Google Workspace SSO

What it is

Google Workspace (formerly G Suite) acts as an enterprise identity provider (IdP) — every Google-account employee is a user in the org's IdP tenant, and downstream apps federate to Google via SAML or OIDC. Google Workspace supports phishing-resistant MFA via FIDO2 security keys, platform authenticators (TPM / Secure Enclave / Titan), and passkeys. When enforced at the admin level, every SSO sign-in against Google requires a phishing-resistant factor.
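The federation described above has a relying-party side too: an app that accepts Google OIDC sign-ins must check the ID token's claims itself, and in particular the `hd` (hosted domain) claim, because issuer and audience checks alone also pass consumer Gmail accounts. This is an added example, not code from Fly.io or from the postmortem; the client id, domain and claim values are constructed, and signature verification against Google's JWKS is assumed to be done beforehand by the OIDC library in use.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(id_token: str) -> dict:
    # Extracts the claims only. Signature verification against Google's
    # published keys is assumed to have happened already (e.g. via google-auth).
    _header, payload, _sig = id_token.split(".")
    return json.loads(b64url_decode(payload))

def check_workspace_claims(claims: dict, client_id: str, workspace_domain: str, now=None) -> list:
    """Return the list of policy violations; an empty list means the sign-in is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("issuer is not Google")
    if claims.get("aud") != client_id:
        problems.append("token was issued for a different client")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    # hd is only set for Workspace accounts; without this check any
    # consumer @gmail.com account would pass the issuer and audience tests.
    if claims.get("hd") != workspace_domain:
        problems.append("account is not in the org's Workspace domain")
    if claims.get("email_verified") is not True:
        problems.append("email not verified by Google")
    return problems

def make_sample_token(claims: dict) -> str:
    # Builds a JWT-shaped string purely to exercise jwt_payload(); real tokens
    # carry an RS256 signature that must be verified before the claims are trusted.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed sample claims (hypothetical client id and domain).
CLIENT_ID = "12345.apps.googleusercontent.com"
SAMPLE_OK = {
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "110",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
    "iat": 1_700_000_000, "exp": 1_700_003_600,
}
# The same shape from a consumer Gmail account: no hd claim at all.
SAMPLE_GMAIL = {k: v for k, v in SAMPLE_OK.items() if k != "hd"}
SAMPLE_GMAIL["email"] = "alice@gmail.com"
```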

For SMB and mid-market orgs, Google Workspace is the default IdP — the alternatives being Okta or Microsoft Entra.

Why it's on this wiki

Google Workspace SSO appears as Fly.io's IdP-of-record in the 2025-10-08 Kurt Got Got postmortem — the canonical wiki instance of the patterns/phishing-resistant-mfa-behind-idp pattern:

"This is, in fact, how all of our infrastructure is secured at Fly.io; specifically, we get everything behind an IdP (in our case: Google's) and have it require phishing-proof MFA. You're unlikely to phish your way to viewing logs here, or to refunding a customer bill at Stripe, or to viewing infra metrics, because all these things require an SSO login through Google." (Source: sources/2025-10-08-flyio-kurt-got-got)

The downstream apps Fly.io cites as federated through Google SSO:

  • Internal logs portal
  • Stripe admin (customer billing / refund)
  • Infrastructure metrics dashboards
  • ("…and everything else" — the implicit claim is that Fly.io's internal surface is uniformly behind Google SSO)

The result: Kurt's phishing did not lead to infrastructure compromise, only to the one account (Twitter) that Fly.io had deliberately excluded from the IdP regime as a legacy deprioritised social account ([[concepts/legacy-shared-account]]).

Why Google (vs Okta / Entra)

Fly.io doesn't elaborate on the choice, but the typical trade-offs are:

  • Google Workspace — lowest friction for orgs already on Gmail/Drive; SSO federation is included in most tiers; FIDO2 support is solid; lower per-user cost than a standalone IdP.
  • Okta / Entra — stronger device-posture integration, conditional-access policies, and cross-tenant features for larger enterprises; typically chosen when the org has heterogeneous identity sources to unify.

For a Tier-3-sized company like Fly.io, Google Workspace-as-IdP is the pragmatic default.

Seen in

  • Fly.io Kurt Got Got (2025-10-08) — canonical wiki instance. Google Workspace as the single IdP for all Fly.io internal infrastructure; phishing-proof MFA enforced at the Google layer; the regime held when Kurt was phished — no infra was at risk, only the one legacy account outside the regime (sources/2025-10-08-flyio-kurt-got-got).