Ensure that the identity providers (IdPs) used for Workforce Identity Federation are approved in order to securely access Google Cloud services without setting up new identities. The list with the valid, approved identity providers must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account console.
Workforce Identity Federation enables the utilization of an external identity provider (IdP) for authenticating and authorizing a workforce, comprising users such as employees, partners, and contractors, through IAM. This allows users to gain access to Google Cloud services. Workforce pools extend this functionality to the workforce (including employees, contractors, and partners) of a GCP enterprise customer, facilitating access to cloud resources via federation protocols like OIDC and SAML, without the need to synchronize their accounts with Cloud Identity. A workforce identity pool provider establishes the connection between your Google Cloud organization and your identity provider. Following the OAuth 2.0 Token Exchange specification, workforce identity federation operates by presenting credentials from the external identity provider to the Security Token Service for verification. Upon successful validation, a short-lived Google Cloud access token is provided in return. By keeping only approved identity provider (IdP) in your Google Cloud workforce pool minimizes security risks as unauthorized IdPs could grant access to unintended users.
To determine if the identity providers (IdPs) used for Workforce Identity Federation are approved by your organization, perform the following operations:
Note 1: Getting the list of workforce pool providers used by your organization via Google Cloud Platform (GCP) Management Console is not currently supported.Note 2: As an example, the Audit process outlines the steps required to check the configuration of an SAML identity provider.
Remediation / Resolution
To remove the unapproved identity providers (IdPs) from your organization's workforce pool, perform the following operations:
Removing workforce identity pool providers from your organization via Google Cloud Platform (GCP) Management Console is not currently supported.References
- Google Cloud Platform (GCP) Documentation
- Workforce identity federation
- Manage workforce identity pool providers
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud iam workforce-pools list
- gcloud iam workforce-pools providers list
- gcloud iam workforce-pools providers describe
- gcloud iam workforce-pools providers delete