Google Workspace SAML & OIDC
Status: Scaffold — content in progress
Google Workspace can act both as an Identity Provider (issuing SAML assertions for SSO into third-party apps) and as a Service Provider (accepting assertions from an external IdP).
Google as SAML IdP
Google Workspace can issue SAML assertions for any SP configured as a SAML app (Salesforce, AWS, etc.).
Attack implication: compromise of a Google Super Admin account → ability to forge SAML assertions for any SP via the SAML app configuration → the Workspace-level equivalent of Golden SAML.
Google as OIDC Provider
Google's OIDC issuer is used by Google Cloud Platform (GCP) workload identity, GitHub Actions OIDC federation, and similar integrations.
Service Account Keys
GCP service accounts can have user-managed JSON key files that are downloadable at creation time; the key carries no expiry, so once leaked it provides persistent API access as that service account until the key is deleted or the account is disabled.
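As an added example (not code from this page), a small Python scanner that recognises GCP service-account key files by their JSON shape so leaked copies can be reported for rotation; the sample key is constructed here with a placeholder private key and a made-up key id.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Fields present in every GCP service-account key file; the private key is a PEM block.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----.*-----END (?:RSA )?PRIVATE KEY-----", re.S)
MAX_BYTES = 64 * 1024  # real key files are a few KB; skip large files

# Constructed sample: placeholder key material and a made-up key id, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-deployer@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def detect_service_account_key(text: str) -> Optional[dict]:
    """Return finding metadata if `text` is a service-account key file, else None.
    Only identifiers needed for rotation are returned; key material is never echoed."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        return None
    if not REQUIRED_FIELDS <= doc.keys():
        return None
    if not PEM_RE.search(doc.get("private_key", "")):
        return None
    return {k: doc[k] for k in ("project_id", "client_email", "private_key_id")}


def scan_tree(root: Path) -> list[dict]:
    """Walk `root` and return one finding per file that looks like a key file."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        finding = detect_service_account_key(path.read_text(errors="replace"))
        if finding:
            findings.append({"path": str(path), **finding})
    return findings


def self_check() -> int:
    """Write the sample key and a decoy into a temp dir; return the number of findings (1)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "creds.json").write_text(SAMPLE_KEY)
        (Path(tmp) / "config.json").write_text('{"type": "service_account"}')
        return len(scan_tree(Path(tmp)))
```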
Cross-Links
| Topic | Link |
|---|---|
| SAML | saml |
| GWS Overview | gws-overview |