Tag Archives: identity

Control session length for Google Cloud Console and gcloud CLI now generally available

Quick Summary 

In 2019, we announced a beta that allows Google Workspace, Google Cloud Platform (GCP), and Cloud Identity admins to set a fixed session duration for specific apps and services. This is now generally available. After the session expires, users will need to re-enter their login credentials to continue to access: 

Giving admins more control over how often users need to re-authenticate makes it more difficult for the wrong people to obtain that data if they gain unauthorized access to a device. 

Visit the Help Center for more information about mobile apps and third-party identity providers.

Getting started

  • Admins: This feature will be OFF by default and can be enabled at the OU level. You can find session length controls at Admin console > Security > Google session control. Visit the Help Center to learn more about how to set session length for Google Cloud services.
  • End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow. 

Availability

  • Available to all Google Workspace customers, as well as G Suite Basic and Business customers, and Google Cloud Identity Free and Premium customers

Google OAuth incremental authorization improvement

Posted by Vikrant Rana, Product Manager, and Badi Azad, Group Product Manager

Summary

Google Identity strives to be the best stewards for Google Account users who entrust us to protect their data. At the same time, we want to help our developer community build apps that give users amazing experiences. Together, Google and developers can provide users three important ways to manage sharing their data:

  1. Give users control in deciding who has access to their account data
  2. Make it easier and safer for users to share their Google Account data with your app when they choose to do so
  3. Make it clear to users the specific data they are sharing with apps

What we are doing today

In service of that stewardship, today we are announcing an OAuth consent experience that simplifies how users can share data with apps. This experience also improves the consent conversion for apps that use incremental authorization, which requests only one scope. Users can now easily share this kind of request with a single tap.

Image description: Screenshot comparing the previous screen and the new screen shown when Example app wants to access your account (left: Previous Screen; right: New Screen).

A quick recap

Let’s summarize a few past improvements so you have a full picture of the work we have been doing on the OAuth consent flow.

In mid-2019, we significantly overhauled the consent screen to give users fine-grained control over the account data they chose to share with a given app. In that flow, when an app requested access to multiple Google resources, the user would see one screen for each scope.

In July 2021, we consolidated these multiple-permission requests into a single screen, while still allowing granular data sharing control for users. Our change today represents a continuation of improvements on that experience.

Image description: Screenshot showing the option to select what Example app can access.

The Identity team will continue to gather feedback and further enhance the overall user experience around Google Identity Services and sharing account data.

What do developers need to do?

There is no change you need to make to your app. However, we recommend using incremental authorization and requesting only one resource at the time your app needs it. We believe that doing this will make your account data request more relevant to the user and therefore improve the consent conversion. Read more about incremental authorization in our developer guides.

If your app requires multiple resources at once, make sure it can handle partial consent gracefully and reduce its functionality appropriately as per the OAuth 2.0 policy.
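The two recommendations above, requesting one scope only when a feature first needs it and degrading gracefully when the user grants only part of a request, as an added example in Python. This is not code from the post or from Google's client libraries; the feature names and the token response are constructed, while the endpoint, the `include_granted_scopes` parameter and the scope strings are documented Google OAuth 2.0 values.

```python
# Added example: incremental authorization and partial-consent handling for a
# Google OAuth 2.0 client. Feature names and sample responses are constructed.
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint (documented value).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Hypothetical feature-to-scope map for an example app. The scope strings are
# real Google API scopes; the feature names exist only for this example.
FEATURE_SCOPES = {
    "read_calendar": "https://www.googleapis.com/auth/calendar.readonly",
    "read_contacts": "https://www.googleapis.com/auth/contacts.readonly",
}


def granted_scopes(token_response):
    """Google's token response carries a space-separated 'scope' field that
    lists what the user actually granted, which may be a subset of the request."""
    return set(token_response.get("scope", "").split())


def scope_to_request(feature, token_response):
    """Scope to ask for when the user first uses `feature`, or None if it is
    already granted (no consent prompt needed)."""
    scope = FEATURE_SCOPES[feature]
    return None if scope in granted_scopes(token_response) else scope


def build_incremental_auth_url(client_id, redirect_uri, scope, state):
    """Authorization URL that requests a single scope. include_granted_scopes=true
    asks Google to fold previously granted scopes into the new token, so the
    user is prompted for only the one new permission."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "include_granted_scopes": "true",
        "state": state,  # opaque per-request value the app verifies on return
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def enabled_features(token_response):
    """Map each feature to whether its scope was granted, so the app can turn
    off only the parts the user declined instead of failing outright."""
    granted = granted_scopes(token_response)
    return {feature: scope in granted for feature, scope in FEATURE_SCOPES.items()}
```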

Assign SSO profile to organizational units or groups with the new SAML Partial SSO beta

What’s changing 

Currently, you can configure your users to authenticate through a third-party identity provider, and that configuration applies to all users within your domain. Now, you have the option to specify groups or organizational units (OUs) whose users authenticate with Google instead. This feature is available beginning today as an open beta, which means you can use it without enrolling in a specific beta program.


Who’s impacted 

Admins 


Why you’d use it 

Currently, when you configure SSO with a third-party identity provider, the setting applies to your entire domain. However, there are some instances where you may want a subset of your users, such as vendors or contractors, to authenticate with Google instead. The Partial SSO beta gives you the flexibility to specify the authentication method for various users in your organization as needed.



Getting started

Image description: Within the Admin console, navigate to Security > Settings > Set up single sign-on (SSO) with a third party IdP > Manage SSO Profile assignments to specify the OU or group that should authenticate using Google.

Availability

  • Available to all Google Workspace and Cloud Identity customers


Enhanced desktop security for Windows is now available for Google Workspace Business Plus customers

Quick launch summary

Google Workspace Business Plus customers can now manage and secure Windows devices through the Admin console, just as you do for Android, iOS, Chrome, and Jamboard devices. Now, Business Plus Admins can:

  • Set Windows policies in the Admin console to ensure that all Windows 10 devices used to access Workspace are updated, secure, and compliant with organizational policies.
  • Perform admin actions, such as wiping a device and pushing device configuration updates, on Windows 10 devices from the cloud without connecting to the corporate network.

See our previous announcement for more details on the Windows 10 management features and benefits and the Help Center to learn more about enhanced desktop security for Windows.

Rollout pace

  • This feature is available now.


Resources


Apply context-aware access policies to mobile and desktop applications

What’s changing 

Admins can now assign existing or new context-aware access levels to Google desktop and mobile applications. 

Applying context-aware access levels to mobile and desktop applications


Who’s impacted 

Admins and end users 



Why it’s important 

With context-aware access, you can set up different access levels based on a user’s identity and the context of the request (location, device security status, IP address). Expanding these policies to other Google Workspace entry points—such as the Google Drive for desktop app or using Gmail on a mobile browser—gives admins greater control over how, when, and where users can access Workspace resources. 



Automate unmanaged account onboarding with the User Invitation API beta

What’s changing


We’re adding a User Invitation API to the Cloud Identity API. This new API allows you to identify and manage unmanaged accounts.

Unmanaged accounts are users with consumer Google accounts that use your organization's email domain. The API will enable you to manage these accounts at scale, and automate sending invites to these users to transfer their account to a managed state.

The User Invitation API is initially available as an open beta, which means you can use it without enrolling in a specific beta program. See our documentation to learn more about how to use the API.


Who’s impacted 

Admins 


Why you’d use it 

Unmanaged accounts occur when a user registers for a personal Google account using an email address that matches your domain. These accounts generally exist because a user has previously signed up for a personal Google Account using their work or educational email address. 

If your organization then signs up for Google Workspace or Cloud Identity and attempts to provision a managed account with the same primary email address, the conflict needs to be resolved. 

Previously, you could only manage these existing accounts via the Admin console. The User Invitation API provides another option which can help automate resolution of these conflicts, and can make it easier to manage these conflicts at scale. 


Rollout pace 

  • This feature is available now for all users in beta. 

Availability 

  • Available to all Google Workspace customers, G Suite Basic and Business customers, and Cloud Identity customers 

Automatic group membership management with dynamic groups, now generally available

Quick launch summary 

Dynamic groups are now generally available. Dynamic groups work the same as other Google Groups, but with the added benefit that their memberships are automatically kept up to date with a membership query. Dynamic groups can be based on one or many user attributes, including addresses, locations, organizations, and relations. 


By automating membership management you can increase security, reduce errors, and alleviate user frustration while minimizing the burden on admins. 


See our beta announcement for more details and example use cases for dynamic groups. Note that at launch, you won’t be able to manage policies—like context-aware access policies—using dynamic groups. We are working on adding this functionality in the future, and will announce it on the Workspace Updates blog when it’s available. 


This joins our other recent announcements for features that make it easier to manage groups within your organization. You can now also assign groups as security groups, set group membership expiration, and see indirect membership visibility and membership hierarchies via API. We hope these features make it easier to use groups to meet the access, security, and communication needs of your organization. 


Availability 

  • Available to Google Workspace Enterprise Standard, Enterprise Plus, Education Plus, and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Education Fundamentals, or G Suite Basic, Business, and Nonprofits customers 

Security groups now generally available

Quick launch summary 

We’re making security groups generally available. Security groups help you easily regulate, audit, and monitor groups used for permission and access control purposes by simply adding the security label. See our beta announcement for more details and use cases for security groups.

We’ve recently announced several other features that can help you better manage groups in your organization and improve your security posture. These include group membership expiration and the indirect membership visibility and membership hierarchy APIs.


Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Standard and Enterprise Plus customers, as well as G Suite Basic, Business, Education, Enterprise for Education and Nonprofits customers 

Group membership expiration now generally available

Quick launch summary 

The Cloud Identity Groups API feature that enables you to set expirations for group memberships is now generally available. It was previously available in beta.


This enables admins to set an amount of time that users and service accounts are members of a group. Once the specified time has passed, users will be removed from the group automatically. Automatic membership expiration can help reduce the administrative overhead for managing groups, and can help ensure group membership is limited to the members that need access. 




This launch is another enhancement to the Cloud Identity Groups API. We recently also made the indirect membership visibility and membership hierarchy APIs generally available. Together, these make it easier to manage permissions and access control in your organization. 


Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 

Indirect membership visibility and membership hierarchy APIs now generally available

Quick launch summary 

We’re making it easier to identify, audit, and understand indirect group membership via the Cloud Identity Groups API. Specifically, we’re making the membership visibility and membership hierarchy APIs generally available. These were previously available in beta. 

Using “nested” groups to manage access to content and resources can help decrease duplication, simplify administration, and centralize access management. However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access and why. These APIs help provide all of the information you need to understand complex group structures and hierarchies, and can help you make decisions about who to add to or remove from your groups. 

See our beta announcement for more information and use cases for the APIs.


Availability 

  • Available to Google Workspace Enterprise Standard and Enterprise Plus, as well as G Suite Enterprise for Education and Cloud Identity Premium customers. 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, and Enterprise Essentials, as well as G Suite Basic, Business, Education, and Nonprofits customers 
