Single Sign-On and Group Policy

By Kayla Coco-Stotts Posted February 12, 2020

On-prem single sign-on (SSO) to Windows-based applications/systems and Group Policy Objects (GPOs) are both features included in the Windows® Server’s Active Directory role that admins have employed to manage IT resources and users for decades.

GPOs are used to execute policies and tasks on the Windows platform. Additionally, controlling access to on-prem Windows apps and systems is also a core function of AD. Some might even call that the first pass at single sign-on since one set of credentials was needed to access on-prem Windows-based resources. Both are indispensable in helping admins manage their IT environments, but only function optimally in organizations that maintain a strictly Windows-based, on-prem environment.

However, as IT infrastructure continues to evolve in favor of cloud-based innovations — and away from the legacy directory service, AD —  Microsoft’s access control for Windows-based systems/applications and GPOs struggle to work in cloud-based, heterogeneous environments. Below, we’ll discuss the implementation of a next generation concept, True SSO, and group policies, as well as solutions for circumventing the issues that arise when trying to support cross-platform, cloud-forward IT infrastructure.

What Is SSO?

Before cloud-based infrastructure existed, AD introduced the initial concept of SSO by allowing users to leverage a single set of credentials to access all their Windows-based resources (such as systems, on-prem applications, and networks). Legacy IT environments were structured around Windows infrastructure and on-prem hardware, so AD managed virtually all resources.

Fast forward a few years, and today’s idea of SSO (mainly web application SSO now) is a major facet of identity and access management (IAM), allowing users to employ their credentials for the applications they access.

Whereas applications used to be solely installed on-prem, modern web applications exist outside the four walls of the office. First generation web application SSO solutions came about in response to the common workplace inclusion of SaaS applications like Salesforce®, Slack®, and G Suite™ (formerly Google Apps) that exist in the cloud. These SSO solutions were great for controlling and monitoring access to web applications, and came with the added bonus of existing in the cloud.

However, Active Directory struggles to authenticate users to web applications. As a result, most IT teams have settled for layering web application SSO solutions on top of their existing directory service. Unfortunately, this method of layering can be costly when combined with the existing maintenance and fees of Active Directory (as well as the fact that multiple add-ons are needed with AD), and oftentimes IT teams struggle to juggle the identity separation that results from layering providers. 

What Are Group Policies?

Microsoft’s Group Policy Objects give IT admins the ability to execute scripts and tasks at boot-up, shutdown, or ad hoc. Included with AD, GPOs manage Windows fleets with policies that include:

  • Mapping network drives
  • Enabling screen lock
  • Disabling guest accounts
  • Adding password complexity
  • Disabling USB ports 
  • Managing security settings
  • Connecting to internal file servers and printers
  • Configuring additional setting

GPOs allow admins to control Windows system behaviors, which is a critical tool for compliance and security. Unfortunately, GPOs struggle in modern organizations. When it comes to system management, GPOs only cover Windows-based infrastructure, and do not manage macOS® or Linux® machines.

Modern SSO and Group Policies

Both on-prem, Windows-based access control and GPOs are powerful tools that help IT departments manage their users, systems, and applications. However, modern IT infrastructure is often mixed, with users employing a variety of cloud-based applications and systems either remotely or within their organization. Ideally, today’s directory solution is one that offers group policies (i.e. system or device management) and True Single Sign-On™ solutions that authenticate to any application or system, regardless of provider.

JumpCloud Directory-as-a-Service

JumpCloud® Directory-as-a-Service® (DaaS) is the first cloud directory service that employs a number of protocols and services that authenticate users not only to a variety of web applications but to virtually all their IT resources. DaaS uses the SAML 2.0 protocol for web applications, and provides an SSO experience for on-prem and legacy apps via LDAP.

JumpCloud also offers a managed group policy like solution that supports cross-platform environments, ensuring that True SSO is possible for virtually any IT environment. With True SSO, admins can authenticate users to their resources through a single interface. In addition, users can leverage one set of credentials for all systems, applications, and networks, making authentication a truly seamless and secure process.

What’s more, with JumpCloud’s Policies, admins can execute GPO-like commands and scripts for all systems from the cloud. Through JumpCloud’s directory services, admins can simplify IT management and manage users, systems, applications, and networks from a single console.

Learn More

Interested in finding out more about JumpCloud Directory-as-a-Service? Feel free to register for a personalized demo to see DaaS’s Policies and SSO in action, or you and up to 10 users can sign up for free.

Kayla Coco-Stotts

Kayla is a content writer at JumpCloud with a B.A. in Print Journalism from the University of Kentucky. She hails from St. Louis, Missouri, and loves to eat good food and hike Boulder's beautiful trails when she is not writing.

Recent Posts