G Suite and Active Directory Authentication
As G Suite pushes deeper into the market, now reaching nearly 6 million organizations managing some 60 million user accounts, organizations adopting G Suite are facing an inevitable requirement to ‘unify’ identities for centralized control, compliance, and security needs. In many cases, organizations are utilizing Microsoft Active Directory, a self-hosted and self-managed directory solution. The challenge is to ensure uniformity between an employee’s identity in Active Directory and their Google User Account.
To assist in situations like this, Google offers a self-hosted and managed ‘middleware’ application called G Suite Directory Sync, commonly known as ‘GADS’. This software is installed on a Windows or Linux server, and is integrated with Active Directory to enable user profiles to be pushed and subsequently updated from AD to G Suite. As a self-hosted solution, GADS requires the organization to administer and manage all uptime and availability chores, ensure a stable and reliable connection between G Suite and Active Directory, and secure the system.
A typical configuration of GADS is as follows. GADS will be installed on premises (or on a co-located/IaaS server owned by the organization) and integrated with the G Suite domain owned by the organization:
Once installed, GADS is configured through its accompanying GUI: the administrator enters the AD server settings and connection information, is then prompted for the Google domain connection credentials, and finally defines which data must be synchronized from the AD server to Google.
Passwords are another issue when utilizing GADS. GADS does not support strong password hashing; it can only read passwords stored as SHA-1 or MD5 hashes (it should be noted that SHA-1 was broken many years ago). Further, these hashes cannot be salted, which further complicates security needs: every account sharing a password produces the identical hash value, and a hash can be matched against a table computed once for all accounts.
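To make the unsalted-hash limitation concrete, the following Python is an added example (not from the original article or from GADS itself); the sample accounts, the salt handling and the SHA-256 comparison are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample accounts; two users happen to share a password.
# Plaintext appears here only to build the demonstration.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2017!",
    "bob": "Summer2017!",
    "carol": "correct horse battery staple",
}


def unsalted_digest(password: str, alg: str = "sha1") -> str:
    """Plain SHA-1 or MD5 hex digest, the only forms the text says GADS can read."""
    if alg not in ("sha1", "md5"):
        raise ValueError("GADS password sync is limited to sha1 or md5")
    return hashlib.new(alg, password.encode("utf-8")).hexdigest()


def salted_digest(password: str, salt: bytes, alg: str = "sha256") -> str:
    """Salted digest (salt prepended), as a modern directory would store a password."""
    return hashlib.new(alg, salt + password.encode("utf-8")).hexdigest()


def find_shared_passwords(digests: dict) -> dict:
    """Group usernames by identical digest. With unsalted hashes a shared
    password is visible to anyone holding the hashes, without cracking anything."""
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def demo():
    """Return the shared-password groups for unsalted and salted storage."""
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_ACCOUNTS.items()}
    # A fresh random 16-byte salt per account, as a proper scheme would use.
    salted = {u: salted_digest(p, secrets.token_bytes(16)) for u, p in SAMPLE_ACCOUNTS.items()}
    return find_shared_passwords(unsalted), find_shared_passwords(salted)


if __name__ == "__main__":
    shared_unsalted, shared_salted = demo()
    print("unsalted collisions:", shared_unsalted)  # alice and bob are exposed
    print("salted collisions:  ", shared_salted)    # empty: salts hide the reuse
```

Running it shows alice and bob grouped together under unsalted SHA-1, while the salted column reveals nothing, which is the property lost when a sync tool can only consume unsalted SHA-1 or MD5.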
A Modern, Alternate Approach to Managing G Suite: JumpCloud
Modern, cloud-forward companies – especially those that are eliminating much of their on-premises or internally managed applications and services – do have other means to control and manage the identities governing their G Suite accounts along with the entire complement of their on-premises and cloud-based resources. JumpCloud is the first Directory-as-a-Service (DaaS™) provider, centralizing identity management over all IT resources from the cloud as a highly secure, simple to use, and always-on service.
In the diagram below, note the differences from the previous diagram. Key points to observe:
- Central, cloud-based identity management: eliminates on-premises directories.
- Bi-directional workflow with G Suite: no self-managed GADS utility is required, and identities can be both consumed and provisioned between JumpCloud and G Suite.
- Remote management of Mac OS X, Linux, and Windows employee workstations and other IT resources.
- Remote management of cloud-based infrastructure such as Linux and Windows servers.
Many companies feel beholden to make G Suite work with an AD or LDAP solution, as these have traditionally been the core piece of IT infrastructure for on-premises identity management. But as more and more IT resources move into the cloud, it has become more logical to rethink the traditional solution in favor of a modern one designed specifically for the cloud. A DaaS solution such as JumpCloud provides an alternative approach to Google Apps authentication that works nicely with AD or LDAP infrastructures but is not beholden to them, giving modern companies a new tool that works seamlessly with G Suite and other cloud-based resources as well as on-premises machines and networks.