Monday, November 23, 2020

Make specific applications exempt from session length policy

What’s changing 

Last year, we launched an open beta that enabled Cloud Identity admins to configure a session length (a.k.a. “reauth”) for Google Console and Cloud SDK. Now, we’re enhancing session length controls by allowing you to exempt specific applications from the reauth policy. We hope this will make it easier to roll out this feature in your domain. 


Who’s impacted 

Admins 


Why you’d use it 

The Google Cloud session control feature applies a session length to Google’s own GCP admin tools, as well as customer-owned and third-party applications that use the cloud-platform scope. When the configured session length expires, the application will require the user to reauthenticate to continue operating, analogous to what would happen if an admin revoked the refresh tokens for that application. The reauthentication requirement can help reduce unauthorized access to sensitive data. 

We heard your feedback that there are some scenarios that make it difficult to roll this out. For example, some applications do not gracefully handle the reauth scenario, causing confusing application crashes or stack traces. Some other applications are deployed for server-to-server use cases with user credentials instead of the recommended service account credential, in which case there is no user to periodically reauthenticate. Customers impacted by these scenarios are unable to roll out session controls to any applications as it will cause these apps to work improperly. 

This update allows you to add these apps to a trusted list, temporarily exempting the apps from session length constraints, while implementing session controls for all other GCP admin surfaces. 
The previous session control settings page in the Admin console 

The new session control settings page in the Admin console. Note the new “Exempt trusted apps” checkbox. 

Getting started 

  • Admins: This feature will be OFF by default and can be enabled manually using the “Exempt Trusted apps” setting. For more information on how to review the apps currently requiring cloud-platform scopes, and how to add those apps to the Trusted list, visit our Help Center
  • End users: There is no end user setting for this feature. 

Rollout pace 

Availability 

  • Available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus, as well as G Suite Basic, Business, Education, Enterprise for Education, and Nonprofits, and Cloud Identity customers

Resources