In a majority of today’s enterprise environments Microsoft Active Directory is used as the primary directory service. This worked very well in the past 17 years, due to its ability to centralize user and device management and provide a clear hierarchical structure of enterprise resources.
However, today’s modern workplace introduces new requirements, which are hard to be met with traditional concepts. To understand these challenges a little bit better, lets first discuss the main tasks of a directory service:
- Authenticate users
- Authorize users to applications
A traditional on premise directory service like Microsoft AD can fulfill these tasks well as long as we are mainly dealing with non-mobile desktop computers and internal applications based on a corporate network.
But today’s world is different.
The mobile workforce is not only using mobile computers like laptops or MacBooks, it more and more does not use any computers at all, but mobile devices like tablets and smartphones. Although mobile accounts (in Active Directory) is a workaround to solve the fact that more and more computers are not connected to the internal network when users log on, admins know the pain of cached credentials and the consequence of hanging machines waiting for timeouts while trying to reach a domain controller. The problem even increased since laptops are just put into sleep mode rather than shut down.
Beside the user behavior, also the application landscape has changed dramatically. Client / server applications are exchanged by web based apps, which tend to be more often off premise (cloud Software as a Service). While internal client/server software was mainly based on Kerberos authentication, web based SaaS offerings use different, more Internet compatible authentication protocols like SAML or OAuth.
In a nutshell, the modern workplace requires a different set on functionality:
- Support for the mobile workforce on devices connected to the Internet
- Support for Internet based SaaS applications using SAML/OAuth authentication protocols
Internet based directory services try to meet these requirements. As their name implies, these directory services are accessible from the Internet and therefore provide authentication services regardless if the user is in the internal corporate network or on the Internet. Furthermore they are designed to federate with SaaS applications and provide single sign on to internal and external web applications.
Even Microsoft understood the importance of Directory as a Service for the future workplace. Azure AD is Microsoft’s DaaS implementation, highly integrated in the Windows 10 platform. A Windows 10 device can be bound easily to Azure AD. The built in mechanism enables a user to logon to the device with his/her Azure AD credentials. The basic concept is similar to Active Directory mobile accounts. When the device is not online (or cannot reach Azure AD), cached credentials are used to authenticate the user. But, this new implementation of the mobile accounts can handle network switches while on standby far better than AD did in the past.
Independent DaaS providers are introducing more OS agnostic concepts. Jumpcloud for example, works with pure local accounts. It controls those accounts through an agent installed on the device. Local accounts work best in an offline / Internet based scenario as they don’t require any network connectivity or reachable infrastructure. The combination of local accounts and central management of them is an interesting best of both worlds approach. Furthermore, as local accounts exists on macOS and Linux, too, this solution is not limited to Windows devices only.
On premise directory solutions will have more and more problems to fulfill future requirements the modern workplace and application landscape will demand. The introduction of an Internet Directory or Directory as a Service offering will help getting the best out of the modern workplace and enables the seamless integration with Internet based SaaS applications.