LDAP (Lightweight Directory Access Protocol) likely isn’t the first protocol that comes to mind when you think about single sign-on (SSO). Your mind might jump to the wealth of SaaS applications that authenticate via SAML (Security Assertion Markup Language) instead.
However, there are ways IT admins can require end users to use their core credentials to access their on-prem and cloud LDAP-authenticated apps — just as they do to access their SSO portals for SaaS apps. This is useful whether organizations maintain their LDAP apps on-prem or “lift and shift” them to cloud providers like AWS®.
Although this configuration will not give users the SSO portal they may be familiar with, they can still use the same core credentials to access their entire suite of apps.
To implement LDAP in your enterprise, you can either maintain your own on-prem server infrastructure or spin up a virtual LDAP server with an Infrastructure-as-a-Service provider. With on-prem, keep in mind the associated hardware, security/availability, and maintenance costs. With a virtual LDAP server, you avoid the hardware costs but still have to configure, maintain, and monitor the server yourself.
Another option is to seek a managed LDAP provider, which can provide you with the same capabilities but reduce the monetary and time costs.
Regardless of which route you take, make sure authentication uses secure LDAP (LDAPS, i.e. LDAP over SSL/TLS) so that no cleartext LDAP traffic remains in your environment.
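As an added illustration of the cleartext-LDAP point (example code written for this article, not from any vendor's product): a small stdlib-only Python audit that classifies each application's LDAP bind configuration as encrypted and verified, encrypted but unverified, or cleartext, and builds the TLS settings a client should use. The application names, URLs and flags are constructed sample values.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class LdapEndpoint:
    app: str           # application that performs the bind (hypothetical name)
    url: str           # ldap:// or ldaps:// URL the client is configured with
    starttls: bool     # client upgrades a plain ldap:// session with StartTLS
    verify_cert: bool  # client validates the server certificate chain and hostname


# Constructed sample inventory: one LDAP bind configuration per application.
SAMPLE_ENDPOINTS: List[LdapEndpoint] = [
    LdapEndpoint("hr-portal", "ldaps://ldap.example.com", False, True),
    LdapEndpoint("wiki", "ldap://ldap.example.com:389", False, True),   # no TLS at all
    LdapEndpoint("ci-server", "ldap://ldap.example.com", True, False),  # TLS, but unverified
    LdapEndpoint("vpn", "ldap://ldap.example.com:636", False, True),    # wrong scheme on 636
]


def classify(ep: LdapEndpoint) -> str:
    """Return 'ok', 'unverified-tls' or 'cleartext' for one bind configuration."""
    scheme = urlparse(ep.url).scheme.lower()
    if scheme == "ldaps":
        encrypted = True
    elif scheme == "ldap":
        # ldap:// stays cleartext unless the client issues StartTLS; merely pointing
        # it at port 636 does not help, since clients negotiate TLS from the scheme.
        encrypted = ep.starttls
    else:
        raise ValueError(f"not an LDAP URL: {ep.url}")
    if not encrypted:
        return "cleartext"
    return "ok" if ep.verify_cert else "unverified-tls"


def audit(endpoints: List[LdapEndpoint]) -> Dict[str, str]:
    """Map each app to its transport status; anything but 'ok' needs remediation."""
    return {ep.app: classify(ep) for ep in endpoints}


def client_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings a client should use for LDAPS/StartTLS: verify the server
    chain and hostname (CERT_REQUIRED) and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for app, status in audit(SAMPLE_ENDPOINTS).items():
        print(f"{app:10s} {status}")
```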
It’s also important to note that if you’re using Microsoft® Active Directory® (AD) as your source of truth, you need to manually harden your LDAP bind settings until Microsoft releases the software update it has planned for the coming months of 2020.
Implementing SSO for LDAP Apps
The most comprehensive and straightforward solution is to opt for a cloud directory service that offers both LDAP and SAML capabilities.
That way, you can use the directory service as the source of truth for identities in all apps, regardless of protocol. Then, you can provide or revoke access to users by group, role, and other attributes. You may do this for