The context is wanting to use Google IAP to secure access for a set of business and individual customers. There is a single central service running in Google Cloud which supports multiple customers and hence multiple non-overlapping security zones. It is not economic to dedicate a service per security zone.

Per //cloud.google.com/iap/docs/signed-headers-howto the user information available is their email and a long-term Google user id. However, there may be multiple authorized users (employees) for a given business security zone. Is there a simple, secure way to map from an individual identity to some kind of group identity? In the ideal, during the initial granting of access to an account, a secure group identity (business name) would be assigned and it would be passed in as part of the secure headers.

Given that this multi-tenant application deployment model is very common, I am expecting Google to have provided for it, but I can't find a reference in their documentation. Any help will be appreciated.

Richard

1 Answer

There's not a good way to do this today, but I acknowledge that this is a painful gap, and it's on the roadmap. --Matthew, Google IAP Engineering
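Since IAP supplies only the individual identity, the individual-to-zone mapping has to live in the application itself. The following is an added example (not from the question, the answer, or Google's IAP code) showing one way to do that: the app decodes the claims of the IAP-signed `x-goog-iap-jwt-assertion` header, keys a tenant registry on the stable `sub` account id rather than the mutable email, and admits a request only when the caller is enrolled in the zone the request targets. The registry entries, tenant names and `fixture_assertion` helper are constructed assumptions, and signature/audience verification of the token is assumed to have happened before these functions run.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Constructed registry (hypothetical ids): each enrolled account maps to one
# zone, keyed on the stable "sub" id rather than on email, which can be reassigned.
USER_TO_TENANT = {
    "accounts.google.com:111111111111111111111": "acme-corp",
    "accounts.google.com:222222222222222222222": "acme-corp",
    "accounts.google.com:333333333333333333333": "richard-personal",
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    email: str
    tenant: str

def claims_from_assertion(assertion: str) -> dict:
    """Decode the payload of an x-goog-iap-jwt-assertion token. Signature and
    audience must already have been verified (e.g. with google-auth)."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def resolve_principal(claims: dict) -> Optional[Principal]:
    """Map an individual IAP identity to its zone; None if not enrolled."""
    user_id, email = claims.get("sub"), claims.get("email")
    if not user_id or not email:
        return None
    tenant = USER_TO_TENANT.get(user_id)
    return Principal(user_id, email, tenant) if tenant else None

def authorize(headers: dict, requested_tenant: str) -> Optional[Principal]:
    """Admit the request only if the caller is enrolled in the zone it names."""
    assertion = headers.get("x-goog-iap-jwt-assertion")
    if not assertion:
        return None  # request did not arrive through IAP
    principal = resolve_principal(claims_from_assertion(assertion))
    if principal is None or principal.tenant != requested_tenant:
        return None
    return principal

def fixture_assertion(claims: dict) -> str:
    """Constructed, unsigned token for offline tests; real ones are signed by IAP."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"
```

A user who is authenticated by IAP but absent from the registry, or who asks for a zone other than their own, is denied, which is what keeps the zones non-overlapping.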