By Greg Keller Posted September 15, 2015
Google Apps is, without a doubt, a standout tool for employee productivity. For cloud-enabled companies, Google Apps is also the main access point to a company’s online resources and applications, including email inboxes, calendars, and documents. At the center of Google’s collaboration suite are its user accounts, and these user accounts house the single identities that give each employee authorized access to a company’s Google Apps suite, or many other applications leveraging Google’s OpenID standard.
Ideally, Google Apps and that single user identity would be the only access point. But IT administrators know that there is a lot more that must be—or at least should be—managed by an employee’s identity, such as other SaaS applications that range from CRM software to financial and accounting applications, cloud-storage solutions like Dropbox, servers and databases, LAN and WiFi access, individual machines, and many other services and resources.
So, using a user’s Google Apps identity for access to all services and resources just isn’t feasible. But here’s how the ideal situation would work: IT administrators looking to give users seamless access to a company’s resources would sync their Google Apps identity across everything. And while standards like OAuth 2.0 have eased the integration of a simple authentication layer above web-based applications, leveraging Google accounts across physical infrastructure (e.g. workstations) and other IT resources has unfortunately been largely impossible.
Much of the complication in re-purposing or extending Google accounts to IT infrastructure is related to Google’s infrastructure not having a standards-based directory. This would invariably force a lot of manual and redundant user profile management due to Google’s identity silo. Single sign-on (SSO) solutions have largely solved the challenge of syncing Google accounts across other web-based/SaaS applications, yet challenges still remain in syncing accounts with other resources, such as networks, multi-platform systems (e.g., Windows, Mac OS X, and Linux), and other hosted solutions, like Amazon Web Services or Google Compute Engine.
An Active Directory Bridge
A bridge to Microsoft’s Active Directory (AD) or LDAP is the most common solution to link some of these resources to Google accounts. This bridge, known as Google Apps Directory Sync, or GADS, is Google’s middleware component to tie Google accounts to a master directory. For the typical use case, Active Directory serves as the authoritative identity store, which then extends to and synchronizes with the Google Apps Directory. Importing from Google Accounts to AD, however, is still challenging and requires an IT admin to install, configure, and manage a middle-tier piece of software on a server. Plus, to sync Google passwords with the directory, another self-managed piece of software is required (GAPS, or Google Apps Password Sync).
Many single sign-on solutions provide functionality similar to GADS by taking care of the password sync component and, of course, including the SSO functionality to other SaaS applications as well. But these single sign-on solutions still rely on an on-premises directory, such as AD or LDAP, to be the true identity store for Windows-based platforms. The situation is similar for Mac and Linux machines. Not ideal. What is ideal, however, is a continuous sync with Google Apps, not merely updates in batch processes, because batch updates create account discrepancies or, worse, leave your organization vulnerable if an account is compromised or needs to be de-provisioned quickly.
For cloud-enabled companies, on-premises solutions are usually a means of last resort, especially if these on-premises solutions are being used only to gain incremental directory services with Google Apps. While a directory is undoubtedly a key part of IT management, it shouldn’t require the significant investment in infrastructure and ongoing maintenance that a hosted solution demands.
This is why many organizations have turned to a Directory-as-a-Service solution. JumpCloud has built an easy Google Apps account provisioning and sync feature that allows IT admins to import and manage accounts easily, while keeping them in constant sync with their Google Apps directory—all within a single, cloud-based and centralized directory that can access the things that SSO solutions cannot: Windows, Mac, and Linux systems, WiFi networks, and nearly every other IT resource across an organization.
If you’re interested in leveraging Google Apps identities for the rest of your IT resources, contact us today. You’re just one step away from the ideal IT solution.