Approved Identity Providers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)

Ensure that the identity providers (IdPs) used for Workforce Identity Federation are approved in order to securely access Google Cloud services without setting up new identities. The list with the valid, approved identity providers must be defined in the conformity rule settings, in the Trend Micro Cloud One™ – Conformity account console.

Security

Workforce Identity Federation enables the use of an external identity provider (IdP) to authenticate and authorize a workforce (users such as employees, partners, and contractors) through IAM, so that those users can access Google Cloud services. Workforce pools extend this functionality to the workforce of a GCP enterprise customer, granting access to cloud resources via federation protocols such as OIDC and SAML without synchronizing their accounts with Cloud Identity. A workforce identity pool provider establishes the connection between your Google Cloud organization and your identity provider. Following the OAuth 2.0 Token Exchange specification, workforce identity federation works by presenting credentials from the external identity provider to the Security Token Service for verification; upon successful validation, a short-lived Google Cloud access token is returned. Keeping only approved identity providers (IdPs) in your Google Cloud workforce pools minimizes security risk, because an unauthorized IdP could grant access to unintended users.


Audit

To determine if the identity providers (IdPs) used for Workforce Identity Federation are approved by your organization, perform the following operations:

Note 1: Getting the list of workforce pool providers used by your organization via Google Cloud Platform (GCP) Management Console is not currently supported.
Note 2: As an example, the Audit process outlines the steps required to check the configuration of a SAML identity provider.

Using GCP CLI

01 Run organizations list command (Windows/macOS/Linux) with custom query filters to list the ID of each organization created with Google Cloud Platform (GCP):

gcloud organizations list --format="table(name)"

02 The command output should return the GCP organization identifiers:

ID
123412341234
111122223333

03 Run iam workforce-pools list command (Windows/macOS/Linux) with the ID of the GCP organization that you want to examine as the identifier parameter, to list the identifier of each workforce identity pool created for the selected organization:

gcloud iam workforce-pools list \
  --organization=123412341234 \
  --location=global \
  --format="value(name)"

04 The command output should return the requested workforce pool identifier(s):

locations/global/workforcePools/cc-dataflow-wfa-pool
locations/global/workforcePools/cc-project5-wfa-pool

05 Run iam workforce-pools providers list command (Windows/macOS/Linux) with the name of the workforce pool that you want to examine as the identifier parameter, to list the URI of each workforce pool provider configured for the selected pool:

gcloud iam workforce-pools providers list \
  --workforce-pool=cc-dataflow-wfa-pool \
  --location=global \
  --format="value(name)"

06 The command output should return the workforce pool provider URIs:

locations/global/workforcePools/cc-dataflow-wfa-pool/providers/cc-saml-wfa-provider
locations/global/workforcePools/cc-dataflow-wfa-pool/providers/cc-oidc-wfa-provider

07 Run iam workforce-pools providers describe command (Windows/macOS/Linux) with the name of the workforce identity pool provider that you want to examine as the identifier parameter, to return the SAML IdP metadata XML document (the saml.idpMetadataXml field of the provider resource) configured for the selected provider:

gcloud iam workforce-pools providers describe cc-saml-wfa-provider \
  --workforce-pool=cc-dataflow-wfa-pool \
  --location=global \
  --format="value(saml.idpMetadataXml)"

08 The command output should return the requested XML metadata document:

<md:EntityDescriptor entityID="http://www.okta.com/abcdabcdabcdabcdabcd">
	<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate> ... </ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
		<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml"/>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

09 Analyze the XML document returned at the previous step and find the identity provider endpoint URL listed as the value of the Location attribute within the <md:SingleSignOnService /> XML element (e.g. Location="https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml").

10 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Approved Identity Providers rule settings, and compare the IdP endpoint identified at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed in your Conformity account, the selected identity provider (IdP) is not approved by your organization.

11 Repeat steps no. 7 – 10 for each identity provider configured for the selected workforce pool.

12 Repeat steps no. 5 – 11 for each workforce identity pool created for the selected organization.

13 Repeat steps no. 3 – 12 for each organization created with Google Cloud Platform (GCP).
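The Audit steps above are manual and have to be repeated per organization, pool and provider. The following POSIX shell script is an added example (it is not code from the Conformity page, from Trend Micro, or from Google) that automates steps 01 to 09: it walks every organization, workforce pool and provider with the gcloud commands shown above, extracts each SingleSignOnService Location from the SAML metadata, and reports any endpoint that is not on an allow list. APPROVED_IDPS is an assumed stand-in for the endpoint list kept in the Conformity rule settings, and the sample metadata is constructed so the parsing and comparison logic can be run offline. The script goes slightly beyond the page in two ways: OIDC providers are judged by the provider's oidc.issuerUri field, and for each unapproved provider the corresponding providers delete command from the Remediation section is printed (never executed) so an operator can review it first.

```shell
#!/bin/sh
# Added example, not code from the Conformity page, Trend Micro or Google.
# Automates Audit steps 01-09 for workforce pool providers and flags any
# IdP endpoint that is not on an allow list.

# Assumption: one approved endpoint per line, mirroring the endpoint list
# kept in the Conformity "Approved Identity Providers" rule settings.
APPROVED_IDPS='https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml
https://login.example.com/oidc'

# Constructed SAML metadata for the offline run: the approved Okta endpoint
# under two bindings, plus one SingleSignOnService that is not on the list.
SAMPLE_METADATA='<md:EntityDescriptor entityID="http://www.okta.com/abcdabcdabcdabcdabcd">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myorg.okta.com/app/cc-dataflow_ccbyoidapp_1/abcdabcdabcdabcdabcd/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.net/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'

# Print every distinct SingleSignOnService Location URL found in the SAML
# metadata document read from stdin (step 09, done mechanically).
sso_locations() {
  grep -o '<md:SingleSignOnService[^>]*Location="[^"]*"' \
    | sed 's/.*Location="\([^"]*\)".*/\1/' \
    | sort -u
}

# Exit 0 if the endpoint is on the allow list (exact, whole-line match).
is_approved() {
  printf '%s\n' "$APPROVED_IDPS" | grep -Fxq -- "$1"
}

# Read SAML metadata from stdin, print one verdict line per endpoint and
# return 1 when at least one endpoint is not approved (step 10).
check_saml_metadata() {
  rc=0
  for url in $(sso_locations); do
    if is_approved "$url"; then
      echo "APPROVED   $url"
    else
      echo "UNAPPROVED $url"
      rc=1
    fi
  done
  return $rc
}

# Live walk over organizations -> workforce pools -> providers (steps 01-08).
# SAML providers are judged by their metadata, OIDC providers by issuerUri.
# For an unapproved provider the remediation command is printed, not run.
audit_live() {
  for org in $(gcloud organizations list --format="value(name)"); do
    org_id=${org##*/}
    for pool in $(gcloud iam workforce-pools list --organization="$org_id" \
                    --location=global --format="value(name)"); do
      pool_id=${pool##*/}
      for prov in $(gcloud iam workforce-pools providers list \
                      --workforce-pool="$pool_id" --location=global \
                      --format="value(name)"); do
        prov_id=${prov##*/}
        echo "== organization $org_id / pool $pool_id / provider $prov_id"
        saml_xml=$(gcloud iam workforce-pools providers describe "$prov_id" \
                     --workforce-pool="$pool_id" --location=global \
                     --format="value(saml.idpMetadataXml)")
        if [ -n "$saml_xml" ]; then
          printf '%s\n' "$saml_xml" | check_saml_metadata && continue
        else
          issuer=$(gcloud iam workforce-pools providers describe "$prov_id" \
                     --workforce-pool="$pool_id" --location=global \
                     --format="value(oidc.issuerUri)")
          is_approved "$issuer" && { echo "APPROVED   $issuer"; continue; }
          echo "UNAPPROVED $issuer"
        fi
        echo "   remediation: gcloud iam workforce-pools providers delete $prov_id" \
             "--workforce-pool=$pool_id --location=global"
      done
    done
  done
}

# Offline demonstration on the constructed metadata; set RUN_LIVE=1 to walk
# the real organization(s) with gcloud instead.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  audit_live
else
  printf '%s\n' "$SAMPLE_METADATA" | check_saml_metadata || echo "unapproved IdP found"
fi
```

Run it as-is to see the offline verdicts (the constructed idp.example.net endpoint is reported as UNAPPROVED), or with `RUN_LIVE=1 sh audit-idps.sh` against a project where the active gcloud account can list organizations and describe workforce pool providers. Comparison is an exact string match on purpose: a lookalike host or an extra path segment on an IdP endpoint is precisely the kind of drift this rule exists to catch, so no prefix or wildcard matching is done.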

Remediation / Resolution

To remove the unapproved identity providers (IdPs) from your organization's workforce pool, perform the following operations:

Removing workforce identity pool providers from your organization via Google Cloud Platform (GCP) Management Console is not currently supported.

Using GCP CLI

01 Run iam workforce-pools providers delete command (OSX/Linux/UNIX) with the name of the workforce identity pool provider that you want to delete as the identifier parameter, to remove the unapproved identity provider from your organization's workforce pool:

gcloud iam workforce-pools providers delete cc-saml-wfa-provider \
  --workforce-pool=cc-dataflow-wfa-pool \
  --location=global

02 The command output should return the URI of the deleted identity provider:

Deleted [locations/global/workforcePools/cc-dataflow-wfa-pool/providers/cc-saml-wfa-provider].

03 Repeat steps no. 1 and 2 for each unapproved identity provider configured for the selected workforce pool.

04 Repeat steps no. 1 – 3 for each workforce identity pool created for the selected organization.

05 Repeat steps no. 1 – 4 for each organization created with Google Cloud Platform (GCP).

Publication date May 6, 2024
