Three Ways to Integrate Active Directory with Your SaaS Applications
Challenges of Software as a Service
The adoption rate of software as a service (SaaS) has been dramatic in recent years, more so in 2020. In a recent study, 54 percent of IT and security leaders confirmed that the COVID epidemic accelerated the migration of user workflows to cloud-based apps. Trials of applications like Salesforce, AWS, and Workday have transitioned to enterprise-wide deployments, and many organizations have adopted “SaaS first” policies.
However, SaaS adoption is not without its challenges. SaaS applications tend to be siloed, which has made managing user access and authorization an increasing challenge. Onboarding users is a time-intensive, manual process that involves administrators across multiple departments, and this can introduce security risks. For example, because there is frequently no central user directory, access is often not revoked right away when an employee leaves the company, so the former employee retains access to critical systems. And while Zero Trust, which discards the idea of a trusted internal network, has been a boon to productivity, it poses adoption challenges. IT departments must find a way to harness the benefits of SaaS while minimizing business risk.
The Importance of Active Directory Integration
For years, in most enterprises, Microsoft Active Directory (AD) has been the authoritative user directory that governs access to basic IT services. But AD has proven to be a challenge to cloud adoption. SaaS applications have their own native user directories and often are not connected to Active Directory. This is because AD was built to control access to a broader set of business applications and IT systems; it was not designed to live in the cloud or to integrate easily with cloud applications.
AD’s future is not guaranteed, and yet many companies are still using it today. Thus it is critical for IT to find ways of seamlessly integrating their applications with AD. As SaaS application usage grows, this duplication of user directories causes complication and hassle for both IT departments and users. Users have to remember user IDs and passwords not only for their Windows network but for each SaaS application as well. IT has to create and manage user accounts in both Active Directory and numerous SaaS applications, and must manually map AD users to corresponding accounts in those applications.
Managing multiple separate cloud user directories in addition to Active Directory can easily lead to a set of untenable security and access management challenges. To help customers move to the cloud, seamless integration with AD is a must for any solution used to manage access and authorization to SaaS applications.
True integration with Active Directory must address all of these challenges and provide:
- Two-way user and group synchronization: As users and groups are added to and removed from AD, these changes should be reflected in the SaaS applications. In specific cases, SaaS applications should be able to push user profiles and groups to AD.
- Access provisioning and deprovisioning: When a user is added to AD, the relevant SaaS applications should be automatically provisioned and, conversely, when a user is removed from AD, SaaS access should be automatically revoked.
- Single sign-on (SSO): Users should be able to sign on to the Windows network once, and then easily access their SaaS applications without having to enter an additional set of credentials.
There are three different options for integrating Active Directory with SaaS applications that meet the requirements above with varying degrees of success.
Option 1: Independent Integrations with AD
Some of the largest and most established SaaS applications offer their own AD integration tool, or they expose an API that allows you to develop a custom integration with Active Directory yourself. Google Workspace, Microsoft Azure AD, and Salesforce.com are all prominent examples of this approach, and all have notable issues.
Google Cloud Directory Sync provides one-way pushing of users from Active Directory into a Google Workspace account. It presents a flexible way to define which users (and user attributes) are imported. However, setup and administration are completely separate from the Google Workspace administration console, which forces admins to manage this from a locally installed utility instead. There is no concept of ongoing synchronization (synchronization must be triggered manually), and more importantly, this tool does not support single sign-on. To provide SSO, organizations must use yet another third-party solution, which results in two separate administration models and user stores for SSO and user management.
Microsoft Azure AD Connect also provides one-way pushing of users from Active Directory into Azure AD. Administrators can use this tool to both provision and deprovision users in Azure AD (Microsoft 365) when they are added to or removed from Active Directory. Similar to the Google Workspace tool, it is decoupled from the primary administration experience and managed via the on-premises utility. It also does not provide SSO, again resulting in two separate administration models and user stores.
Salesforce.com offers Identity Connect at additional licensing cost. The setup, however, is complex and siloed from the Salesforce administrative experience—you have to manag