Achieve Perfect Single Sign-On Between Google and MS AD

Fredrick Sachita
Nov 26, 2021

Google Credential Provider for Windows (GCPW) + Google Cloud Directory Sync (GCDS)

Google Credential Provider for Windows (GCPW) is a single sign-on (SSO) solution that lets corporate admins manage access security, push Windows settings and, if needed, wipe device data remotely. GCPW runs on the supported Windows 10 editions listed at the end of this post and can be configured so that users’ Google Accounts are associated with their Active Directory or local Windows profiles. With this authentication approach, Google lets its Google Workspace customers move away from Active Directory while keeping the sign-in experience users already know, now backed by Google Workspace tools.

For Google Workspace administrators, and for every company administrator, ensuring security and ease of access for users is paramount, whether the devices are company-owned or personal and whatever operating system (OS) they run. When it comes to strengthening security on Microsoft Windows devices, we at PawaIT Solutions Ltd recommend setting up Google Credential Provider for Windows (GCPW).

Google Credential Provider for Windows (GCPW) lets users sign in to Windows devices with the Google Account that they use for work. GCPW gives users a single sign-on experience to Google services, together with all the security features available with their Google Account. Admins can deploy and manage GCPW right from the Admin console, which makes using Windows 10 devices with Workspace easier and more secure.

Associating your Google Workspace profile with your AD (Active Directory) profile lets you sign in to your existing AD profile without a new Windows profile being created at login. GCPW associates a user’s Google Account with an existing local (workgroup) or AD Windows profile based on a custom attribute you add to the user in the Google Workspace Admin console directory. The custom attribute specifies the user’s username for their local workgroup or AD Windows profile.

Once the profiles are associated, signing in with either the Windows AD credentials or the Google Workspace account takes the user to the same profile. Google 2-Step Verification protects the Google sign-in, and because the Windows profile stays in place the user can still sign in while offline (until any online sign-in requirement you configure expires): two layers of security. You can then manage some policies for your Google Workspace users through their Chrome profiles, because when a user signs in on their device using this SSO method they are automatically signed in to their profile in Chrome, so no second sign-in is necessary. This SSO is available on all Google Workspace plans.

Google Cloud Directory Sync (GCDS)

Google Cloud Directory Sync lets you synchronize the users, groups and other directory data in your Google Account with your Microsoft Active Directory or LDAP (Lightweight Directory Access Protocol) server: it reads from your directory and updates Google to match. GCDS does not migrate any content (such as email messages, calendar events or files) to your Google Account.

Benefits of Using GCDS

  • Runs as a utility in your server environment: includes all necessary components in the installation package and a number of features that keep your data secure. Your LDAP server data is never exposed outside your perimeter.
  • Syncs users, aliases, groups and other data with your Google Account: ensures your Google data matches that of your Active Directory or LDAP server. The synchronization is one-way, so data on your LDAP server is never updated or altered.
  • Configure rules for custom mapping: lets you configure rules for custom mapping of users, groups, non-employee contacts, user profiles, aliases, calendar resources and exceptions.
  • Use default settings to make setup easier: when using GCDS with an Active Directory server or OpenLDAP, you can set up your configuration quickly using the default values in Configuration Manager.
  • Step-by-step user interface: guides you through creating and running a synchronization, and includes a simulation stage so you can test your setup before anything changes.
  • Rules and exclusions let you omit data from a sync: set up exclusion rules to omit data such as users, profiles, groups, organizational units or calendar resources from a sync.
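Before you run the GCDS simulation, it helps to see which directory objects a user-sync rule will select and whether they are fit to sync. The PowerShell script below is an added example (not part of this post and not GCDS’s own code): it runs the same LDAP filter and search base you intend to paste into Configuration Manager, then flags the two problems that usually only show up in the simulation, users with no mail attribute and duplicate addresses. The search base, LDAP filter, domain names and the requirement for the ActiveDirectory RSAT module are assumptions made for illustration.

```powershell
# Added example: preview the scope of a GCDS user-sync rule against Active Directory.
# Not part of the original post or of GCDS itself. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders for illustration: adjust to your forest and your Google Workspace domains.
$SearchBase    = 'OU=Staff,DC=corp,DC=example,DC=com'
$GoogleDomains = @('example.com')

# Enabled user objects only: bit 2 of userAccountControl (ACCOUNTDISABLE) must be clear.
# The 1.2.840.113556.1.4.803 OID is the LDAP bitwise-AND matching rule.
$LdapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-GcdsSyncPreview {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$LdapFilter,
        [Parameter(Mandatory)][string[]]$GoogleDomains
    )
    $users = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase -Properties mail)

    # GCDS maps each user's mail attribute to the Google primary email, so every in-scope
    # user needs one, it must be unique, and it must be in a domain your Google Account owns.
    $missingMail = @($users | Where-Object { -not $_.mail })
    $withMail    = @($users | Where-Object { $_.mail })

    $domainPattern = '@(' + (($GoogleDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    $foreignDomain = @($withMail | Where-Object { $_.mail -notmatch $domainPattern })

    $duplicates = @($withMail |
        Group-Object -Property { $_.mail.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 })

    [pscustomobject]@{
        InScope       = $users.Count
        MissingMail   = @($missingMail | ForEach-Object { $_.SamAccountName })
        ForeignDomain = @($foreignDomain | ForEach-Object { $_.mail })
        DuplicateMail = @($duplicates | ForEach-Object { $_.Name })
    }
}

$preview = Get-GcdsSyncPreview -SearchBase $SearchBase -LdapFilter $LdapFilter -GoogleDomains $GoogleDomains
$preview | Format-List

if ($preview.MissingMail.Count -or $preview.DuplicateMail.Count -or $preview.ForeignDomain.Count) {
    Write-Warning 'Fix these objects in AD, or add GCDS exclusion rules for them, before running a real sync.'
}
```

Run it from a machine that can query the domain. Anything it reports under MissingMail or DuplicateMail is exactly what GCDS would reject or mis-map, and a user it lists under ForeignDomain will not land in your Google Account unless that domain is also verified there; either clean the attribute in AD or add an exclusion rule so the simulation stays clean.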

Why would you use or implement GCPW? GCPW is part of Enhanced desktop security for Windows, which makes using Windows 10 devices with Google Workspace easier and more secure. Once it is set up, users can:

  • Sign in to a Microsoft Windows 10 device using their Google Workspace Account.
  • Take advantage of security protections on Windows 10 devices, including 2-step verification (2SV) and login challenges.
  • Access Google Workspace and other single sign-on (SSO) apps without the need to re-enter their credentials.

You can configure and manage GCPW from the Google Workspace Admin console instead of editing each device’s registry settings. This makes setting up and updating GCPW deployments less manual and time-consuming, especially if you don’t have standard software deployment tools.

When working with GCPW, here are a few pointers to check:

  1. Decide on a password management strategy. When you install GCPW on a Windows 10 device, the user signs in with their Google Account password. GCPW then automatically signs the user in to their Windows profile and to Chrome Browser. For this automatic sign-in to work, the Google Account password and the Windows password must stay in sync.
  2. You can keep passwords in sync in two ways: use Google (recommended), or use a synchronization tool to push password updates from Active Directory, Azure Active Directory (Azure AD) or another third-party tool to Google.
  3. With either approach, users manage only the Google password. They can’t reset their password from the Ctrl+Alt+Delete screen on their device because GCPW blocks that feature.
  4. If some users aren’t allowed to manage their own password, such as students, you must reset and update the user’s password in the Admin console.
  5. Google Admin console for password management: recommended when associating local Windows profiles with Google Accounts.
  6. Active Directory, Azure AD or third-party tools for password management: recommended when associating AD-backed Windows profiles with Google Accounts.
  7. Make password complexity levels compatible. If the Google password requirements are weaker than the Windows requirements, a user can change their Google password to one that doesn’t meet the Windows password policy. They won’t be able to access their Windows account until they change their Google password again to one that meets the Windows requirements.
  8. Decide how to manage GCPW settings. When you set up GCPW, users can’t sign in through GCPW until you set which domains are allowed to sign in. You can also turn off automatic enrollment in Windows device management, manage automatic updates, and require online sign-in after a set time. You can manage these settings in the Admin console or in the registry settings on each device.
  9. Associate users’ Google Accounts with existing Windows profiles. If the Windows device already has a Windows profile set up for a user’s work account, you can set up GCPW to associate the existing profile with their Google Account.
  10. If you don’t associate the Windows profile with the Google Account, GCPW creates a new Windows profile for the Google sign-in. Users with local profiles can still sign in to the other profile, but AD users won’t be able to access the other profile.
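Three of the pointers above (the profile association described earlier in the post and in pointers 9 and 10, the registry-managed settings in pointer 8, and the password complexity mismatch in pointer 7) are things you can check on each device before the first GCPW sign-in. The PowerShell below is an added example, not code from this post or from Google’s GCPW tooling. It assumes the registry value names that Google publishes for GCPW (domains_allowed_to_login, enable_dm_enrollment, enable_gcpw_auto_update, validity_period_in_days under HKLM\SOFTWARE\Google\GCPW) and that the custom attribute takes the form DOMAIN\username (hostname\username for a local profile); treat both as assumptions and confirm them against the current GCPW documentation before deploying. The domain, usernames and minimum length are placeholders.

```powershell
# Added example, not part of the original post or of Google's GCPW tooling.
# Run from an elevated PowerShell on the device. Registry value names and the
# DOMAIN\username attribute format are assumptions to confirm against Google's docs.
$GcpwKey = 'HKLM:\SOFTWARE\Google\GCPW'

function Get-GcpwProfileAttributeValue {
    # Builds the "domain\username" string for the user's custom attribute (pointer 9) and
    # proves the account resolves on this machine, so a typo never ends in a stray profile
    # being created at sign-in (pointer 10).
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Domain = $env:COMPUTERNAME      # local workgroup profile by default; pass the AD NetBIOS name otherwise
    )
    $account = "$Domain\$UserName"
    try {
        $sid = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Account '$account' does not resolve on this device: $($_.Exception.Message)"
    }
    # A profile directory only exists once the user has signed in here at least once.
    $profile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$($sid.Value)'"
    [pscustomobject]@{
        AttributeValue = $account
        SID            = $sid.Value
        ProfilePath    = $profile.LocalPath      # $null means GCPW would create a new profile
    }
}

function Set-GcpwSettings {
    # Pointer 8: the per-device equivalent of the Admin console settings.
    param(
        [Parameter(Mandatory)][string[]]$AllowedDomains,
        [bool]$EnrollInDeviceManagement = $true,
        [bool]$AutoUpdate = $true,
        [int]$OnlineSignInEveryDays = 0          # 0 leaves Google's default (no forced online sign-in)
    )
    if (-not (Test-Path $GcpwKey)) { New-Item -Path $GcpwKey -Force | Out-Null }
    # Nobody can sign in through GCPW until this list is populated.
    Set-ItemProperty -Path $GcpwKey -Name 'domains_allowed_to_login' -Value ($AllowedDomains -join ',') -Type String
    Set-ItemProperty -Path $GcpwKey -Name 'enable_dm_enrollment'     -Value ([int]$EnrollInDeviceManagement) -Type DWord
    Set-ItemProperty -Path $GcpwKey -Name 'enable_gcpw_auto_update'  -Value ([int]$AutoUpdate) -Type DWord
    if ($OnlineSignInEveryDays -gt 0) {
        Set-ItemProperty -Path $GcpwKey -Name 'validity_period_in_days' -Value $OnlineSignInEveryDays -Type DWord
    }
}

function Get-GcpwSettings {
    if (-not (Test-Path $GcpwKey)) { return $null }
    Get-ItemProperty -Path $GcpwKey |
        Select-Object domains_allowed_to_login, enable_dm_enrollment, enable_gcpw_auto_update, validity_period_in_days
}

function Test-PasswordPolicyCompatibility {
    # Pointer 7: if Windows demands a longer password than Google does, a user can set a
    # Google password that Windows rejects and lock themselves out of the device.
    param([int]$GoogleMinimumLength = 8)       # the minimum you enforce in the Admin console
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }   # English locale assumed
    $windowsMin = [int](($line -split ':')[-1].Trim())
    [pscustomobject]@{
        WindowsMinimumLength = $windowsMin
        GoogleMinimumLength  = $GoogleMinimumLength
        Compatible           = ($GoogleMinimumLength -ge $windowsMin)
    }
}

# Usage (placeholder values):
Set-GcpwSettings -AllowedDomains 'example.com' -OnlineSignInEveryDays 30
Get-GcpwSettings
Get-GcpwProfileAttributeValue -UserName 'jdoe'                 # existing local (workgroup) profile
Get-GcpwProfileAttributeValue -UserName 'jdoe' -Domain 'CORP'  # existing AD-backed profile
Test-PasswordPolicyCompatibility -GoogleMinimumLength 8
```

The AttributeValue field is what goes into the user’s custom attribute in the Admin console; if ProfilePath comes back empty the user has never signed in on that device and GCPW will create a profile rather than reuse one. Test-PasswordPolicyCompatibility only compares minimum length; if your Windows policy also enforces complexity, raise the Google requirement to at least match it, since GCPW blocks password changes from the Windows side.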

GCPW is available for endpoint machines that meet the specifications below:

  • 32-bit and 64-bit editions
  • Windows operating system Options: Windows 10 Pro, Pro for Workstations, Enterprise, or Education, version 1803 or later
  • Chrome Browser version 81 or later
  • GCPW (standalone) — Supported editions for this feature: Frontline; Business Starter, Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Basic and Business; Essentials; Cloud Identity Free and Premium.
  • Windows device management (standalone or with GCPW) — Supported editions for this feature: Frontline; Business Plus; Enterprise; Education Standard and Plus; Cloud Identity Premium.

Fredrick Sachita

Solutions Architect | Certified Google Cloud, Microsoft Azure, AWS