers are out there - it would be great to be able to try
this service out without having to type in a ton of information to get started
- i just want to log in and see how it works - how it compares to IAM, auth0,
etc.

------
staticfish
For the uninformed, how is this different to implementing Google Oauth?

------
eyepulp
I don't see Gitlab explicitly listed as a supported service, but wonder if
that would be supported or require google or gitlab to make the integration
happen. (This is on a GL EE instance we manage).

And what about public-facing web apps developed in-house? Can we add SAML
integrations that would work with this for employee access?

These are probably basic questions, but I couldn't seem to find the details on
the site.

~~~
manigandham
Gitlab already has several plugins for auth, for example you can use OmniAuth
to have users login with an external identity provider:
[https://docs.gitlab.com/ee/integration/omniauth.html](https://docs.gitlab.com/ee/integration/omniauth.html)

No extra products needed if they're already using one of those supported
providers. OpenID Connect makes things much simpler than traditional SAML
unless you need all the extra enterprise provisioning features.

~~~
eyepulp
Ah - cool. That makes sense!

------
dvh
Technical note: when you submit post about Google service on HN always write
in the title whether it is new service or cancelled service. Thank you.

~~~
rdsubhas
beta or tata.

------
johns
I think this is the result of the Bitium acquisition.

------
altmind
Just last week I worked on integrating google4business and AWS login. At the
end of the day, I had spent half a day and never made this work.

One of the steps of their guide required creating an OAuth application,
assigning it some specific scopes and using their API browser to submit some
JSON to create some custom attributes for the company users. I spent the whole
time figuring out how their OAuth works and why their API endpoint
authentication never worked for me.

The whole experience left me with a feeling of extreme complexity, and I feel
completely lost in OAuth and SAML.

I just checked the guides and it seems there are no changes to the AWS
integration guide; the integration mechanism for AWS is still the same :(

------
singhrac
Anyone else notice that they're now rolling out Product Sans / Google Sans on
new branding pages (News Initiative, here, etc.)? I personally like it a lot,
but I wish I could use it (I guess I can always use Futura and tinker a bit).

------
tambourine_man
Page is broken on iPhone SE. Overflow hidden larger than viewport.

Unfortunately, poor mobile usability on their dev sites is very common for
Google, which is something I could never understand

------
relaunched
Is this a re-brand of Google's Beyond Corp?

~~~
manigandham
Beyond Corp isn't a product, it's a security model where you treat everything
as a publicly accessible resource without any special intranets, VPNs or
other gateways.

Employees use your apps the same way your customers do. Internal apps would
obviously be limited to company accounts, but this simplifies security and
deployment by reusing the same infrastructure and oversight across both public
and private apps.

~~~
relaunched
It also might be a product, Google's Identity Aware Proxy (IAP).
[https://cloud.google.com/iap/](https://cloud.google.com/iap/)

~~~
manigandham
Sure. It's not a BeyondCorp product but a way to implement the BeyondCorp
security model.

These are all separate pieces of architecture:

1) Corporate user database with access rights and permissions. This can be
Google's G-Suite if you're already using it or this new Cloud Identity
product.

2) Access to external corporate apps (like Salesforce) using OpenID or SAML
connections with the above mentioned user system.

3) Access to internal or custom-built corporate apps (like a sales dashboard).
You can use the APIs and build it into your app or use the IAP product to act
as a smart firewall that will handle the authentication for you and just give
your app a simple HTTP header with the user's name/email so you don't need to
build any user auth in the app itself.

------
andridk
How does this compare to Firebase Auth?

~~~
bpicolo
Entirely different, this is an okta/onelogin competitor.

------
tammer
Anyone compared this to Azure AD?

------
joeblau
Is this like One Login?

~~~
manigandham
Yes

------
therealmarv
Bad timing

------
horsecaptin
It is becoming more and more difficult to trust companies that have their
fingers in too many pies.

------
hoodoof
The linked page is not clear on what this actually is. Which AWS service is it
the same as?

~~~
Yeroc
Not sure about AWS but it looks like an answer to Microsoft's Azure AD hosted
services.

------
gumby
Given the recently revealed consequences of people using a major third party
(Facebook) for user authentication is this really going in the right
direction?

~~~
gk1
This is about managing the identities and permissions of employees, not
end-users.

~~~
gumby
I do understand that, but you are outsourcing a linchpin of your
infrastructure to a third party. Are these identities completely disjoint with
regular Google ones or are they commingled (i.e. do you need two different
browsers to read your work Gmail and your personal Gmail?)

~~~
icebraining
Yes, they are disjoint, and no, you don't need two browsers, Gmail can handle
two different accounts in the same browser simultaneously nowadays.

------
Tepix
Please don't force your users to identify themselves to Google or Facebook.

Always provide an alternative.

~~~
jfasi
> users

I'm pretty sure this is aimed at enterprise applications.

~~~
Tepix
Forcing your employees to be tracked by Google is even worse. They can hardly
opt out.

I wouldn't be surprised if it's illegal in Europe if a company forces this
upon its employees.

~~~
lagadu
You don't get it: this is enterprise software. People would login (and only
have access) with their enterprise accounts, not their personal ones.

~~~
natch
I think he/she gets it. It is possible to run your enterprise without using
Google software that forces users to pour even more of their data into
Google's grasp.

So I think the OP was saying that it would be desirable for those enterprises
to allow employees an alternative, for those who do not wish to share even
more with Google.

~~~
Gigablah
Why does it matter whether _they_ want to share their _work_ data with Google?
It's their company's decision. Their company owns the data.

I hope you realize the insanity of the following exchange:

"Bob, you should enter your sick leave in Workday."

"But I don't want that company to know about my sick days. Can I use something
different instead?"

~~~
icebraining
Actually, that example doesn't sound at all insane to me. What if Workday then
sells the information that I'm sick a lot to future prospective employers or
to health insurers? The employer should have a duty to adequately protect that
information. It's not just "their" data.

~~~
mr_toad
I don’t know about the US law on confidential employee data, but in some
countries selling data like that would be an open and shut lawsuit (against
both Google _and_ the employer).

