GCP Professional Cloud Security Engineer Practice Question
Your company uses Google Workspace with users and groups synchronized from an on-premises Microsoft Active Directory domain through Google Cloud Directory Sync (GCDS). Security architects now have two additional requirements:
Internal employees must continue to sign in with their on-premises credentials when accessing Google Cloud services.
External consultants whose identities live in the partner's Azure AD tenant must be able to access the Google Cloud Console for a single project without creating or synchronizing local accounts, and their credentials must remain short-lived.
Which solution satisfies both requirements while following Google-recommended identity security practices?
Keep GCDS for provisioning, configure Google as a SAML service provider that delegates employee logins to AD FS, and create a Workforce Identity Federation pool with an Azure AD SAML provider for the consultants.
Create break-glass super-administrator accounts and share them with the partner; configure OpenID Connect sign-in for employees through Google OAuth.
Enable GCDS password synchronization so employees authenticate directly with Google, and add the partner's Azure AD tenant to Cloud Identity as a secondary domain.
Replace GCDS with a SCIM-based connector, then set up Workload Identity Federation for the partner so their users obtain service account tokens.
SAML single sign-on (SSO) allows Google to redirect authentication for your existing Workspace accounts to the corporate AD FS IdP, so employees use their on-premises passwords while the GCDS-provisioned accounts and groups remain intact. Workforce Identity Federation lets Google Cloud trust an external IdP (such as Azure AD) and issues short-lived Google-signed tokens to those users at sign-in, eliminating the need to create or sync separate Google accounts for the consultants. This combination meets both stated needs. The other options either fail to meet the "no new accounts" requirement, do not delegate authentication to AD FS, or introduce insecure practices such as sharing super-administrator credentials.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SAML and why is it useful for single sign-on (SSO)?
Open an interactive chat with Bash
What is Workforce Identity Federation and how does it work?
Open an interactive chat with Bash
Why is using GCDS with SAML better than enabling password sync for Google Workspace authentication?
Open an interactive chat with Bash
What is GCDS and how does it help synchronize identities?
Open an interactive chat with Bash
What is Workforce Identity Federation and how does it work?
Open an interactive chat with Bash
Why is SAML used for single sign-on (SSO) in this solution?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .