Introduction
In my previous article, I described how to provision user accounts and groups from an on-premises Active Directory forest to Google Workspace. However, I realised the Password Sync feature is worth discussing in a separate article, so today's post covers that topic. It is important to consider and deploy this feature so that users can access Google applications with a single password, because Google Cloud Directory Sync doesn't sync passwords with Cloud Identity.
With this approach, users get the convenience of accessing both on-premises and Google Workspace applications using just one set of credentials.
What is Google Password Sync?
Password management can be a hassle for users who must remember multiple passwords for different accounts. Google Password Sync is a solution that automatically synchronises Google Workspace and Cloud Identity passwords with Microsoft Active Directory passwords. Whenever users change their Active Directory password, Google Password Sync immediately pushes the new password to their managed Google Account, ensuring password consistency across platforms.
It’s important to note that Google Password Sync never changes Active Directory passwords. Its sole purpose is to sync Active Directory password changes with your organisation’s Google Account, making password management hassle-free for the users.
Implementation Steps
Please find the steps given below to install the Google Password Sync feature.
- Sync users from on-premises AD with Google Workspace
- Download & install Password Sync software
- Configure Google Password Sync
- Configure user authentication method
- End-user experience
Sync users
First, we need to provision users from AD to Google Workspace. You can follow the steps by clicking the link to my article.
Install Password Sync
Download the Google Password Sync software from the provided link. There are two versions available. In this scenario, I used the 64-bit version. The installation steps are simple. You can refer to the screenshots below to understand more.




Configure Google Password Sync
To configure Google Password Sync, you need a Google Admin account and an AD domain account. All user accounts should have an email address attribute to identify Google users. Please install Password Sync on all writable domain controllers.
Log in to the domain controller where you installed Google Password Sync, then click Password Sync and refer to the following screenshots to finish the setup.
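The two prerequisites above (an email address attribute on every user and Password Sync on every writable domain controller) can be checked before you start the setup. The following PowerShell is an added example, not part of the original article or of Google's tooling; it assumes the ActiveDirectory module (RSAT) is available, and the OU in `$SearchBase` is a hypothetical placeholder.

```powershell
# Added example: pre-flight check for the Password Sync prerequisites described above.
# Requires the ActiveDirectory module; run as an account that can read the directory.
Import-Module ActiveDirectory

# Assumption: the users synced to Google live under this OU. Replace with your own.
$SearchBase = 'OU=FrontLineWorkers,DC=example,DC=com'   # hypothetical placeholder

function Get-PasswordSyncReadiness {
    param([Parameter(Mandatory)][string]$SearchBase)

    $users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties mail

    # Users without a mail attribute cannot be identified as Google users.
    $missingMail = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }

    # Two AD accounts sharing one address would both map to the same Google user.
    $duplicateMail = $users |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.mail) } |
        Group-Object { $_.mail.ToLowerInvariant() } |
        Where-Object Count -gt 1

    # A password change can be processed by any writable DC, so list them all.
    $writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

    [pscustomobject]@{
        UsersChecked  = @($users).Count
        MissingMail   = @($missingMail | Select-Object -ExpandProperty SamAccountName)
        DuplicateMail = @($duplicateMail | Select-Object -ExpandProperty Name)
        WritableDCs   = @($writableDCs | Select-Object -ExpandProperty HostName)
    }
}

$report = Get-PasswordSyncReadiness -SearchBase $SearchBase
$report | Format-List
```

Fix any accounts listed under `MissingMail` or `DuplicateMail` before configuring Password Sync, and use `WritableDCs` as the list of servers that need the installer.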









Configure user authentication method
Finally, you must create a Single Sign-On profile to allow FRONTLINEWORKERS to sign in directly with Google. This will enable them to use Google authentication. You can instead redirect users to third-party IdP services or Active Directory Federation Services in combination with SAML federation. However, we are not covering federation in this article as we use the Google authentication method.
To do that, sign in to the Google Admin Console and navigate to Security -> Single sign-on (SSO) with third-party identity providers (IDPs).
Search for the "Front Line Users" group (at the left) and select "None" on the SSO profile assignment (at the right). Keep in mind that these settings will override the organisation's SSO profile. Also, it is not possible to enable SSO for a single user. If you want, you can create multiple SSO profiles for different Organisation Units or Groups. In our scenario, we are enabling SSO for FRONTLINE WORKERS.

End-user experience
To assess the user experience, we can test by accessing Google Drive. This test involves changing the password of a user account in on-premises AD and attempting to access Google Drive using the same password after a few seconds. This will help us evaluate the system's response to password changes, a critical aspect of user security.
I have created a short video clip to help you understand this better.
I want to thank you for taking the time to read this article. Your attention means a lot to me!




