Hi guys, I'm Colleen. I'm from Google. I've been with Google for exactly one year and one day; actually, yesterday was my anniversary. Thank you. I work on a team that specializes in open-source integrations with Google Cloud Platform, so you might have seen my work on the GCP Service Broker, but today I'm here to talk to you about a new integration that we're exploring. This is under development, but still very much in flux. I'm still looking for a lot of feedback in terms of: is this a product that's going to be useful and helpful to you? What features would you need? What direction would you want it to go? So I'm definitely looking for a lot of feedback at the end of this session.

So we're gonna talk about the work that's planned and started right now: integrating G Suite, which you might also know as Google for Work, with Cloud Foundry authentication and permissions.

I'm just gonna level set on some acronyms to start with. UAA is User Account and Authentication, and this is the default that ships with Cloud Foundry for managing your user logins. However, most of the permissions that your Cloud Foundry developers are going to use day-to-day are managed through the Cloud Controller APIs, which is commonly abbreviated as CAPI. So these are two distinct systems. You add a user through UAA as well as through CAPI, but then managing the different sets of permissions are different pieces of information; you have to go from one system to the other. So it does pose some limitations and can make some things a little more difficult to administer. Having worked in an enterprise organization before, you know that onboarding and just permissions day-to-day can be hard and complex.
So there's a situation that I thought some of you might be able to relate to. Let's say Nancy is a new developer at your company. Your HR person will add an entry for her in the HR tool, which is usually synchronized to another system so that she can get her G Suite account all set up. So she gets an email address, and logs for those actions will go into the HR tool and into G Suite. Then you're gonna have a sysadmin who's gonna use a different system, probably, to add Nancy to some LDAP groups, because you might have other health and benefits systems that are connected that'll pull that information in. So then logs for that action will just go into the LDAP server.

And you know during onboarding you get that document that has the checklist of everything that you should have permission to, that you should set up your system with. So during her onboarding Nancy is gonna find, oh, I need to have a Cloud Foundry account made for me, and I need to have access to these orgs and spaces that my team's gonna work on. So then Nancy will probably go to her PM, and her PM will create her an account and maybe add her to everything that Nancy requests. But those documents are never complete, so a few weeks later Nancy's gonna find something that was left out, and at this point she's probably just gonna go to her team lead, and her team lead will be able to give her access directly through CAPI to whatever spaces or orgs she was missing. And again, these logs are continuing to be kind of scattered across the disparate systems: the logs that went into CAPI are only there, and then the logs from the team lead's actions might need to go into both systems.

And then say a year later Nancy switches projects, so she doesn't want to get the spam from her old team's Google Groups anymore. So her old PM removes her, and her new PM and team lead go through the same set of actions.
So they're kind of adding things in different places, but it's very reasonable to think that somebody might forget to remove her access to her old orgs and spaces. So you're kind of left with the logs scattered across these different systems, the actions are very disparate, and so it can just be kind of hard to track what's going on and where, and make sure that the permission structure is as it should be and gets propagated through all areas of the system.

So we tried to come up with a workflow that would be more consistent. It starts in the same place: Steve still adds Nancy to the HR tool, and that propagates to G Suite. This diagram, I know, kind of looks complicated, so I'm gonna walk through it. We've added a couple of things here. There's something known as Google Cloud Directory Sync; that's the box to the right of the LDAP box, and that's gonna pull from the LDAP server and propagate LDAP groups as Google Groups into G Suite. And then the application that I'm working on is simply labeled "sync", next to G Suite, and that's gonna do a very similar thing: pull from G Suite and propagate to both CAPI and UAA.

So step two, where Nancy's sysadmin adds her to the LDAP server, actually kind of takes care of some of the other steps. Her PM no longer needs to create her an account and add her to orgs and spaces; now the LDAP groups will take care of that themselves. They'll get synced into G Suite and then synced into both systems, and then the logs for that will be consistent, because they'll be available both in the sync application as well as in each of the individual systems. So if you're looking for a complete set of actions, you can go straight to the sync system to look for everything together. And then again, when the permissions need to be updated, you don't have to go into the individual systems.
Nancy's PM can just add her to a new Google Group, and that'll take that same set of actions to add her to the appropriate orgs and spaces, or give her the appropriate permissions in CAPI or UAA or both. And then you get the nice consistency of, when Nancy switches teams, her PM removes her from the Google Groups that corresponded to her old team, and that'll propagate that set of permissions through, so that you can be sure that only the people who are supposed to have access to those orgs and spaces are the ones that do.

So as I said, this is the solution. This is the sync that is under active development, pulling from G Suite into UAA and CAPI, and in a second I'll walk through that in a little bit more depth. Then these I included just because they are so common, but they are kind of optional add-ons: single sign-on by OpenID Connect is available right now with UAA, so that makes a lot of sense to add, and then this Google Cloud Directory Sync kind of gives you the full workflow from LDAP to single sign-on, and all of these permissions propagated throughout your system with consistency.

So the way that you would use this application is, you just do a config before the application runs to create a mapping of your Google Groups to a set of roles, orgs and spaces within Cloud Foundry.
So for example, you could have a finance-devs group that maps to: you should have space developer in the finance org and a finance-dev space, or something. And then when the application first starts, it's going to read that mapping and do a sync, both to make sure that it's caught up on users and groups that exist within Google and to make sure that it's caught up on that config. So it's going to read everything from Google, diff it with everything in Cloud Foundry, and then apply the appropriate transformations. And then just during the course of normal application running there's going to be a listener, so it'll listen for actions taken in G Suite, things like adding members to groups, disabling somebody's access, and then transform those into individual actions to apply to Cloud Foundry.

So I just have a quick demo of the user import functionality. I have a G Suite account set up, and you can see I have two users there, but in my Cloud Foundry users list there is only one entry, and that's my admin user. So I'm just gonna run the program, so you can see it's pulling users from Google, and it found these two right here, pulled in their information; pulled users from Cloud Foundry, only found one, which was the admin user. So it knows that it's missing these two users and needs to add them to Cloud Foundry. So if I come back out and get my users list again, now I have that admin user, but I also have my Colleen user and Dana somewhere in there; I have three total results now.

So this is a pretty quick talk. To be honest, this is all that I have to present to you right now, so I would love to take any questions now, or I'll just stick around afterwards if this sounds interesting. Again, this is very much up to the community to see what kind of features you would need, so come talk to me. Does anybody want to ask any questions now? Okay, I'm just gonna hang out over here. Thanks.
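The startup sync the talk describes (read the group-to-role mapping, read G Suite and Cloud Foundry, diff the two, apply the difference) can be modelled in a few dozen lines. The following is an added example written for this transcript; it is not code from the sync application Colleen presented. The G Suite Directory API, UAA and CAPI are replaced by constructed in-memory snapshots, and every group, org, space and user name is hypothetical. It also covers two edge cases the talk mentions only in passing: a user who is suspended in G Suite loses every mapped role on the next sync, and roles granted by hand outside the mapping's targets (here, the admin's role in an unmapped org) are left alone rather than being stripped by the reconciler.

```python
"""Added example (not the talk's sync application): reconcile Google Group
membership against Cloud Foundry org/space roles. Snapshots below stand in
for the G Suite Directory API (users, groups), UAA (users) and CAPI (roles)."""
from typing import Dict, List, Optional, Set, Tuple

# A grant target is (org, space-or-None, role): (org, None, "OrgManager") is an
# org-level role, (org, space, "SpaceDeveloper") a space-level role.
Target = Tuple[str, Optional[str], str]
Grant = Tuple[str, str, Optional[str], str]  # (user, org, space, role)

# Constructed config (hypothetical names): the roles each Google Group confers.
GROUP_MAPPING: Dict[str, List[Target]] = {
    "finance-devs@example.com": [("finance", "finance-dev", "SpaceDeveloper")],
    "finance-leads@example.com": [("finance", None, "OrgManager"),
                                  ("finance", "finance-dev", "SpaceManager")],
}

# Constructed G Suite snapshot: users with their suspension flag, and groups.
GOOGLE_USERS = {
    "colleen@example.com": {"suspended": False},
    "dana@example.com": {"suspended": False},
    "nancy@example.com": {"suspended": False},
    "former@example.com": {"suspended": True},   # access disabled in G Suite
}
GOOGLE_GROUPS = {
    "finance-devs@example.com": {"nancy@example.com", "dana@example.com",
                                 "former@example.com"},
    "finance-leads@example.com": {"colleen@example.com"},
}

# Constructed Cloud Foundry snapshot: admin holds a hand-granted role in an
# org the mapping does not manage; dana is already correct; former still has
# a stale role; nancy and colleen do not exist yet.
CF_USERS = {"admin", "dana@example.com", "former@example.com"}
CF_GRANTS: Set[Grant] = {
    ("admin", "marketing", None, "OrgManager"),
    ("dana@example.com", "finance", "finance-dev", "SpaceDeveloper"),
    ("former@example.com", "finance", "finance-dev", "SpaceDeveloper"),
}


def desired_grants(mapping, google_users, google_groups) -> Set[Grant]:
    """Expand group memberships into the grants each active user should hold.
    Suspended or unknown users get nothing, so disabling someone in G Suite
    turns into role removals on the next sync."""
    wanted: Set[Grant] = set()
    for group, targets in mapping.items():
        for member in google_groups.get(group, ()):
            info = google_users.get(member)
            if info is None or info["suspended"]:
                continue
            for org, space, role in targets:
                wanted.add((member, org, space, role))
    return wanted


def _sort_key(grant: Grant):
    # None (org-level) and str (space-level) cannot be compared directly.
    return tuple("" if part is None else part for part in grant)


def plan_sync(mapping, google_users, google_groups, cf_users, cf_grants):
    """Diff desired state against Cloud Foundry and return the actions to apply.
    Only grants whose (org, space, role) target appears in the mapping are
    reconciled: everything inside a managed target is owned by the mapping,
    everything outside it (e.g. admin's marketing role) is left untouched."""
    wanted = desired_grants(mapping, google_users, google_groups)
    managed = {t for targets in mapping.values() for t in targets}
    managed_actual = {g for g in cf_grants if g[1:] in managed}
    to_add = wanted - cf_grants
    to_remove = managed_actual - wanted
    return {
        "create_users": sorted({g[0] for g in to_add} - set(cf_users)),
        "add_grants": sorted(to_add, key=_sort_key),
        "remove_grants": sorted(to_remove, key=_sort_key),
    }


if __name__ == "__main__":
    plan = plan_sync(GROUP_MAPPING, GOOGLE_USERS, GOOGLE_GROUPS, CF_USERS, CF_GRANTS)
    for action, items in plan.items():
        print(action)
        for item in items:
            print("  ", item)
```

The listener path the talk describes can reuse the same function: apply the G Suite event (member added, user suspended) to the in-memory snapshot and re-run `plan_sync`, which yields exactly the incremental actions for that change. The ownership rule in `plan_sync` is the design decision worth getting right before deploying something like this: a target listed in the mapping is fully owned by the sync, so a role granted by hand inside one of those orgs or spaces will be revoked on the next run, while roles outside the mapping are never touched.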