Notice

The examples and use cases described here are intended to show the different ways SURF Research Access Management can be used and connected to applications. These examples and use cases have not necessarily been validated by SURF.

SRAM for authentication within Google Cloud

Users log in to Google Cloud with their Google Account. That account must either be registered with Google by the owning organisation (Cloud Identity / Google Workspace) or be registered with Google by the user (a Gmail account, or a Google account created with an existing email address). When collaborating with external researchers, the ideal situation is that both internal and external users can sign in using their institutional identity.

Internal users

In our case we have created a Cloud Identity organisation in which we provision the users that need access to the Google Cloud environment. We have set up Google to authenticate these users via our IdP, so they can log in with their institutional identities. This is not a solution for users from other institutions, however, since it requires domain ownership.

External users

We allow external users to log in using SRAM. For this we use the product Workforce Identity Federation, which allows access to the environment without provisioning new accounts. Users log in through a special link, after which they are redirected to SRAM. After authenticating there, they are redirected to the Google Cloud Console, where they can access the resources for which they have been granted permission.

Configuring Workforce Identity Federation with SRAM

  1. Create a new workforce identity federation pool.
  2. Create a new provider. Both OIDC and SAML can be used; this guide walks through the OIDC setup. Some values cannot be filled in yet, because they require the SRAM service, which is requested in a later step.
    1. Specify https://proxy.sram.surf.nl as issuer URL.
    2. Choose "Code" as response type.
    3. Choose "User info and ID token" as assertion claim behaviour.
    4. Specify the following attribute mappings:
      1. google.subject: assertion.email
      2. google.display_name: assertion.name
      3. google.posix_username: assertion.uid[0]
      4. google.groups: assertion.eduperson_entitlement.map(i, i.contains(":group:pmc:"), i.split(":")[size(i.split(":"))-1].split("#")[0]) (replace pmc with the name of your organisation)
    5. Then use the gcloud iam workforce-pools providers update-oidc command to add the additional scopes uid and eduperson_entitlement; these settings cannot be modified via the Cloud Console.
  3. Request your service from SURF using the service request form, configuring the following URL as redirect URL: https://auth.cloud.google/signin-callback/locations/global/workforcePools/WORKFORCE_POOL_ID/providers/WORKFORCE_PROVIDER_ID
  4. Once your service has been created, update your Workforce Identity Federation provider with the client ID and client secret.


Providing access to resources

Access to resources within Google Cloud is managed with Identity and Access Management (IAM). To grant an SRAM collaboration access, use a principal set of the following form: principalSet://iam.googleapis.com/locations/global/workforcePools/sram-pool/group/MYCOLLAB
Here MYCOLLAB is the short name of your collaboration and sram-pool is the ID of your workforce pool. Note that this only works for collaborations created within your own organisation, because the google.groups mapping filters on your organisation's name. If you want to change this behaviour, modify the google.groups assertion mapping.
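The following script is an added example, not code from SURF or Google. It re-implements in Python the four attribute mappings of the provider configuration above (google.subject, google.display_name, google.posix_username and the google.groups CEL expression) and then checks the resulting groups against a principalSet IAM binding, so you can verify offline which SRAM entitlements a given mapping turns into Google groups before granting access. The claim set, the organisation short name "pmc" and the pool ID "sram-pool" are constructed placeholders taken from this page; the entitlement strings are constructed samples, not captured SRAM output. The example also shows two consequences of the expression worth checking in your own setup: entitlements from other organisations are dropped (which is why only your own collaborations can be granted access), and an entitlement for a group inside a collaboration maps to the group's short name, not the collaboration's.

```python
"""Offline simulation of the SRAM -> Workforce Identity Federation attribute mapping.

Added example (not SURF's or Google's code). Re-implements the CEL attribute
mappings from the provider configuration so their effect can be checked
before an IAM binding is created.
"""

ORG = "pmc"            # organisation short name used in the mapping (page placeholder)
POOL_ID = "sram-pool"  # workforce pool ID used in the principalSet (page placeholder)


def map_groups(entitlements, org=ORG):
    """Python equivalent of the CEL expression

        assertion.eduperson_entitlement.map(i, i.contains(":group:ORG:"),
            i.split(":")[size(i.split(":"))-1].split("#")[0])

    The three-argument map() keeps only entitlements for which the predicate
    holds and emits, for each, the last ':'-separated segment with any
    '#...' suffix removed.
    """
    marker = f":group:{org}:"
    return [e.split(":")[-1].split("#")[0] for e in entitlements if marker in e]


def map_assertion(assertion, org=ORG):
    """Apply all four attribute mappings from the provider configuration."""
    return {
        "google.subject": assertion["email"],
        "google.display_name": assertion["name"],
        "google.posix_username": assertion["uid"][0],
        "google.groups": map_groups(assertion["eduperson_entitlement"], org),
    }


def principal_set(group, pool_id=POOL_ID):
    """principalSet identifier an IAM binding uses to grant a collaboration access."""
    return (
        "principalSet://iam.googleapis.com/locations/global/workforcePools/"
        f"{pool_id}/group/{group}"
    )


def has_access(mapped, binding_members):
    """True when any mapped google.groups value matches a member of the IAM binding."""
    return any(principal_set(g) in binding_members for g in mapped["google.groups"])


# Constructed sample claims, as the merged userinfo / ID token would carry them.
SAMPLE_ASSERTION = {
    "email": "j.doe@example-university.nl",
    "name": "Jane Doe",
    "uid": ["jdoe"],
    "eduperson_entitlement": [
        # collaboration in our own organisation -> group "mycollab"
        "urn:mace:surf.nl:sram:group:pmc:mycollab",
        # a group inside that collaboration -> maps to the LAST segment, "admins"
        "urn:mace:surf.nl:sram:group:pmc:mycollab:admins",
        # constructed '#' suffix; the mapping strips everything after '#'
        "urn:mace:surf.nl:sram:group:pmc:datacollab#constructed-suffix",
        # collaboration owned by another organisation -> filtered out
        "urn:mace:surf.nl:sram:group:other-org:theircollab",
    ],
}


if __name__ == "__main__":
    mapped = map_assertion(SAMPLE_ASSERTION)
    for key, value in mapped.items():
        print(f"{key}: {value}")
    binding = {principal_set("mycollab")}
    print("access via mycollab binding:", has_access(mapped, binding))
```

Run it as-is to see the mapped attributes; swap in the entitlement values your own SRAM service returns to confirm that the collaborations you intend to bind actually appear in google.groups, and that no unrelated group short name collides with a collaboration name.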
