Looking at your identity and access management (IAM) strategy as a blueprint puts Active Directory® (AD) in the role of the foundation. From there, you add building blocks, including directory extensions, single sign-on (SSO) solutions, and more, to bridge AD to the resources it struggles to manage, such as macOS® devices or SaaS apps. If your goal is to extend AD credentials to as many resources in your environment as possible, first identify which resources AD does not manage. Then you can determine which building blocks you need to add.
It is best to step back and take a comprehensive look at your environment, then look for an identity management solution that does more than fill in a few gaps and instead centralizes control over your non-Windows® resources. With this in mind, we present a strategy for identifying the resources you need to extend AD credentials to and for finding the right solution to do so.
What Isn’t Controlled by AD?
With centralization in mind, consider the current state of your IAM framework. This is where we start reading the blueprint. If you use AD, it is the central repository of user information in your IT environment; its job is to authenticate, authorize, and manage user access to your Windows-based resources. AD performs these tasks well as long as everything in the IT environment is Microsoft®-centric and joined to the domain.
But AD struggles to connect to a number of other resources. As a result, "mini directories" form that each require their own management. For users, each directory entry they are associated with means a separate username and password; for admins, it means a separate account to disable when that user leaves, which is how orphaned accounts accumulate. Think, for example, of managing a separate directory of Slack® users outside of AD. The following sets of resources present the same kind of challenge:
- Mac® and Linux® systems
- Cloud infrastructure
- SaaS applications
- WiFi networks
Building Blocks for Non-Windows Resources
To use AD credentials for the preceding resources, you need a separate method of extending AD for each. Again, consider each method a building block of your blueprint: the more blocks, the more complex the blueprint. If an admin has to maintain each building block independently, complexity increases, and so does cost.
For most organizations, the benefits of centralized control over the resources in the environment outweigh the drawbacks of maintaining individual blocks, so you will likely accept some of those drawbacks to gain centralized control. Let's look at each building block and what its integration with AD looks like.
Block 1: Directory Extensions for Mac and Linux
When you need to extend AD credentials to macOS and Linux systems, a directory extension is the way to go. This building block integrates Mac and Linux systems with your existing AD infrastructure to simplify user management; for example, you can control the lifecycle of an identity, from creation through disabling, through a single interface: AD. The challenge is finding one solution that covers both the Mac and the Linux systems in your fleet. Otherwise you end up paying for and managing two solutions to control Mac and Linux users with AD, which is two separate blocks. Depending on the building block, managing user access may also be a different solution from system management (GPO-like functions for macOS and Linux), which adds a block of its own.
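As an added example that is not part of the original article, the following shell script shows one common form of the Linux side of this building block: joining a host to AD with realmd/SSSD and then restricting interactive login to a single AD group, because the SSSD default ("permit") lets every domain user log in to every joined host. The domain corp.example.com, the join account joinsvc and the group linux-admins are hypothetical names; without --apply the script only prints the policy it would enforce, so it can be reviewed (and tested) before it touches a host.

```shell
#!/bin/sh
# Added example, not from the original article: join a Linux host to an AD
# domain with realmd/SSSD and allow only one AD group to log in.
# Hypothetical names: domain corp.example.com, join account joinsvc,
# AD group linux-admins. Run with --apply on the host; without it the
# script only prints the sssd.conf policy it would enforce.
set -eu

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"
JOIN_USER="${JOIN_USER:-joinsvc}"
ALLOWED_GROUP="${ALLOWED_GROUP:-linux-admins}"

# Render the sssd.conf that "realm join" followed by "realm permit -g"
# produces, so the login policy can be reviewed before it is applied.
render_sssd_conf() {
  domain="$1"; group="$2"
  krb_realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
  cat <<EOF
[sssd]
domains = ${domain}
config_file_version = 2
services = nss, pam

[domain/${domain}]
id_provider = ad
ad_domain = ${domain}
krb5_realm = ${krb_realm}
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
# Least privilege: only members of this AD group may log in to this host.
access_provider = simple
simple_allow_groups = ${group}@${domain}
EOF
}

# Read an sssd.conf on stdin; succeed only if it names an access provider
# other than the SSSD default ("permit"), which admits every domain user.
check_login_policy() {
  conf="$(cat)"
  case "$conf" in
    *"access_provider = permit"*) return 1 ;;
    *"access_provider = "*)       return 0 ;;
    *)                            return 1 ;;
  esac
}

apply_join() {
  realm discover "$AD_DOMAIN"                      # DNS/SRV records must resolve first
  realm join --user="$JOIN_USER" "$AD_DOMAIN"      # creates the computer object, writes sssd.conf
  realm permit -g "${ALLOWED_GROUP}@${AD_DOMAIN}"  # access_provider = simple + the group
  check_login_policy < /etc/sssd/sssd.conf \
    || { echo "sssd.conf still permits every domain user" >&2; exit 1; }
  systemctl restart sssd
  getent group "${ALLOWED_GROUP}@${AD_DOMAIN}"     # the group must resolve through SSSD
  realm list
}

case "${1:-}" in
  --apply) apply_join ;;
  *)       render_sssd_conf "$AD_DOMAIN" "$ALLOWED_GROUP" ;;
esac
```

The check in apply_join is the part worth keeping even if you join hosts some other way: a joined host whose sssd.conf has no access_provider line, or has it set to permit, is a host every AD user can log in to. Equivalent per-host restriction is also possible with access_provider = ad plus ad_access_filter or GPO-based logon rights, which realmd does not set up for you.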
Block 2: Cloud Infrastructure Integrations
Each cloud provider has its own set of integrations with AD. If you use multiple cloud providers, such as AWS® and GCP™, you may need multiple extensions, or blocks, as well. Note that some integrations work entirely from the cloud, while others require you to install additional on-prem servers or appliances to federate on-prem AD identities to cloud-based infrastructure.
Block 3: SSO for Extending AD to SaaS Apps
You are most likely aware of single sign-on (SSO) solutions used to extend AD credentials to web applications such as Salesforce®, Slack®, and hundreds of others. These SSO solutions have existed for a long time and come in multiple delivery forms: some run on-prem, and others IT organizations buy "as a service." Naturally, on-prem solutions mean more maintenance work for you, and cloud-based solutions can get expensive for what they do, which is usually just to manage access to web applications. Either way, they are another solution that increases the complexity of your IT environment, just like adding more blocks to your blueprint.
Block 4: RADIUS for WiFi Networks
Networks, a critical building block, used to be wired, and users accessed them with their AD credentials. WiFi changed that: users began connecting with a shared pre-shared key (PSK). That is not a network security best practice, because a shared password spreads easily to people outside the organization, cannot be revoked for one person without being changed for everyone, and changing it means reconfiguring every device. RADIUS, with 802.1X/EAP enabled on the access points, addresses this risk by authenticating each user with their own AD credentials, so disabling the AD account also cuts off WiFi access, but it brings setup and maintenance challenges of its own. You could select Microsoft's solution, Network Policy Server (NPS), but non-Windows users and clients need extra attention. Or you could go with FreeRADIUS and have another on-prem solution to look after.
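As an added example that is not part of the original article, here is one way to stand up the FreeRADIUS option above with AD as the password store: Samba's winbind joins the RADIUS host to the domain, and the FreeRADIUS mschap module hands each PEAP/MS-CHAPv2 inner authentication to ntlm_auth, so every WiFi user presents their own AD credentials and no PSK exists to leak. The domain corp.example.com, the access point at 10.0.10.21, the user testuser and the Debian file paths (/etc/freeradius/3.0, daemon user freerad, group winbindd_priv) are assumptions; other distributions use different paths and a different privileged winbind group. Without --apply the script only prints the configuration it would write.

```shell
#!/bin/sh
# Added example, not from the original article: back FreeRADIUS with AD via
# Samba winbind so WiFi clients authenticate with 802.1X (PEAP/MS-CHAPv2)
# using their own AD credentials instead of one shared PSK.
# Hypothetical: domain corp.example.com, one AP at 10.0.10.21, Debian paths
# (/etc/freeradius/3.0, daemon user freerad, group winbindd_priv).
# Run with --apply on the RADIUS host; without it only the config is printed.
set -eu

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"
RADDB="${RADDB:-/etc/freeradius/3.0}"
AP_SECRET="${AP_SECRET:-replace-me-with-a-long-random-secret}"

# smb.conf: the RADIUS host joins the domain like any other member server.
render_smb_conf() {
  krb_realm="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
  cat <<EOF
[global]
  security = ads
  realm = ${krb_realm}
  workgroup = ${krb_realm%%.*}
  winbind use default domain = yes
EOF
}

# mschap module: hand the MS-CHAPv2 challenge/response to ntlm_auth, which
# asks the domain controller through winbind. require_encryption and
# require_strong refuse sessions that would negotiate weak or no MPPE keys;
# --allow-mschapv2 is required by recent Samba releases.
render_mschap_module() {
  cat <<'EOF'
mschap {
  use_mppe = yes
  require_encryption = yes
  require_strong = yes
  with_ntdomain_hack = yes
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
EOF
}

# The RADIUS shared secret protects only the AP-to-server leg, but it is
# still a password: refuse the stock "testing123" and anything under 16 chars.
check_nas_secret() {
  [ "$1" != "testing123" ] && [ "${#1}" -ge 16 ]
}

# One client block per AP, each with its own secret, so one leaked AP config
# does not expose every other AP.
render_client() {
  name="$1"; ip="$2"; secret="$3"
  check_nas_secret "$secret" || { echo "weak RADIUS secret for $name refused" >&2; return 1; }
  cat <<EOF
client ${name} {
  ipaddr = ${ip}
  secret = ${secret}
  nas_type = other
}
EOF
}

apply_config() {
  render_smb_conf "$AD_DOMAIN" > /etc/samba/smb.conf
  net ads join -U Administrator          # prompts for the join account password
  systemctl restart winbind
  usermod -a -G winbindd_priv freerad    # FreeRADIUS needs winbind's privileged pipe
  # Prove the AD leg works before involving any AP (prompts for the password).
  ntlm_auth --request-nt-key --username=testuser
  render_mschap_module > "$RADDB/mods-available/mschap"
  # PEAP as the outer EAP method; the inner MS-CHAPv2 goes through mschap above.
  sed -i 's/^\(\s*\)default_eap_type = md5/\1default_eap_type = peap/' "$RADDB/mods-available/eap"
  # Replace the test certificates in $RADDB/certs with a CA-issued server
  # certificate: a client that cannot validate the server will hand its
  # MS-CHAPv2 response to a rogue AP that impersonates the SSID.
  secret="$(openssl rand -base64 24)"
  render_client ap-floor1 10.0.10.21 "$secret" > "$RADDB/clients.conf"  # replaces the stock file
  echo "configure ap-floor1 with RADIUS secret: $secret"
  systemctl restart freeradius
}

case "${1:-}" in
  --apply) apply_config ;;
  *) render_smb_conf "$AD_DOMAIN"; render_mschap_module
     render_client ap-floor1 10.0.10.21 "$AP_SECRET" ;;
esac
```

Two things in this block are the ones to carry over to any RADIUS deployment, NPS included: the per-AP secret check (the default testing123 client secret is still found in production) and the server certificate step, since with PEAP the supplicant's trust in that certificate is the only thing that stops a rogue access point from harvesting MS-CHAPv2 responses.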
Blueprint Building Block Wrap Up
Of course, there are more building blocks to consider: MFA and SSH key management, for example. In short, the real purpose of this list is to get you thinking about all the workarounds, integrations, and add-ons you have had to install and pay for over the years. Why not find something that can do all of them for you from a cloud-based interface that requires no hardware maintenance?
Ultimately, the blueprint becomes much easier to read when a single building block controls all your non-Windows resources. Instead of managing multiple solutions, what benefits you most is the ability to do it all from one place. JumpCloud® Directory-as-a-Service® provides this functionality, and because it is delivered as a service, you choose exactly what you extend AD to and pay for nothing more. For the full details on extending AD credentials, check out our Active Directory Integration product page.
Or, if you want to get your hands dirty with Active Directory Integration, sign up for a free JumpCloud account. With it, you can test the full functionality of the product for up to 10 users — at no cost to you. Start simplifying your IAM blueprint today.