1
votes

I have a SaaS application with a bunch of users, and I want to provide the ability for my users to work with their data in Google BigQuery. The thing is, I want my users to be able to use any random application out there (like, say, Tableau or Power BI) using their standard built-in BigQuery connectors. BigQuery connectors generally show the Google login page to retrieve Google credentials to call BigQuery with...but my users are not Google users, they don't have Google credentials. So my question is: how can I sign my users into Google using my application's sign-in credentials, from the Google login page?

The options I know about are:

  1. G Suite - I provision a new Google user account for each of my users on a custom domain, and set up my application as their identity provider (SAML or whatever). This is a good option, but at $6 per user per month it's extremely steep.
  2. Gmail - I could provision each user their own Gmail account, which would be free...but afaik I could not set my application to be their identity provider, so I'd have to provide them another password and manage rotating it etc...it would be hacky/fragile and sounds like a support nightmare.
  3. BYO Google account - Require the user to provide their own Google account...they configure it in my app and I grant that account access to their data in BigQuery. I personally like this option, but I'm told it is not acceptable from a business/product design/user experience POV (we cannot require the user to manually go create an account in a different system to use a feature of our application).
  4. Google Identity Platform - This almost seems like exactly what I want, except from what I can tell there's no way to actually create a real Google identity that you can use to log in on the real Google login page - you can only create identities that can authenticate on your own custom login page...which won't work (cuz 3rd party app BigQuery connectors will always display the real Google login page).
  5. GCP service accounts - Included for the sake of completeness, but these accounts also cannot log in via the standard Google login page, so they also will not work.

From what I can tell G Suite is my only real option....but it's disproportionately pricey - I will be paying more for my users simply to be able to authenticate than I will be for all the GBs of BigQuery data transfer/querying...which seems odd.

I'm hoping I'm missing an option, or misunderstanding something. Can someone shed some additional light on this for me?...or confirm that these are, indeed, the only Google user account options available?


1 Answer

0
votes

> how can I sign my users into Google using my application's sign-in credentials, from the Google login page?

You cannot. Your users will need a Google Account or supported account such as G Suite or Identity Platform.

> From what I can tell G Suite is my only real option....but it's disproportionately pricey - I will be paying more for my users simply to be able to authenticate than I will be for all the GBs of BigQuery data transfer/querying...which seems odd.

Your assumption is incorrect. You can have G Suite + Identity Platform together. This means you only need to license users that need to receive email or Google apps; other users are free. This does mean that you need to create users in G Suite / Identity Platform.

> BYO Google account

I strongly recommend not using BYO Google accounts. You have no control over these accounts.

> Gmail

This is the same thing (usually) as a BYO Google Account. Again, I strongly recommend not using Gmail accounts either.

My recommendation is to create a G Suite Account, make yourself the Super Admin and license yourself. This does require a domain name*. Then add Identity Platform and create all the users you need.

*I have not personally verified this but I am confident that you can create a subdomain from your top-level domain for G Suite. Example: accounts.example.com.