By Kayla Coco-Stotts Posted January 2, 2020
One of the most sought-after Microsoft® Active Directory® (AD) add-ons is web application single sign-on, with good reason. Single sign-on for web applications dramatically increases ease of access for the user looking to utilize Software-as-a-Service (SaaS) resources while providing IT admins with the tools they need to keep user and network information secured from hacking threats. With such a beneficial tool at the ready, IT admins have increasingly begun to explore how to sync AD with web applications.
How Do I Integrate an Application with Active Directory?
Thankfully for IT admins, there is a host of solutions for connecting users to resources outside of the Windows® environment. It’s important to note that these solutions require varying amounts of planning, implementation, and maintenance, which will be covered below.
Most of these are narrowly focused on single sign-on (SSO), so IT admins must handle multiple add-ons to extend AD to the other IT resources (e.g. macOS® and Linux® systems, on-prem apps, etc.) that users may need or want to access. These add-ons, though minor at first, can snowball into expensive, time-intensive services that each answer only one particular problem.
Integrate Third-Party Solutions with Active Directory
First-generation Identity-as-a-Service (IDaaS) solutions, commonly known as SSO services, came about in response to user preference for cloud-based productivity suites like G Suite™ (formerly Google Apps for Work) and Office 365™, and web-based applications such as Salesforce®, GitHub, Slack®, and many more.
These first-generation services were meant to be used in conjunction with Active Directory, giving IT admins two interfaces to maintain and work from so users could be securely connected to the resources they wanted to use.
Web application SSO solutions use the SAML protocol to secure the data exchanged between AD and web applications. However, it’s important to note that SAML authentication alone is not the most secure way to protect organizations from potential attackers, and it is recommended to use multi-factor authentication (MFA) in conjunction with third-party SSO web application solutions.
The issue with web application single sign-on services is that they sit on top of Active Directory, decreasing productivity for admins by splintering a previously singular interface. In addition, admins currently paying for Microsoft licensing and services increase costs by adding these third-party add-ons to bridge AD to cloud services.
Leverage Microsoft Active Directory Federation Services
Active Directory Federation Services (AD FS) was born out of Microsoft’s response to admins’ increasing need to find a way to authenticate and authorize users to web applications and productivity suites.
AD FS is a software component that authenticates AD users to various web applications. It works in conjunction with AD, establishing a trust between the Windows® domain controller and another service, most commonly a web application, which then either grants or denies a user access to a given resource.
Although AD FS is more tightly integrated with the Microsoft stack than third-party solutions, it’s still seen as expensive to use (requiring additional licensing) and somewhat insecure, as it does not offer native MFA for the applications users are trying to access. With cybercrime rising at exponential rates, IT admins will have to install extensions to implement MFA within AD FS.
Additionally, AD FS is generally housed on-prem, although the AD FS server can instead be installed in the cloud and communicate with AD’s on-prem domain controller. This federation sync can take anywhere between 15 and 45 minutes, decreasing productivity for admins waiting for their hybrid environment to entirely sync during onboarding or offboarding.
If AD FS is housed on-prem alongside AD, then admins need to keep flexibility in mind when confronting the time and costs required to procure, integrate, and maintain additional servers.
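The SAML exchange described above and the AD FS trust relationship both end with the web application (the SAML service provider) deciding whether to accept an assertion issued by the federation service. The following Python is an added example, not code from the original post or from JumpCloud or Microsoft: it models the checks a service provider applies after the XML signature has been verified (issuer, validity window, audience, recipient and InResponseTo, and replay). The entity IDs, URLs, request IDs and the assertion text are constructed placeholders, and XML-DSig verification is assumed to be done beforehand by a dedicated library.

```python
"""Added example: service-provider (SP) side checks on a SAML 2.0 assertion.

Assumptions (not from the article): the XML-DSig signature has already been
verified by a dedicated library; entity IDs, URLs, IDs and the assertion text
are constructed placeholders.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed identifiers for the federation service (IdP) and the web app (SP).
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
SP_ENTITY_ID = "https://app.example.test/saml/metadata"
SP_ACS_URL = "https://app.example.test/saml/acs"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift


def build_assertion(audience=SP_ENTITY_ID, in_response_to="_req-42",
                    not_before="2020-01-02T09:59:00Z",
                    not_on_or_after="2020-01-02T10:05:00Z",
                    assertion_id="_assertion-0001"):
    """Return a constructed (unsigned) assertion; parameters let callers vary it."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}"
    Version="2.0" IssueInstant="2020-01-02T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
          Recipient="{SP_ACS_URL}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2020-01-02T10:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now_iso, expected_request_id, seen_ids):
    """Apply the SP-side checks. Returns (accepted, reason, subject)."""
    now = parse_time(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML Assertion", None
    # 1. The assertion must come from the federation service we trust.
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        return False, "unexpected issuer", None
    # 2. Validity window, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions", None
    if now < parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        return False, "outside validity window", None
    if now >= parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "outside validity window", None
    # 3. The assertion must be addressed to this SP, not to some other relying party.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch", None
    # 4. Bearer confirmation: delivered to our ACS URL, for a request we issued.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "missing SubjectConfirmationData", None
    if scd.get("Recipient") != SP_ACS_URL:
        return False, "recipient mismatch", None
    if scd.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch", None
    if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "outside validity window", None
    # 5. Replay protection: each assertion ID may be consumed exactly once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed or missing assertion ID", None
    seen_ids.add(assertion_id)
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return True, "ok", subject


if __name__ == "__main__":
    seen = set()
    print(validate_assertion(build_assertion(), "2020-01-02T10:01:00Z", "_req-42", seen))
    # Presenting the same assertion a second time is rejected as a replay.
    print(validate_assertion(build_assertion(), "2020-01-02T10:01:00Z", "_req-42", seen))
```

Note what these checks do and do not establish: a passing assertion proves only that the trusted federation service authenticated the named subject for this application within the window. Nothing in the assertion itself adds a second factor, which is why the article's recommendation to pair SSO with MFA has to be enforced at the identity provider (or by an extension to it), not by the relying application.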
Of course, more recently, IT admins have had the option of leveraging Azure Active Directory as an extension of on-prem Active Directory for web applications. This approach can be interesting for organizations that are largely Microsoft and Azure focused. IT admins should note that the process of extending AD to Azure AD and ultimately to web applications is neither easy nor free of cost. There are usually a number of different components required (e.g. Azure AD Connect), plus a per-user license fee for Azure AD’s web application SSO services. The other issue is that IT admins will be closely tied to Microsoft and Azure solutions, making it difficult to integrate macOS, Linux, AWS, G Suite, GCP, and many others.
Integrate Active Directory with a Cloud-Based Directory Service
The biggest challenge admins face when syncing AD with web applications is that end users need resources beyond web applications. Users can require a variety of resources to accomplish their daily needs, including:
- AWS® cloud servers and network infrastructure
- macOS and Linux systems
- WiFi networks and VPNs that connect users to their applications and data
Ideally, IT admins could find a solution that syncs AD with web applications, as well as all these other non-domain IT resources. JumpCloud® Directory-as-a-Service® makes syncing users to resources simple, secure, and admin-friendly. Think of this process as True Single Sign-On™.
With built-in SAML 2.0 and LDAP support, admins are able to authenticate users to virtually any application or productivity suite they need. Additionally, Directory-as-a-Service (DaaS) offers native MFA and RADIUS functionality so that all access and data are protected, no matter the system, application, or network.
For admins looking to keep Active Directory as their core identity provider, JumpCloud’s AD Integration joins legacy directory services with modern needs, all while maintaining a singular interface to Make Work Happen™.
If interested in learning more about JumpCloud’s ability to sync Active Directory with web applications, check out our guide to Directory-as-a-Service. Alternatively, you and up to 10 users can try out our domainless directory service entirely free.