Open fmichaelobrien opened 2 years ago
20220829: AAD federation option 2: Use Federation with an External Identity provider | sub-Option 1: Consolidate a relevant subset of consumer accounts https://cloud.google.com/architecture/landing-zones/decide-how-to-onboard-identities following "Federating Google Cloud with Azure Active Directory" https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory
Prereq:
- obrienlabs.dev GCP account - SA account = michael obrienlabs.dev
- Azure AD account - AD user for migration only: "landingzoneadmin" https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/1cbfc734-366f-424d-ab40-424d150978a4
- Start with an empty "unmanaged users" list https://admin.google.com/ac/unmanaged
Issues List
I run into these suspension messages on half of my organizations - they are not valid and can be ignored - but we need a reproduction/root cause. Pending.

```
michaelobrien@mbp7 wse_github % chmod 777 dirsync-linux64.sh
michaelobrien@mbp7 wse_github % ./dirsync-linux64.sh
Unpacking JRE ...
Preparing JRE ...
./dirsync-linux64.sh: line 246: bin/unpack200: cannot execute binary file
Error unpacking jar files. The architecture or bitness (32/64)
of the bundled JVM might not match your machine.
michaelobrien@mbp7 wse_github %
```
- Verify details of the backing IAM Identity user/role as part of SSO federated IdP user auth during an IAP session https://cloud.google.com/iap/docs/concepts-overview
- Verify the GCP Identity role for application use is available via the IAP session token - thinking https://cloud.google.com/iap/docs/signed-headers-howto#controlling_access_with_sign_in_attributes
- See https://cloud.google.com/architecture/identity/single-sign-on: "To use SSO, a user must have a user account in Cloud Identity or Google Workspace and a corresponding identity in the external IdP"
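The SSO requirement quoted above (a matching account in both Cloud Identity and the external IdP) is something to check before federating. The following is an added example, not code from the pbmm-on-gcp-onboarding repo: it reconciles a constructed Azure AD UPN export against a constructed Cloud Identity user list for the federated domain and reports identities present on only one side; the user names and the `obrienlabs.dev` scope filter are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for an Azure AD user export and a
# Cloud Identity / Workspace user export for the federated domain.
AZURE_AD_UPNS = [
    "landingzoneadmin@obrienlabs.dev",
    "Alice.Example@obrienlabs.dev",                  # differs only by case
    "carol.new@obrienlabs.dev",                      # not yet provisioned in GCP
    "guest_user#EXT#@obrienlabs.onmicrosoft.com",    # B2B guest, not federated
]
CLOUD_IDENTITY_USERS = [
    "landingzoneadmin@obrienlabs.dev",
    "alice.example@obrienlabs.dev",
    "bob.legacy@obrienlabs.dev",                     # exists only in Cloud Identity
]
FEDERATED_DOMAIN = "obrienlabs.dev"                  # assumed federated domain


@dataclass
class ReconciliationReport:
    ready: set = field(default_factory=set)          # present in both directories
    missing_in_cloud_identity: set = field(default_factory=set)  # SSO will fail
    missing_in_azure_ad: set = field(default_factory=set)        # orphaned in GCP
    skipped: set = field(default_factory=set)        # outside the federated domain


def normalize(identity: str) -> str:
    """Email-style identities compare case-insensitively."""
    return identity.strip().lower()


def in_scope(identity: str, domain: str) -> bool:
    return identity.endswith("@" + domain)


def reconcile(azure_upns, cloud_identity_users, domain=FEDERATED_DOMAIN):
    """Compare the two directories and classify every identity."""
    report = ReconciliationReport()
    azure = {normalize(u) for u in azure_upns}
    cloud = {normalize(u) for u in cloud_identity_users}
    report.skipped = {u for u in azure | cloud if not in_scope(u, domain)}
    azure -= report.skipped
    cloud -= report.skipped
    report.ready = azure & cloud
    report.missing_in_cloud_identity = azure - cloud
    report.missing_in_azure_ad = cloud - azure
    return report


if __name__ == "__main__":
    for label, users in vars(reconcile(AZURE_AD_UPNS, CLOUD_IDENTITY_USERS)).items():
        print(f"{label}: {sorted(users)}")
```

Accounts in `missing_in_azure_ad` are the ones that tend to surface as unmanaged or conflicting accounts in the Admin console, and `missing_in_cloud_identity` users cannot sign in until provisioned.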
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4
Implement Active Directory SSO Federation
Have, as a minimum dev environment, something like Keycloak for an OSS version.
Reading through other IdP options (AD, ...) as well (should have gone back to the source).
Microsoft Azure Active Directory Accounts
Deployment Examples: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/deployments.md#environments
See https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/82
See https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/155