Many IT admins struggle with the balancing act of having one foot in Google’s cloud and the other on-prem with Active Directory (AD). This article examines the ins and outs of integrating Google Workspace with AD, dissects some common pitfalls, and explores migrating from a hybrid configuration to a cloud-based identity and access management (IAM) infrastructure.
Active Directory and Google Workspace
AD is an on-prem database that is used to control user access and authentication across various IT resources, including systems, networks, file servers, applications, and more.
Google Workspace, formerly G Suite, is a cloud-based suite of productivity tools for businesses to create and collaborate easily. Its cloud-based nature means that organizations can easily adopt it since they don’t need to purchase extra software or hardware to access it. Workspace is a popular alternative to Microsoft 365 and provides optionality for IT admins to select a preferred system for IAM and device management. Many organizations already use Active Directory and decide to provision users into Workspace from that system of record.
Active Directory and Google Workspace work great respectively, but weren’t designed to work together. As a result, organizations must select the best method to integrate the systems.
Google Cloud Directory Sync (GCDS)
Formerly called Google Apps Directory Sync (GADS), GCDS was developed by Google to help bridge the gap between AD and Workspace. It leverages LDAP to sync data with Active Directory and retrieve information about users and groups. Admins can continue to manage users within AD and whatever changes they make are reflected in Workspace.
There are several considerations to keep in mind with this approach while scoping out your requirements. First, the GCDS and Active Directory sync is unidirectional. Changes made in Active Directory are reflected in Google Workspace, but there’s no writeback to AD. For instance, there’s no password writeback, limiting what’s possible within Google’s console.
GCDS also contributes to increasing organizations’ “on-prem footprint” and management overhead, which may slow down cloud migration efforts. GCDS requires a dedicated server and active management by IT admins. This translates to more hardware and higher costs.
Lastly, GCDS is purpose-built to connect AD identities to Google Workspace. GCDS x AD cannot be used as a source of truth to manage identities across non-Google tools, nor can it be used on non-Windows platforms. Google provides different integrations for those use cases.
Directory Sync
Directory sync uses an AD account to securely read user and group objects. This eliminates the requirement to manage on-prem hardware and deployments. There may also be more than one AD source (multi-directory), as opposed to GCDS, which syncs a single domain per instance.
Google Workspace works in combination with a Virtual Private Cloud (VPC) access connector to configure syncing. Admins must map the LDAP data structures between AD and Google Cloud. Organizational Units (OUs) within AD are organized differently than Google’s folders and projects resource hierarchy. There’s a low bar for knowledge about LDAP, but lifecycle management can become complex when the user state in AD differs from the synced account. Admins are then required to configure safeguards to avoid activating suspended accounts.
Single Sign-On
Active Directory single sign-on (SSO) is another method to address the Google Workspace x AD integration challenge. SSO works by using Secure Assertion Markup Language (SAML), which allows users to use their credentials to access Google Workspace and other web applications. Requirements include using Microsoft Active Directory Federation Services (AD FS), which entails setting up a server farm and can be challenging to configure.
Other considerations include:
- SSO can neither manage nor authenticate devices
- SAML can’t integrate with non-web applications or other resources (RADIUS, LDAP) without requiring additional infrastructure running the Windows Server Network Policy Server (NPS) server role
- Admins must set up point solutions for unmet requirements outside the Google Workspace x AD integration
Fortunately, Google Cloud Identity makes it possible to federate with other Identity Providers (IdPs). Google recognizes that one size doesn’t fit all and has positioned JumpCloud as the appropriate option for the SME segment, especially when organizations are migrating from AD.
Google and JumpCloud have partnered to offer a productivity and IT management package. This combination gives small and medium-sized enterprises (SMEs) a true alternative to Microsoft’s solutions to extend Workspace identities for seamlessly and centrally managed IAM with unified device management.
JumpCloud’s Open Directory Platform
Active Directory prevents many businesses that use Google Workspace from making the full switch to the cloud. Fortunately, there’s a way to modernize your IT stack while getting the most out of Google Workspace: JumpCloud’s open directory platform. JumpCloud offers a cloud directory as a replacement for, or upgrade to, Active Directory. Like Active Directory, it serves as a central user platform for an organization; unlike AD, it integrates seamlessly with Google Workspace as well as with other cloud-based and on-prem applications. It offers an alternative sync strategy for Workspace that may better support the authentication and device management requirements of SMEs that want to adopt a Zero Trust security strategy.
Supported protocols include:
- SSH keys for server management, which are more secure than passwords
- Passwordless certificates can secure RADIUS Wi-Fi access
- LDAP with integrated MFA
- SAML and OIDC for web app authentication, with a growing collection of connectors
JumpCloud operates on a platform-independent architecture, so it can be used by organizations running various operating systems and platforms, including Apple, Android, Linux, or Windows endpoints, regardless of device location. JumpCloud delivers modern authentication to assist organizations in implementing Zero Trust security strategies via MFA, conditional access, and passwordless AuthN methods. Policy templates establish healthy security postures for devices.
JumpCloud also offers integrated IT management solutions for your fleet with Remote Assist, reporting capabilities, and a Password Manager. Cross-OS patch management is available as an add-on; it also includes the capability to manage every popular web browser.
AD Synchronization and Migration
Still require AD? JumpCloud can become the new source of truth while maintaining your organization’s investments in AD. The value of this is to extend and add-on to the IAM infrastructure without having to do consolidation, migration, or deep integration. The added benefit is that JumpCloud will enable your team to leverage the most IT resources possible while admins maintain centralized control over their identities, entitlements, and devices.
JumpCloud Active Directory Integration (ADI) and Active Directory Migration Utility (ADMU) make it possible to sync changes bidirectionally or migrate a domain from AD into JumpCloud. For example, a password that’s changed within JumpCloud will sync back to AD.
Manage Google Workspace with JumpCloud
Are you ready to explore using JumpCloud’s open directory platform as your IdP? Sign up for a free trial to get started.