
Answer-first summary for fast verification
Answer: Create two workforce identity pools for the partner IdPs.
The correct answer is C because Workforce Identity Federation is specifically designed for scenarios where external users (such as partner organizations) need to access Google Cloud resources using their existing identity provider credentials without requiring identity synchronization. This approach eliminates the need to create or sync user accounts in Cloud Identity, which aligns with the requirement to grant access to support engineers from two partner organizations using their existing IdPs.
Option A is incorrect because SSO for Cloud Identity requires users to have Cloud Identity accounts, which contradicts the requirement to use existing IdP credentials directly.
Option B is inefficient and not scalable for partner organizations, as it involves manual user creation.
Option D (GCDS) is unsuitable because it synchronizes user identities to Cloud Identity, which is unnecessary and contradicts the 'use existing IdP credentials' requirement, as noted in the community discussion where GCDS is described as typically for syncing from on-premises directories to Google Workspace.
Author: LeetQuiz Editorial Team
Your organization is migrating business-critical applications to Google Cloud across multiple projects. You have IAM permissions only at the organization level. You need to grant project access to support engineers from two partner organizations, allowing them to use their existing identity provider (IdP) credentials. What should you do?
A. Create two single sign-on (SSO) profiles for the internal and partner IdPs by using SSO for Cloud Identity.
B. Create users manually by using the Google Cloud console. Assign the users to groups.
C. Create two workforce identity pools for the partner IdPs.
D. Sync user identities from their existing IdPs to Cloud Identity by using Google Cloud Directory Sync (GCDS).