G Suite Directory Service
Definition of a Directory Service
A directory service is a database that maps users, IT resources, and the relationships and access rights between the two, in one central location. IT resources can include computers, smartphones, tablets, applications, websites, file stores, and printers. The database is queried over authentication protocols such as LDAP, Kerberos, SAML, OAuth, or a wide variety of others, and the directory service responds to each query with information confirming the user's attributes and access rights, or denying access.
Directory Services in the Context of G Suite
The G Suite directory service, administered through the G Suite Admin console, provides limited directory services for the world of G Suite. From the Admin console, administrators can set up a domain for their company and assign various levels of access and permissions for users within that domain to access G Suite services, such as Hangouts, Drive, etc., in addition to attaching various attributes to their users’ profiles, such as contact details that can be searched within a shared domain directory.
A major component of the G Suite directory service is organizational units (OUs), which allow users to be grouped by a particular set of access and permission levels. OUs can be nested in a hierarchy so that access can be specified at finer levels where required. When an individual user tries to access a particular service, he or she is authenticated against the G Suite directory and then granted or refused access according to the permission and access levels assigned to that user's OU.
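The two steps above (authenticate the user, then apply the access levels of the OU the user sits in) are easy to get wrong when OUs are nested, so here is a small worked model. It is an added example written for this page, not Google's code or any part of the G Suite Admin console. It assumes, as Google Workspace OUs behave, that a child OU inherits each service setting from its parent unless it overrides that setting; the OU paths, service names, user names and passwords are constructed for illustration.

```python
"""Toy directory with nested organizational units (OUs) and an
authenticate-then-authorize access check.

Added example for illustration; not G Suite's own implementation.
Assumption: a child OU inherits its parent's per-service settings and
may override them. All names below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class OrgUnit:
    path: str                                   # e.g. "/", "/Sales", "/Sales/EMEA"
    parent: Optional["OrgUnit"]
    policy: Dict[str, bool] = field(default_factory=dict)  # service -> enabled?

    def effective_policy(self) -> Dict[str, bool]:
        """Merge settings from the root down to this OU; the most specific OU wins."""
        chain = []
        node: Optional[OrgUnit] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged: Dict[str, bool] = {}
        for ou in reversed(chain):            # root first, leaf last
            merged.update(ou.policy)
        return merged


@dataclass
class User:
    name: str
    ou: OrgUnit
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, ou: OrgUnit, password: str) -> User:
    salt = os.urandom(16)
    return User(name, ou, salt, _hash(password, salt))


def authenticate(directory: Dict[str, User], name: str, password: str) -> Optional[User]:
    """Step 1: prove the caller is who they claim to be (constant-time compare)."""
    user = directory.get(name)
    if user is None:
        return None
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        return None
    return user


def check_access(directory: Dict[str, User], name: str, password: str, service: str) -> bool:
    """Step 2: look up the effective OU policy; unknown services are denied."""
    user = authenticate(directory, name, password)
    if user is None:
        return False
    return user.ou.effective_policy().get(service, False)


def build_demo() -> Dict[str, User]:
    """Constructed directory: root enables drive and hangouts, disables sites;
    /Sales turns sites on; /Sales/EMEA turns hangouts off."""
    root = OrgUnit("/", None, {"drive": True, "hangouts": True, "sites": False})
    sales = OrgUnit("/Sales", root, {"sites": True})
    emea = OrgUnit("/Sales/EMEA", sales, {"hangouts": False})
    return {
        "alice": create_user("alice", root, "correct horse"),
        "bob": create_user("bob", emea, "battery staple"),
    }


if __name__ == "__main__":
    d = build_demo()
    for who, pw in (("alice", "correct horse"), ("bob", "battery staple"), ("bob", "wrong")):
        print(who, {s: check_access(d, who, pw, s) for s in ("drive", "hangouts", "sites")})
```

The check deliberately denies by default: a wrong password, an unknown user, or a service that no OU in the chain mentions all yield False, and only an explicit True on the nearest OU grants access.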
The G Suite admin console can give most administrators a satisfactory level of control for very basic corporate IT setups that generally only depend on G Suite. However, as an organization matures and scales, its IT needs and resources generally increase as well. Best practices and basic security requirements demand that administrators control access to much more than just G Suite services, which is where the G Suite Admin console falls far short as a directory service.
Why G Suite Isn’t a Directory Service
The G Suite directory service is more accurately described as a contact database for users within a domain that also controls those users' access to G Suite services; authenticating for anything beyond that is frankly outside its scope. Many third-party web apps have built in the functionality to authenticate against the G Suite directory using OAuth, but authenticating users for resources that rely on other protocols such as LDAP or SAML is challenging, since G Suite does not support them. Such resources include internal as well as cloud servers, WiFi and RADIUS networks, Windows, Mac, or Linux systems, and other common IT resources.
Extending Directory Services to G Suite
Given the limitations of G Suite as a directory, IT Administrators have a few options:
IT administrators can develop their own scripts to create a translation layer between OAuth used by Google and other protocols. However, this is a highly manual process, and many organizations do not have the technical capabilities. Even if they do, their resources are better spent elsewhere, and an internal directory would still be needed to keep track of users.
G Suite Directory Sync (GADS) is a piece of middleware that organizations can host and manage themselves in order to connect other on-premises directories, such as Microsoft Active Directory (AD), to the G Suite directory. This option is also resource-intensive, but it allows companies that already have an LDAP-based directory to create a one-way bridge into G Suite, meaning that AD user profiles, for example, can be pushed into Google, but not vice-versa.
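To make the "one-way bridge" concrete, the following is an added example (not GADS's code, and not a description of its internals) of the reconciliation logic such middleware performs: the on-premises directory is treated as the source of truth, differences are pushed into the cloud directory, and any edit made cloud-side is overwritten on the next run rather than pulled back. Accounts missing from the source are suspended, not deleted, which is the conservative choice. All account records are constructed for illustration.

```python
"""One-way directory reconciliation: source of truth -> cloud directory.

Added example, not GADS or any vendor's code. Demonstrates the
one-way bridge described on the page: changes flow from the
on-premises directory into the cloud directory only.
All records below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Attributes that the source directory is authoritative for.
SYNCED_FIELDS = ("name", "ou", "suspended")


@dataclass(frozen=True)
class Account:
    email: str
    name: str
    ou: str
    suspended: bool = False


Plan = Tuple[List[Account], List[Account], List[Account]]


def plan_sync(source: Dict[str, Account], target: Dict[str, Account]) -> Plan:
    """Return (create, update, suspend) lists needed to make target match source.

    Never deletes a target account and never writes anything back to source.
    """
    create: List[Account] = []
    update: List[Account] = []
    suspend: List[Account] = []

    for email, src in source.items():
        tgt = target.get(email)
        if tgt is None:
            create.append(src)
            continue
        if any(getattr(src, f) != getattr(tgt, f) for f in SYNCED_FIELDS):
            # Cloud-side edits to synced fields are overwritten from source.
            update.append(replace(tgt, **{f: getattr(src, f) for f in SYNCED_FIELDS}))

    for email, tgt in target.items():
        if email not in source and not tgt.suspended:
            # Gone from source: suspend so data is kept but sign-in is blocked.
            suspend.append(replace(tgt, suspended=True))

    return create, update, suspend


def apply_sync(target: Dict[str, Account], plan: Plan) -> Dict[str, Account]:
    """Apply a plan to a copy of the target directory and return the new state."""
    create, update, suspend = plan
    new = dict(target)
    for acct in create + update + suspend:
        new[acct.email] = acct
    return new


def demo() -> Dict[str, Account]:
    """Constructed run: alice was renamed cloud-side, bob is new on-prem,
    carol exists only in the cloud."""
    source = {
        "alice@example.com": Account("alice@example.com", "Alice Adams", "/Sales"),
        "bob@example.com": Account("bob@example.com", "Bob Brown", "/Eng"),
    }
    target = {
        "alice@example.com": Account("alice@example.com", "Alice A.", "/Sales"),
        "carol@example.com": Account("carol@example.com", "Carol Cole", "/Eng"),
    }
    return apply_sync(target, plan_sync(source, target))


if __name__ == "__main__":
    for acct in demo().values():
        print(acct)
```

Running plan_sync a second time against the result yields an empty plan, which is the property a sync job should have: a run that changes nothing on the source side changes nothing on the target side either.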
A few other third-party solutions, such as those provided by some single sign-on providers, exist and provide similar functionality to GADS, but nearly all depend on an existing, on-premises directory solution. In addition, this is only a partial fix: additional hurdles remain if users also need to be managed on Mac or Linux systems, for example.
A Directory-as-a-Service® (DaaS) solution is a more modern approach to solving the problem that avoids the need for on-premises or middleware solutions altogether. JumpCloud’s DaaS solution can import the G Suite directory and centralize it under a cloud-based directory that has multi-protocol authentication layers already built in, allowing it to take the same credentials used to authenticate against G Suite to also authenticate against internal servers, RADIUS networks, laptops and PCs using Windows, Mac, or Linux systems, and nearly any other IT resource.
The solutions aimed at G Suite directory services have traditionally been focused on attempting to leverage an existing AD or LDAP infrastructure. However, with many modern companies leveraging cloud solutions like G Suite, it defeats the purpose to move to an on-premises directory. JumpCloud has reimagined AD and LDAP in the cloud, providing a true G Suite directory service that can also securely manage and connect employees to all of their other IT devices, applications, and networks.