
Welcome back to our journey into the world of Univention apps! In this blog series, we regularly present exciting applications from our App Center. In our second episode, we’re diving into IAM integration with two key connectors: the Microsoft 365 Connector and the Google Workspace Connector. These apps build bridges and facilitate exchange between your UCS environment and these essential cloud office solutions.

Office in a Browser: Balancing Necessity with Compromise

Microsoft 365 and Google Workspace have become the go-to platforms for businesses of all sizes. These cloud-based office solutions are notably practical, offering easy browser access from various devices, an extensive array of collaboration tools, and scalable options—a key benefit for expanding companies. Despite their convenience and ability to cover essential business requirements, these cloud services are not without their flaws, often considered a “necessary evil”.

The platforms bind companies to their respective ecosystems, creating dependencies. This connection to a single provider limits choices and raises significant concerns regarding security and data protection, issues that often trouble decision-makers and users alike. Neither Microsoft 365 nor Google Workspace is immune to security vulnerabilities, and the centralized cloud storage of sensitive corporate data continuously presents a risk.

For those who can’t or prefer not to eliminate cloud services from their operations, finding a way to mitigate security risks without compromising efficiency and functionality is crucial. This is where effective Identity and Access Management (IAM) comes into play. Univention Corporate Server offers a range of robust and powerful IAM functions along with corresponding connectors that make it easy and secure for users to access the cloud office—introducing our two apps: the Microsoft 365 Connector and the Google Workspace Connector.

Microsoft 365 Connector

This app serves as a vital link between your UCS domain and the Microsoft 365 platform. It efficiently synchronizes user accounts and groups from the UCS directory service to Microsoft Entra ID, previously known as Azure Active Directory, Microsoft’s identity and access management service. Our connector ensures a smooth transition for all users, enabling them to log into MS 365 using their UCS credentials through Single Sign-on (SSO). It’s an optimal solution for companies and organizations that leverage Univention Corporate Server for IAM while also wanting to tap into the capabilities of the Microsoft cloud.

Here is an overview of the features:

  • Synchronization: This feature enables administrators to seamlessly add, update, or remove selected UCS users from the Microsoft 365 Azure account. User management is simplified because little to no manual intervention is required, and the user base is always up to date in both systems.
  • Single Sign-on (SSO): The SSO capability provides straightforward access to the cloud platform. Users can log in using their UCS credentials, granting direct access to all MS 365 functionalities. Importantly, the user’s password always remains within the UCS domain.

Setting up the Microsoft 365 Connector

Before you begin installing the app from our App Center, there are a few essential steps to complete. Firstly, you’ll need a Microsoft 365 administrator account and an account with Microsoft Entra (formerly Azure Active Directory). If you don’t already have these, they can be provided by the manufacturer free of charge for testing purposes. In addition, a domain verified by Microsoft is required to ensure your organization operates under a secure and recognized domain. Lastly, you will need a Microsoft 365 business subscription, which is also available as a free trial. Please note that connecting with a private Microsoft account is not an option.

Our manual describes the exact steps for configuration in the Microsoft 365 Connector chapter. Once you’re ready, proceed with installing the app. A user-friendly setup wizard is provided to guide you through all the necessary steps to get you up and running.


All other adjustments are made through the Users module of the Univention Management Console (UMC). Within this module, you’ll notice a new tab labeled Microsoft 365 for each user profile. It’s important to remember that any modifications made to user data in UCS will automatically be replicated in Microsoft Entra ID. However, the process isn’t bidirectional; changes made directly in MS Entra won’t sync back to UCS. If users or groups are deactivated or renamed there, they aren’t deleted but merely deactivated, enabling the reallocation of their licenses as needed.

Since 2021, the connector has expanded its capabilities to include support for collaboration with MS Teams. This feature allows UCS groups to be established as Teams within Microsoft 365, all managed via the UMC. During the setup process, you’ll assign a team owner who will then handle additional configurations directly in the Teams interface. Once you’ve activated a UCS group as a Team in Microsoft 365, its members are automatically added to the new team.

Google Workspace Connector

This app acts as a gateway to Google’s cloud services, ensuring user identities stay safely within your own IT infrastructure. This allows for complete control over user data. The connector is compatible with both the business edition of Google Workspace, ideal for companies with up to 300 users, and the education version, designed for educational institutions. Thanks to the single sign-on feature, user passwords are securely contained within the UCS domain, maintaining the security of sensitive access information in your environment.

Key Features Include:

  • Single Sign-on (SSO): Enables users to log in using their UCS credentials, providing direct access to all Google Workspace functionalities. The user password always stays secure within the UCS domain; users do not need to create and manage their own Google account.
  • Central License Management: This feature allows administrators to effortlessly monitor and manage licenses and associated costs.

Setting up the Google Workspace Connector

To set up the Google Workspace Connector for your UCS environment, begin by ensuring you have a Google administrator account. This account is needed to log in to the Google Admin Console, where you can manage Google services for all users in your organization. Note that a private Google account will not suffice for this purpose. Additionally, you’ll need a domain verified by Google. Fortunately, both can be obtained from the provider at no cost for testing purposes.

After installing the Google Workspace Connector app, a setup wizard will launch, guiding you through the initial configuration steps.


The remaining configuration steps for the Google Workspace Connector are conducted via the Users module in the Univention Management Console (UMC). For all user objects, there is now a new tab called Google Apps which allows you to designate whether an account should be provisioned to Google Workspace. Any changes made in the UCS directory service are automatically synchronized with the Google service. Similar to the Microsoft 365 Connector, this synchronization is unidirectional, meaning that modifications made in the Google domain are not automatically transferred to the UCS system. If you deactivate an account’s Google Apps feature in UCS, it will automatically be removed from the Google domain. This mechanism ensures that user information remains consistent and up-to-date across both systems.

For more information about the setup, please read the Google Apps for Work Connector chapter in our manual.

Final Thoughts: Join the Conversation in Our Community

Wrapping up, we’re left with an important question: Is identity and access management like this really the best way to go? Does the ease it brings make up for being tied to certain platforms and the security worries that might come with it? For companies and organizations that can’t let go of Microsoft or Google cloud services, our connector apps are a solid and secure choice for both users and admins. And if you’re thinking of moving away from the big cloud providers, our App Center is full of collaboration and office tools under open source licenses that fit right into the UCS environment.

What’s been your journey with Univention Corporate Server as an IAM solution? Have you tried out any of the connectors we talked about in this article? We’d love to hear about your experiences. Share your stories with us and the community.

Visit the Forum Univention Help and become a part of our community!

 

Image source: Icon created by Freepic from flaticon.com

Heike Jurzik

Heike Jurzik is a copywriter and author. She has been writing about the free operating system Linux, and other Open Source topics for over 20 years. Her first articles on the Linux command line appeared in the late 1990s—when Linux itself was still relatively new. Since then, she has written many books, technical articles, blog posts and manuals in both German and English.

Yvonne Ruge

As Product Marketing Manager at Univention, Yvonne Ruge ensures the successful positioning of UCS and UCS@school in the respective target groups and sales channels.
