
The Top 3 Identity Management Considerations When Implementing Google Apps for the Enterprise


Academic year: 2021


www.onelogin.com | 150 Spear Street, Suite 1400, San Francisco, CA 94105 | 855.426.7227


Google Apps for Work (formerly known as Google Apps) is quickly becoming one of the most popular cloud-based solutions on the market today. It continues to lack, however, basic features and functionality that enable IT to operate effectively in enterprise environments and ensure the security of information accessed through the Apps.

To populate user identities into Google Apps, Google Apps for Work requires integration into the enterprise identity repository via Google Apps Directory Services (GADS). GADS is used to replicate the existing Active Directory or LDAP-compliant user identities and access permissions to the Google Apps domain. IT organizations attempting to secure Google Apps with GADS are often challenged by its limited scalability, delayed on- and off-boarding, and lack of desktop Single Sign-On (SSO).

This paper details these three significant GADS limitations and their potential impact.


Limited Enterprise Scalability

To enable Google Apps for business users, additional technology must be deployed to meet the basic operational requirements of the enterprise. Specifically, this includes:

Google Apps Directory Services (GADS), to replicate identities and permissions to the Google Apps domain, and

Google Apps Password Sync (GAPS), a tool required for passwords to work across both AD and Google Apps.

GADS performs directory synchronization by comparing any changes in the local Active Directory or LDAP compliant server to the Google Apps domain. It then updates the changes on a periodic basis using Windows Task Scheduler or a cron job. For something as mission critical as directory synchronization, an external application such as Windows Task Scheduler is required for constant monitoring to ensure the synchronization is actually taking place.

Unfortunately, GADS has a number of limitations for larger organizations using multiple AD domains, as GADS can only support one Active Directory domain and a single forest by default. Multiple AD domains can be synchronized with GADS, but the process is very complex and requires extensive knowledge of LDAP query scripting. The more domains added, the greater the complexity incurred and the potential for errors during the synchronization process.


Directory Synchronization is Network Intensive and Not Real-Time

One of the most significant limitations when considering GADS for directory synchronization is delayed on- and off-boarding. Scheduled processing of any changes between an organization’s directory services and Google Apps for Work does not happen in real-time, leaving users and access permissions in limbo until updates from the identity repository to the application infrastructure are fully propagated.

In addition, passwords between Active Directory and Google Apps are not automatically synchronized, as the native Active Directory and Lotus Domino password formats are not supported. Therefore, a secondary application - Google Apps Password Sync (GAPS) - is required for passwords to work across both AD and Google Apps, with all required password changes performed in Active Directory. This requirement for password synchronization adds an additional application for IT to manage and a potential point of failure, further increasing the burden on IT and their workload overall.


Desktop Single Sign On Requirements for Windows Environments?

Originally developed a number of years ago, GADS appears to receive an update only once a year and has not received any new features or updates since July 2013. An inconsistent development cycle with limited project resources has left GADS lacking a number of critical enterprise features and bugfix responses that are required in critical enterprise deployments.

For example, GADS does not support Kerberos-based authentication. This is a baseline requirement in many Windows-centric enterprise environments moving towards SSO. Kerberos-based authentication allows a user already authenticated into a Windows network to seamlessly authenticate to other application resources via Active Directory - without submitting their login credentials twice.


OneLogin is an Enterprise Identity Management Solution for Google Apps for Work

Unlike GADS, OneLogin handles complex directory structures, delivers instant user on- and off-boarding, is lightweight on your network and provides desktop SSO. In addition, OneLogin provides SSO for all your apps, mobile identity, cloud directory, strong authentication, user provisioning, compliance reporting and is free forever for up to 3 applications, including Google Apps for Work.

IS THERE SUCH A THING AS SECURE GOOGLE APPS AT WORK? ONELOGIN IS THE ANSWER.


OneLogin Handles Complex Directory Structures

OneLogin can virtually consolidate multiple disparate identity repositories and present them as a single unified directory to thousands of different cloud applications in real time. This real-time directory integration means that all directories are updated whenever user modifications are made - with changes propagating through to connected services like Google Apps within seconds.


OneLogin Delivers Instant Off-Boarding

With OneLogin, you can also instantly enable or disable application access and the automatic synchronization between Workday, AD and other cloud apps, providing enterprises with an effective kill switch for off-boarding. This capability is critical for eliminating backdoor access to Google Apps through protocols like IMAP and POP3, and with it unauthorized access.


OneLogin Delivers Desktop Single Sign On

For employees on a OneLogin-enabled corporate network, there’s no longer the need for additional usernames and passwords to access cloud-based applications. Users can use their Windows credentials via Desktop SSO from either a PC or Mac to seamlessly access Google Apps and other SaaS applications by delegating authentication via Windows Active Directory.


The limitations of Google Apps Directory Services (GADS) when deployed in an enterprise environment are clear.

The lack of basic features and functionality required for Google Apps for Work to operate effectively with your existing identity infrastructure and ensure the security of information can challenge even the most experienced IT department.

OneLogin offers a compelling alternative without the limitations of GADS, offering full enterprise Identity and Access Management (IAM) and Desktop SSO for Google Apps for Work deployments in multi-domain AD environments.


OneLogin is the innovator in enterprise identity management and provides the industry’s fastest, easiest and most secure solution for managing internal and external users across all devices and applications.

The only Challenger in Gartner’s IDaaS MQ, considered a “Major Player” in IAM by IDC, and Ranked #1 in Network World Magazine’s review of SSO tools, OneLogin’s cloud identity management platform provides secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAML-enabled and pre-integrated with thousands of applications commonly used by today’s enterprises, including Microsoft Office 365, Asure Software, BMC Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC Syncplicity, EchoSign, Google Apps, Jive, Innotas, LotusLive, NetSuite, Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors, WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. is backed by CRV and The Social+Capital Partnership.
