Google Cloud Professional Cloud Security Engineer — Question 348
Your organization is using a third-party identity and authentication provider to centrally manage users. You want to use this identity provider to grant access to the Google Cloud console without syncing identities to Google Cloud. Users should receive permissions based on attributes. What should you do?
Answer options
- A. Configure the central identity provider as a workforce identity pool provider in Workforce Identity Federation. Create an attribute mapping by using the Common Expression Language (CEL).
- B. Configure a periodic synchronization of relevant users and groups with attributes to Cloud Identity. Activate single sign-on by using the Security Assertion Markup Language (SAML).
- C. Set up the Google Cloud Identity Platform. Configure an external authentication provider by using OpenID Connect and link user accounts based on attributes.
- D. Activate external identities on the Identity-Aware Proxy. Use the Security Assertion Markup Language (SAML) to configure authentication based on attributes to the central authentication provider.
Correct answer: A
Explanation
The correct answer is A. Workforce Identity Federation lets the organization's existing identity provider (SAML 2.0 or OIDC) authenticate users to the Google Cloud console through a workforce identity pool, so no user identities are synced into or created in Cloud Identity. The provider's attribute mapping, written in Common Expression Language (CEL), maps claims from the IdP assertion onto google.subject, google.groups and custom attribute.* values, and IAM bindings can then target principalSet identifiers keyed on those attributes, which is how permissions follow attributes rather than synced accounts. Option B requires a periodic synchronization of users and groups into Cloud Identity, which the question explicitly rules out. Option C, Identity Platform, is the customer identity (CIAM) service for authenticating end users of your own applications; it does not grant access to the Google Cloud console. Option D, external identities on Identity-Aware Proxy, likewise authenticates application users (backed by Identity Platform) for resources behind IAP and has no bearing on console access.
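The configuration behind answer A, as an added example that is not part of the exam page: create a workforce pool, register the corporate IdP as an OIDC workforce provider with a CEL attribute mapping and attribute condition, then bind an IAM role to a principalSet keyed on the mapped attribute. Organization, project, pool, provider, issuer and client values are placeholders; a SAML IdP would use `gcloud iam workforce-pools providers create-saml` with `--idp-metadata-path` instead of the OIDC flags shown. The script defaults to a dry run that prints the gcloud commands, so it can be read and run offline; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: Workforce Identity Federation with attribute-based IAM.
# All IDs below are placeholders, not values from the exam page.
set -eu

ORG_ID="${ORG_ID:-123456789012}"               # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-example-project}"    # placeholder project
POOL_ID="${POOL_ID:-corp-workforce-pool}"      # placeholder pool ID
PROVIDER_ID="${PROVIDER_ID:-corp-oidc}"        # placeholder provider ID
ISSUER_URI="${ISSUER_URI:-https://idp.example.com}"      # placeholder IdP issuer
OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-placeholder-client-id}"
OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-placeholder-secret}"

# Dry run by default so the commands can be reviewed without gcloud or an org.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# IAM principal identifiers for federated workforce identities. Permissions
# attach to these identifiers, so no Cloud Identity account is ever created.
workforce_attribute_member() {
  # $1 = pool ID, $2 = custom attribute name, $3 = attribute value
  printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/attribute.%s/%s' "$1" "$2" "$3"
}
workforce_group_member() {
  # $1 = pool ID, $2 = group value from google.groups
  printf 'principalSet://iam.googleapis.com/locations/global/workforcePools/%s/group/%s' "$1" "$2"
}
workforce_signin_url() {
  # $1 = pool ID, $2 = provider ID; the console sign-in URL for the provider
  printf 'https://auth.cloud.google/signin/locations/global/workforcePools/%s/providers/%s' "$1" "$2"
}

# CEL attribute mapping: google.subject is mandatory; custom attributes must be
# prefixed "attribute." and become usable in principalSet identifiers.
ATTRIBUTE_MAPPING='google.subject=assertion.sub,google.groups=assertion.groups,attribute.department=assertion.department'
# CEL attribute condition: tokens that fail it are rejected before any IAM
# binding is evaluated, so only these departments can even sign in.
ATTRIBUTE_CONDITION="assertion.department in ['security', 'platform']"

main() {
  run gcloud iam workforce-pools create "$POOL_ID" \
    --organization="$ORG_ID" --location=global \
    --display-name="Corporate workforce" --session-duration=3600s

  run gcloud iam workforce-pools providers create-oidc "$PROVIDER_ID" \
    --workforce-pool="$POOL_ID" --location=global \
    --display-name="Corporate OIDC IdP" \
    --issuer-uri="$ISSUER_URI" \
    --client-id="$OIDC_CLIENT_ID" \
    --client-secret-value="$OIDC_CLIENT_SECRET" \
    --web-sso-response-type=code \
    --web-sso-assertion-claims-behavior=merge-user-info-over-id-token-claims \
    --attribute-mapping="$ATTRIBUTE_MAPPING" \
    --attribute-condition="$ATTRIBUTE_CONDITION"

  # Grant by attribute: every federated user whose mapped department is
  # "security" gets Viewer on the project, with no per-user binding.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --role=roles/viewer \
    --member="$(workforce_attribute_member "$POOL_ID" department security)"

  printf 'Console sign-in URL: %s\n' "$(workforce_signin_url "$POOL_ID" "$PROVIDER_ID")"
}

main "$@"
```

The attribute condition and the principalSet binding do different jobs: the condition is a coarse admission gate enforced at token exchange, while the binding decides what an admitted user can do, so both should be reviewed when an attribute-based grant is audited.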