GCP Professional Cloud Security Engineer Practice Question

Your organization uses an on-premises Active Directory that is synchronized to Azure AD. Security policy forbids storing user passwords outside the corporate IdP, yet engineers must sign in to the Google Cloud Console and the gcloud CLI with their existing user principal names (UPNs). A Cloud Identity tenant has already been created and the corporate DNS domain is verified. Which approach meets these requirements while keeping administrative effort low?

Create a Workload Identity Federation pool that trusts Azure AD and have engineers use gcloud auth login --workforce-pool-user-token; no changes to SAML settings are required.
Generate a user-managed service account key for every engineer and instruct them to run gcloud auth activate-service-account when they need console or CLI access.
Enable password synchronization in Google Cloud Directory Sync so hashed passwords are copied from Active Directory to Cloud Identity, allowing users to authenticate directly with Google.
Configure Cloud Identity for SAML 2.0 single sign-on with Azure AD, setting the UPN as the SAML Subject (NameID) and enabling Google-initiated (SP-initiated) SSO for the verified domain.

Report Issue

Answer Description

To keep passwords only in the corporate IdP and still let engineers authenticate to Google-hosted services, Google Cloud must act as a SAML 2.0 service provider and delegate authentication to Azure AD. This is done by enabling third-party SSO in Cloud Identity, importing Azure AD's SAML metadata, and configuring Azure AD to send the user's UPN as the SAML Subject (NameID). After the trust is in place, users start at the Google sign-in page (SP-initiated flow); Google redirects them to Azure AD for authentication and accepts the signed assertion to create a session.

Incorrect answers:

GCDS never synchronizes passwords, so enabling it cannot satisfy the requirement and would still leave authentication at Google.
Distributing user-managed service-account keys gives non-human credentials, does not produce interactive console sessions, and exposes long-lived secrets.
Workload Identity Federation is designed for non-human workloads; engineers cannot open the Cloud Console with those tokens, and extra configuration would exceed the requested minimal overhead.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.