GCP Professional Cloud Security Engineer Practice Question
Your organization is deploying Google Cloud Directory Sync (GCDS) to provision users and groups from its on-premises Active Directory but wants every sign-in to Google Workspace and the Cloud Console to occur against the existing Okta tenant. During a design review, you are asked to clarify what role SAML 2.0 plays in this solution. Which statement correctly describes how SAML enables single sign-on in this architecture?
SAML makes Google Cloud the primary identity provider, so user passwords must be stored in Google and synchronized back to Okta after each successful login.
SAML creates a bidirectional directory synchronization between Okta and Google, eliminating the need for Google Cloud Directory Sync and handling both provisioning and authentication.
SAML is used only to encrypt passwords before GCDS pushes them to Google; the actual authentication step still occurs in Google Cloud using the replicated password hash.
SAML allows Google Cloud to act as the service provider, redirecting users to Okta (the identity provider) for authentication and trusting the returned SAML assertion that conveys the user's identity and attributes without exposing their password to Google.
In Google's standard SAML implementation, Google Cloud and Google Workspace operate as the SAML service provider (SP). When a user attempts to access a Google application, Google redirects the browser to the configured external identity provider (Okta) for primary authentication. Okta (the IdP) validates the user's credentials and, if successful, returns a signed SAML assertion to Google that contains the user's identity, and optionally group or role attributes, so Google can establish a session. No passwords or password hashes are stored or replicated in Google, and GCDS remains strictly a directory-provisioning tool rather than an authentication mechanism. The other options are wrong because Google never acts as the IdP in this flow, SAML does not replicate passwords, and it does not replace the need for GCDS when you still require account and group objects to exist in Google's directory.
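The explanation above says Google, as the SP, trusts the returned assertion rather than a password. The following added example (not part of the original question, and not Google's or Okta's code) shows the checks an SP performs before it trusts a bearer assertion: signature present and valid, issuer and audience match the configured trust, validity window honoured, InResponseTo bound to the SP's own AuthnRequest, and one-time use of the assertion ID. The assertion, the Okta issuer URL, the audience and the ACS URL are constructed placeholders, and cryptographic XML-DSig verification is assumed to be delegated to a library through the `signature_verified` callback.

```python
# Added example: SP-side acceptance checks for a SAML 2.0 bearer assertion.
# All identifiers below are constructed placeholders, not real tenant values.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLOCK_SKEW = timedelta(seconds=60)  # tolerated IdP/SP clock drift

# Constructed sample assertion (placeholder issuer, audience, ACS URL, user).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123"
    IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://example.okta.com/placeholder-idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/placeholder-acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>placeholder-sp-entity-id</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>gcp-admins</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

EXPECTED_ISSUER = "https://example.okta.com/placeholder-idp"
EXPECTED_AUDIENCE = "placeholder-sp-entity-id"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)


def _utc(ts):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience,
                       outstanding_request_id, now, signature_verified, seen_ids):
    """Return (accepted, reason, identity) for one assertion.

    signature_verified: callable given the <ds:Signature> element; must return True
    only if the XML-DSig validates against the IdP's pinned signing certificate
    (assumption: a real SP wires an XML-DSig library in here).
    seen_ids: set of assertion IDs already consumed, for replay protection.
    """
    root = ET.fromstring(xml_text)
    # 1. Trust only what the IdP signed; an unsigned assertion conveys nothing.
    sig = root.find("ds:Signature", NS)
    if sig is None or not signature_verified(sig):
        return False, "missing or invalid signature", {}
    # 2. The assertion must come from the configured IdP ...
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "unexpected issuer", {}
    # 3. ... and be addressed to this SP, not to some other relying party.
    audiences = [(a.text or "").strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", {}
    # 4. Validity window, with bounded clock skew.
    cond = root.find("saml:Conditions", NS)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + CLOCK_SKEW < _utc(nb)) or (noa and now - CLOCK_SKEW >= _utc(noa)):
        return False, "assertion outside validity window", {}
    # 5. Bind the assertion to the AuthnRequest this SP actually sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != outstanding_request_id:
        return False, "InResponseTo does not match an outstanding request", {}
    # 6. Each assertion ID is accepted exactly once.
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        return False, "replayed assertion", {}
    seen_ids.add(assertion_id)
    # 7. Only now read the identity and attributes the SP maps to a session.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {attr.get("Name"): [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
             for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", {"name_id": name_id, "attributes": attrs}


def demo():
    """Run the sample assertion through the happy path and several failure modes."""
    seen = set()
    good = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                              "_req42", SAMPLE_NOW, lambda s: True, seen)
    replay = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                "_req42", SAMPLE_NOW, lambda s: True, seen)
    unsigned = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                  "_req42", SAMPLE_NOW, lambda s: False, set())
    wrong_aud = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, "other-sp",
                                   "_req42", SAMPLE_NOW, lambda s: True, set())
    expired = validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                 "_req42", SAMPLE_NOW + timedelta(minutes=10), lambda s: True, set())
    return {"good": good, "replay": replay, "unsigned": unsigned,
            "wrong_aud": wrong_aud, "expired": expired}


if __name__ == "__main__":
    for name, (ok, reason, ident) in demo().items():
        print(f"{name:10s} accepted={ok} reason={reason} identity={ident}")
```

Note the ordering: the signature is checked before any field is read, because every later check relies on values only the IdP should have been able to write. This is also why GCDS, which carries no signing relationship, cannot stand in for the authentication step.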