The Cloud Identity Summit was a free event focused on exchange between the participants. The group of participants was very international and came from different areas and industries. The very interesting questions resulted in many discussions that were.
Cloud Identity is Google's Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google.
The first step in designing a hybrid identity solution is to determine the requirements of the business organization that will be leveraging the solution. Hybrid identity starts in a supporting role (it supports all other cloud solutions by providing authentication) and goes on to provide new capabilities that unlock new workloads for users. The workloads or services that you wish to adopt for your users will dictate the requirements for the hybrid identity design. These services and workloads need to leverage hybrid identity both on-premises and in the cloud.
You need to go over these key aspects of the business to understand what is a requirement now and what the company plans for the future. If you don't have visibility into the long-term strategy for hybrid identity design, chances are that your solution will not scale as business needs grow and change. The diagram below shows an example of a hybrid identity architecture and the workloads that are being unlocked for users. This is just an example of the new possibilities that can be unlocked and delivered with a solid hybrid identity strategy.
Some components that are part of the hybrid identity architecture
Determine business needs
Each company will have different requirements; even companies in the same industry may have different real business requirements. You can still leverage best practices from the industry, but ultimately it is the company's business needs that will lead you to define the requirements for the hybrid identity design.
Make sure to answer the following questions to identify your business needs:
- Is your company looking to cut IT operational cost?
- Is your company looking to secure cloud assets (SaaS apps, infrastructure)?
- Is your company looking to modernize your IT?
- Are your users more mobile and demanding that IT create exceptions in your DMZ to allow different types of traffic to access different resources?
- Does your company have legacy apps that need to be published to these modern users but are not easy to rewrite?
- Does your company need to accomplish all these tasks and bring them under control at the same time?
- Is your company looking to secure users' identities and reduce risk by bringing tools built on Microsoft's Azure security expertise on-premises?
- Is your company trying to get rid of the dreaded "external" accounts on-premises and move them to the cloud, where they are no longer a dormant threat inside your on-premises environment?
Analyze on-premises identity infrastructure
Now that you have an idea of your company's business requirements, you need to evaluate your on-premises identity infrastructure. This evaluation is important for defining the technical requirements to integrate your current identity solution with the cloud identity management system. Make sure to answer the following questions:
- What authentication and authorization solution does your company use on-premises?
- Does your company currently have any on-premises synchronization services?
- Does your company use any third-party Identity Providers (IdP)?
You also need to be aware of the cloud services that your company might already be using. Performing an assessment to understand the current integration with SaaS, IaaS or PaaS models in your environment is very important. Make sure to answer the following questions during this assessment:
- Does your company have any integration with a cloud service provider?
- If yes, which services are being used?
- Is this integration currently in production or is it a pilot?
Note
Cloud Discovery analyzes your traffic logs against the Microsoft Cloud App Security cloud app catalog of over 16,000 cloud apps, each ranked and scored on more than 70 risk factors, to give you ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses to your organization. To get started, see Set up Cloud Discovery.
Evaluate identity integration requirements
Next, you need to evaluate the identity integration requirements. This evaluation is important to define the technical requirements for how users will authenticate, how the organization’s presence will look in the cloud, how the organization will allow authorization and what the user experience is going to be. Make sure to answer the following questions:
- Will your organization be using federation, standard authentication or both?
- Is federation a requirement, because of any of the following?
- Kerberos-based SSO
- Your company has on-premises applications (either built in-house or third-party) that use SAML or similar federation capabilities.
- MFA via smart cards, RSA SecurID, etc.
- Client access rules that address the questions below:
- Can I block all external access to Microsoft 365 based on the IP address of the client?
- Can I block all external access to Microsoft 365, except Exchange ActiveSync?
- Can I block all external access to Microsoft 365, except for browser-based apps (OWA, SPO)?
- Can I block all external access to Microsoft 365 for members of designated AD groups?
- Security/auditing concerns
- Already existing investment in federated authentication
- What name will our organization use for our domain in the cloud?
- Does the organization have a custom domain?
- Is that domain public and easily verifiable via DNS?
- If it is not, then do you have a public domain that can be used to register an alternate UPN in AD?
- Are the user identifiers consistent for cloud representation?
- Does the organization have apps that require integration with cloud services?
- Does the organization have multiple domains and will they all use standard or federated authentication?
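A practical way to answer the domain and identifier questions above (is the custom domain verifiable in DNS, is an alternate UPN suffix needed, are user identifiers consistent) is to audit an export of your AD users before you synchronize anything. The following Python is an added example, not code from Microsoft's guidance: the CSV export, the list of non-routable suffixes and the function names are constructed for illustration, and the UPN prefix character rule is an assumption to re-check against current documentation.

```python
"""Audit an on-premises AD user export for UPNs that will not map cleanly to
a verified cloud domain. Added example with constructed data; not code from
the original page."""
import csv
import io
import re
from collections import Counter

# Suffixes that cannot be resolved in public DNS and therefore cannot be
# verified as a custom domain in the cloud tenant (assumed list; extend it
# with whatever your forest uses).
NON_ROUTABLE_TLDS = {"local", "corp", "internal", "lan", "home", "localdomain"}

# Characters accepted in a UPN prefix (assumption, based on Microsoft's
# published guidance; re-check before relying on it).
UPN_PREFIX_RE = re.compile(r"^[A-Za-z0-9'.\-_!#^~]+$")

# Constructed export, shaped like a Get-ADUser | Export-Csv run.
# Hypothetical accounts, not from any real directory.
SAMPLE_EXPORT = """samAccountName,userPrincipalName,mail
jdoe,jdoe@contoso.local,jane.doe@contoso.com
asmith,asmith@contoso.com,asmith@contoso.com
ASMITH,ASmith@contoso.com,asmith@contoso.com
bwong,bwong@fabrikam.net,bwong@fabrikam.net
cjones,cjones,cjones@contoso.com
svc-backup,svc-backup@contoso.com,
"""


def upn_suffix(upn: str) -> str:
    return upn.rpartition("@")[2].lower()


def audit_upns(csv_text: str, verified_domains) -> list:
    """Return (samAccountName, finding) pairs for every user whose UPN would
    not synchronize as-is to a tenant that has verified `verified_domains`."""
    verified = {d.lower() for d in verified_domains}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Duplicate detection is case-insensitive, as cloud directories treat UPNs.
    seen = Counter(r["userPrincipalName"].strip().lower() for r in rows)
    findings = []
    for r in rows:
        sam = r["samAccountName"].strip()
        upn = r["userPrincipalName"].strip()
        mail = r["mail"].strip()
        if "@" not in upn:
            findings.append((sam, "malformed_upn"))
            continue
        prefix, _, suffix = upn.rpartition("@")
        suffix = suffix.lower()
        if not UPN_PREFIX_RE.match(prefix):
            findings.append((sam, "invalid_upn_prefix"))
        if suffix.rsplit(".", 1)[-1] in NON_ROUTABLE_TLDS:
            findings.append((sam, "non_routable_suffix"))
        elif suffix not in verified:
            findings.append((sam, "unverified_suffix"))
        if mail and mail.lower() != upn.lower():
            findings.append((sam, "upn_mail_mismatch"))
        if seen[upn.lower()] > 1:
            findings.append((sam, "duplicate_upn"))
    return findings


def suggest_upn(row: dict, verified_domains) -> "str | None":
    """If the user's mail address already sits in a verified domain it is the
    obvious candidate for the alternate UPN; otherwise there is nothing to suggest."""
    verified = {d.lower() for d in verified_domains}
    mail = row.get("mail", "").strip()
    if "@" in mail and upn_suffix(mail) in verified:
        return mail
    return None


def summarize(findings) -> dict:
    """Count findings per category for a quick before/after comparison."""
    return dict(Counter(code for _, code in findings))


if __name__ == "__main__":
    found = audit_upns(SAMPLE_EXPORT, ["contoso.com"])
    for sam, code in found:
        print(f"{sam:12s} {code}")
    print(summarize(found))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and passing the list of domains already verified in the tenant; every `non_routable_suffix` hit is a user who needs an alternate UPN suffix registered in AD before synchronization.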
Evaluate applications that run in your environment
Now that you have an idea regarding your on-premises and cloud infrastructure, you need to evaluate the applications that run in these environments. This evaluation is important to define the technical requirements to integrate these applications to the cloud identity management system. Make sure to answer the following questions:
- Where will our applications live?
- Will users be accessing on-premises applications? In the cloud? Or both?
- Are there plans to take the existing application workloads and move them to the cloud?
- Are there plans to develop new applications that will reside either on-premises or in the cloud that will use cloud authentication?
Evaluate user requirements
You also have to evaluate the user requirements. This evaluation is important to define the steps that will be needed for on-boarding and assisting users as they transition to the cloud. Make sure to answer the following questions:
- Will users be accessing applications on-premises?
- Will users be accessing applications in the cloud?
- How do users typically log in to their on-premises environment?
- How will users sign-in to the cloud?
Note
Make sure to take notes of each answer and understand the rationale behind it. The section on determining incident response requirements goes over the options available and the pros and cons of each. Having answered these questions, you will be able to select the option that best suits your business needs.
Integrating with Cloud Identity Providers, which is similar to integrating with an LDAP directory service, allows you to do the following:
Look up and populate user information from the secure LDAP service for inventory purposes.
Add Jamf Pro user accounts or groups from the secure LDAP service.
Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.
Require users to log in during mobile device setup using their LDAP directory accounts.
Base the scope of remote management tasks on users or groups from the secure LDAP service.
To integrate Jamf Pro with a Cloud Identity Provider you need to provide detailed information about the identity provider and upload a keystore or certificate file.
Jamf Pro allows you to integrate with Google's secure LDAP service, which is part of G Suite Enterprise and Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing.
Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50) error code is displayed in Jamf Pro logs. For information on Secure LDAP service error codes, see the following documentation from Google: https://support.google.com/a/answer/9167101
Cloud Identity Free or G Suite Basic/Business assigned users display in user lookup results and you can add them as Jamf Pro LDAP accounts.
Google's secure LDAP service requires a different configuration than standard LDAP servers. For instructions on how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access permissions, and download the generated certificate, see the following documentation from Google: https://support.google.com/cloudidentity/answer/9048516
After you have added Jamf Pro as an LDAP client, you need to generate the .p12 keystore file. For more information, see the Generating the PKCS12 Keystore File When Integrating Google Cloud Identity Provider with Jamf Pro Knowledge Base article.
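The page defers the keystore step to a Knowledge Base article. As an added example (not Jamf's or Google's code), the following Python uses the `cryptography` package to package a PEM certificate and private key into a password-protected PKCS12 keystore and then read it back as a pre-upload check. The self-signed pair it generates is a constructed stand-in; the function names and the `google-secure-ldap-client` friendly name are this example's own. In real use you would load the certificate and key that Google generated when you added Jamf Pro as an LDAP client instead of calling the generator.

```python
"""Build the .p12 keystore the Cloud Identity Provider form accepts and
verify it before uploading. Added example; not Jamf's or Google's code.
Requires the `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_stand_in_client_identity(common_name: str = "jamf-pro-ldap-client"):
    """Constructed test material only. In real use, read the PEM certificate
    and key that Google issued for the LDAP client instead of calling this."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        # Google's LDAP client certificates are used for TLS client auth.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert_pem, key_pem


def build_pkcs12_keystore(cert_pem: bytes, key_pem: bytes, password: bytes,
                          friendly_name: bytes = b"google-secure-ldap-client") -> bytes:
    """Package cert + key into a password-protected PKCS12 blob."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    # Refuse to package a key that does not belong to the certificate; the TLS
    # handshake to the LDAP service would otherwise fail with an opaque error.
    if key.public_key().public_numbers() != cert.public_key().public_numbers():
        raise ValueError("private key does not match certificate")
    return pkcs12.serialize_key_and_certificates(
        friendly_name, key, cert, None, serialization.BestAvailableEncryption(password)
    )


def inspect_keystore(p12_bytes: bytes, password: bytes) -> dict:
    """Pre-upload check: the keystore must open with the password you will
    enter in Jamf Pro, contain a private key, and be a client-auth certificate.
    A wrong password raises ValueError."""
    key, cert, _extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        client_auth = False
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return {
        "subject": cert.subject.rfc4514_string(),
        "has_private_key": key is not None,
        "client_auth": client_auth,
        "not_after": not_after.isoformat(),
        "sha256": cert.fingerprint(hashes.SHA256()).hex(),
    }


if __name__ == "__main__":
    cert_pem, key_pem = make_stand_in_client_identity()
    keystore = build_pkcs12_keystore(cert_pem, key_pem, b"change-me")
    with open("google-ldap-client.p12", "wb") as fh:
        fh.write(keystore)
    print(inspect_keystore(keystore, b"change-me"))
```

Record the `not_after` date from the check: Google's LDAP client certificates expire, and an expired keystore is the first thing to rule out when the connection verification in Jamf Pro starts failing.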
Log in to Jamf Pro.
In the top-right corner of the page, click Settings.
Click System Settings.
Click Cloud Identity Providers.
Click New.
Configure the settings on the pane. Consider the following limitations:
The display name for the configuration must be unique.
The Domain name value automatically populates the Search Base dc values on the User Mappings and User Groups Mapping tabs.
Use the Mappings pane to specify object class and search base data, and map attributes. When configuring the search base, structure the server query in the order that reflects the hierarchical structure of your directory tree to ensure the search returns correct results.
Click Save.
The LDAP server connection configuration is enabled by default. To disable the configuration, use the switch. Disabling the configuration prevents Jamf Pro from querying data from this secure LDAP server. This means you can add a different instance without deleting the current configuration.
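The two Mappings rules above (the Domain name fills in the dc components; the search base must follow the tree's hierarchy, most specific RDN first) and the user lookup filter that results from them can be checked offline. The following Python is an added example, not Jamf's or Google's code: the ou=Users / ou=Groups layout, the posixAccount and groupOfNames object classes, and the function names are assumptions to verify against the schema your LDAP client actually returns. It also shows why the user-supplied name must be escaped before it goes into the filter.

```python
"""Search-base and filter construction for a Google secure LDAP instance,
matching what the Mappings pane asks for. Added example with constructed
values; not Jamf's or Google's code."""

# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# RFC 4514: characters that must be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value that will be placed inside (attr=value)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value that will be placed inside an RDN such as ou=value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def domain_components(domain: str) -> str:
    """example.com -> dc=example,dc=com (what the Domain name field fills in)."""
    labels = [label for label in domain.strip().lower().rstrip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return ",".join(f"dc={escape_dn_value(label)}" for label in labels)


def search_base(domain: str, *path: str) -> str:
    """Compose a base DN leaf-first. `path` is given top-down the way you read
    the tree (e.g. "Users", "Contractors"); the DN lists the most specific RDN
    first and the domain's dc components last."""
    rdns = [f"ou={escape_dn_value(ou)}" for ou in reversed(path)]
    rdns.append(domain_components(domain))
    return ",".join(rdns)


def is_under_domain(base_dn: str, domain: str) -> bool:
    """Sanity check that a hand-edited search base still ends in the dc
    components derived from the Domain name field."""
    return base_dn.lower().endswith(domain_components(domain))


def user_lookup(domain: str, username: str, object_class: str = "posixAccount",
                uid_attr: str = "uid") -> dict:
    """The query issued for a user login or lookup: one equality assertion on
    the uid, with the user-supplied name escaped (assumed ou=Users layout)."""
    flt = (f"(&(objectClass={escape_filter_value(object_class)})"
           f"({uid_attr}={escape_filter_value(username)}))")
    return {"base": search_base(domain, "Users"), "scope": "subtree", "filter": flt}


def group_membership_lookup(domain: str, member_dn: str, object_class: str = "groupOfNames",
                            member_attr: str = "member") -> dict:
    """Groups containing a given member DN (assumed ou=Groups layout)."""
    flt = (f"(&(objectClass={escape_filter_value(object_class)})"
           f"({member_attr}={escape_filter_value(member_dn)}))")
    return {"base": search_base(domain, "Groups"), "scope": "subtree", "filter": flt}


def unsafe_user_filter(username: str) -> str:
    """What NOT to do: raw concatenation lets a username such as '*)(uid=*'
    widen the filter so that it matches every user."""
    return f"(&(objectClass=posixAccount)(uid={username}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of (attr=value) assertions: unescaped '(' minus the outer '&'."""
    return ldap_filter.count("(") - 1


if __name__ == "__main__":
    print(search_base("corp.example.com", "Users", "Contractors"))
    print(user_lookup("example.com", "*)(uid=*")["filter"])
    print(assertion_count(unsafe_user_filter("*)(uid=*")), "assertions without escaping")
```

When the Test pane returns the wrong user or no user, compare the base DN Jamf Pro shows against `search_base(...)` for your tree; an OU listed in the wrong order is the usual cause.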
You can also configure attribute mappings for your Google secure LDAP service instance using the Jamf Pro API. For more information, see the Configuring Cloud Identity Provider Attribute Mappings Using Jamf Pro API Knowledge Base article.
Saving an LDAP server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.
Important: In large environments, the verification process for valid configurations may fail. Ensure the values in the form are correct and try saving the configuration again.
When troubleshooting a failed connection to Google's secure LDAP service, navigate to Reports in your Google Admin console and check the LDAP audit log.
You can test the following attribute mappings:
User mappings
User group mappings
User group membership mappings
If Jamf Pro returns the appropriate information, the attributes are mapped correctly.
Log in to Jamf Pro.
In the top-right corner of the page, click Settings.
Click System Settings.
Click Cloud Identity Providers.
Click the instance name you want to test.
Click Test.
Click the appropriate tab and enter information in the fields provided.
Click Test again.
For related information, see the following sections in this guide:
Jamf Pro User Accounts and Groups
Find out how to add Jamf Pro user accounts or groups from an LDAP directory service.
Jamf Self Service for macOS User Login Settings
Find out how to require users to log in to Jamf Self Service for macOS using their LDAP directory accounts.
Jamf Self Service for iOS
Find out how to require users to log in to Jamf Self Service for iOS using their LDAP directory accounts.
Self Service Web Clip
Find out how to require users to log in to the Self Service web clip using their LDAP directory accounts.
User-Initiated Enrollment for Computers
Find out how to require users to log in to the enrollment portal using their LDAP directory accounts before enrolling their computers.
User-Initiated Enrollment for Mobile Devices
Find out how to require users to log in to the enrollment portal using their LDAP directory accounts before enrolling their mobile devices.
Mobile Device PreStage Enrollments
Find out how to require users to log in during mobile device setup using their LDAP directory accounts before enrolling their mobile devices using a PreStage enrollment.
Scope
Learn how to configure scope based on users or groups from an LDAP directory service.