| HN Mirror

It's maybe clearer to say, Google enables any company's Google Workspace administrator to do high-touch account management, and/or to set up tricky things with accounts.

There's BeyondCorp; there's two-way SAML directory binding (i.e. Google can be your enterprise's IdP for other service, or you can use your enterprise's IdP to sign into Google!); there's GCP Application Default Credentials; MFA device bindings; "application passwords" to pass through 2FA requirements; the ability to tell the auth layer to temporarily disable a user's password prompts via the admin dashboard; Google Take-out; Workspace account data export for terminated users; detachable adjunct accounts (e.g. Youtube channels); etc x1000.

Did you know that tucked away within every Google account is a set of AWS-looking credentials, that exist only to allow object-storage clients that only speak the de-facto "S3-compatible" object-storage API, to interact with Google Cloud Storage, authed as a given user? That's the kind of thing that using Google as your IdP gets you.

Github, meanwhile... if you're not using Github Enterprise, you can't even sync team memberships from your enterprise directory, so you have to grant your HR people org admin(!) access, so that they can grant and revoke team memberships during employee onboarding/offboarding.