By Ryan Squires Posted January 3, 2020
Is it possible to have one login to systems, apps, and networks? To rephrase the question, can you implement a single identity for a user to authenticate into macOS®, Windows®, Linux®, web applications, and WiFi? The challenge starts with the foundation of identity and access management (IAM): the directory.
Let’s start with the conventional approach to unifying user identities (Microsoft® Active Directory®) and move from there to modern alternatives.
One Login for All Resources with AD
With a legacy tool like Active Directory (AD), integrating non-Windows systems marks the first hurdle. Mac® and Linux machines can bind to an AD domain natively over Kerberos and LDAP (macOS ships an AD connector, and Linux has SSSD/realmd or Winbind), but AD's management tooling (Group Policy) targets Windows only, so you'll typically need an identity bridge or agent to both bind non-Windows users to AD and manage those devices. This lets users authenticate their Mac and Linux logins against the directory and lets IT admins manage users on those devices.
That’s one piece of the equation, but you still need to enable access to applications and networks with a single login.
For app access, IT admins need to layer even more onto AD. You could go with Azure® Active Directory (Azure AD or AAD, since renamed Microsoft Entra ID) for SSO, but if you go the AAD route, you need to realize it's not a replacement for on-prem AD. You'll use them in conjunction, synchronizing identities from AD to AAD with a connector such as Azure AD Connect.
AAD may not represent the best solution for everyone, and IT admins must weigh many considerations. A wide range of web application single sign-on solutions can federate AD identities to the web via SAML or OIDC. You will end up with one login to your on-prem Windows systems and your web applications, but you may not be able to achieve that with one solution.
Further, you’ll want to consider additional requirements related to the provisioning and management of web application access. Do you need Just-in-Time (JIT) provisioning and/or the System for Cross-domain Identity Management (SCIM) protocol? Is the usability of the user portal an important piece to the equation? What about pricing?
Note: Check out our SSO Buying Guide for more.
Many factors go into choosing an SSO provider. But here lies the simple truth: whether you pick AAD for SSO or another IDaaS (identity-as-a-service) solution, you now have at least four components to fuse together for systems and applications: AD itself, the identity bridge for Mac and Linux, the directory sync connector, and the SSO provider.
For organizations using on-prem AD, network authentication through RADIUS generally happens via Network Policy Server (NPS). NPS integrates easily with AD because it's a Microsoft solution, so this may not be the most difficult part of the equation. Alternatively, you could run FreeRADIUS as your RADIUS server with AD as the user store, authenticating through Winbind/ntlm_auth (for MSCHAPv2) or LDAP. Either way, the core user identity that RADIUS authenticates against resides in the directory.
The challenge with RADIUS will always center on integrating it with everything that exists in your environment. That means connecting it to the identity provider and registering every RADIUS client (WAPs, VPN concentrators, switches, and routers), each with its own shared secret and, ideally, EAP/TLS server certificates that supplicants are configured to validate. Your RADIUS server becomes another resource to manage, bringing the total to five in our example.
Identifying the Problem
Of course, these aren’t the only tools you must integrate. When you bring MFA and SSH keys into the equation, you’re looking at around seven total tools to manage identity and access, depending on what additional tools you use.
That's a lot to integrate, manage, and pay for. Ultimately, your job is to make your users' lives easier while securing your assets, and every additional integration point is another place for configuration drift and inconsistent access policy. A single solution where you could manage your systems, applications, files, and networks from one interface would benefit you greatly. Delivered as a service, the infrastructure that powers it would require no management on your end. One such solution is Directory-as-a-Service® (DaaS).
Cloud-Based Directory Services
DaaS eases the challenges of decentralized identity and access management (IAM). Users can leverage a single identity to access:
- Systems (Windows, Mac, Linux)
- Applications via LDAP and SAML
- Networks through RADIUS
- Files in the cloud and on-prem
- SSH key access to AWS® and others
For peace of mind you can then protect systems, applications, and networks with a second factor of authentication (MFA) using time-based one-time password (TOTP) apps such as Google Authenticator™. Instead of having to integrate upwards of seven tools to perform IAM tasks, you can replace AD with JumpCloud and make that number just one. Or, if you must maintain AD on-prem, that number becomes two.
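To show what the second factor above actually verifies, here is an added example (not JumpCloud's code and not from the original post) of TOTP per RFC 6238, the algorithm behind Google Authenticator and similar apps: the server and the app share a secret, both derive a counter from the current time, and the server accepts a code only inside a small clock-drift window, compares it in constant time, and refuses to accept the same counter twice (replay). The secret, times, and expected codes are the RFC 6238 test vectors; the drift window and replay-tracking policy are design choices assumed here, not part of the RFC.

```python
"""TOTP (RFC 6238) generation and verification as used by authenticator apps.

Added illustration; the secret and expected codes below are the published
RFC 4226 / RFC 6238 test vectors, not production values.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 shared secret for SHA-1 test vectors (20 ASCII bytes).
RFC_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would receive it (base32, no padding).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since epoch."""
    return hotp(secret, for_time // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret as shown in an otpauth:// URI (padding optional)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, now: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Verify a submitted code against the current time.

    Returns the accepted time-step counter, or None if the code is rejected.
    - `window` allows +/- that many steps of clock drift between app and server
      (assumed policy: 1 step, i.e. 30 s either side).
    - `last_counter` is the counter of the last code this user successfully used;
      any counter at or below it is refused so a captured code cannot be replayed.
    - Comparison uses hmac.compare_digest to avoid a timing side channel.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Round-trip the base32 form an app would scan from a QR code.
    assert secret_from_base32(RFC_SECRET_B32) == RFC_SECRET
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("TOTP at T=59:", totp(RFC_SECRET, 59, digits=8))
    # Accept once, then refuse the same counter as a replay.
    used = verify_totp(RFC_SECRET, "94287082", 59, digits=8)
    print("accepted counter:", used)
    print("replay accepted?", verify_totp(RFC_SECRET, "94287082", 59,
                                          last_counter=used, digits=8))
    print("current 6-digit code:", totp(RFC_SECRET, int(time.time())))
```

Note the trade-off the window introduces: each extra step of tolerance gives an attacker one more valid code per attempt, so pair TOTP with rate limiting on the verification endpoint, and store `last_counter` per user so an intercepted code is single-use.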
Finally, because JumpCloud provides this functionality as-a-service, you don’t have to maintain these tools. Our team of experts manages the infrastructure and you manage your users. And your users get one login identity to their systems, apps, and networks.
Try JumpCloud Today
Ready to leave behind the pile of IAM products taking up your time and capital? Schedule a demo or sign up for a free account to see all the ways JumpCloud simplifies your IAM needs. When you sign up your first 10 users are free forever.