What is the difference between Single Sign-On (SSO) and Directory-as-a-Service® (DaaS)?

Written by Greg Keller on September 29, 2014


There’s a lot of confusion in the identity management and directory services space these days. In fact, it’s not even clear any more what the space is called. There’s IAM, Identity-as-a-Service, SSO, Directory-as-a-Service®, and much more. With so many different companies and approaches to solving the problem, how do you parse through all of the solutions? We wanted to put together a little primer on how Single Sign-On (SSO) and Directory-as-a-Service (DaaS) are different. Let’s start with some basics.

Generally, the entire space that involves users being granted access to infrastructure in the enterprise has been labeled “identity and access management” or “IAM” by Gartner and others. That label, however, has generally excluded one core area: directories. Why has the area of directories been ignored by the analysts and associated community? Historically, it has been a duopoly of Microsoft Active Directory and open source LDAP, and there has been little, if any, innovation in that area in years.

One of the hottest spaces in the IT landscape over the last several years has been the SSO space. VCs have poured money into this sector since the early 2000s. As enterprises have become more comfortable with web-based applications, the question has become, “How can I let my employees log into their device or our network once and, as a result, gain access to the cloud-based applications they need?” SSO providers have done a great job of making the process of user management seamless. They bridge your identity from your on-premise Active Directory or LDAP to their software or cloud-based solution. From there, the SSO vendors have built connectors to ensure that your identity will work with thousands of popular cloud-based applications, such as Salesforce, Box, and Dropbox, among others.

From a user perspective, it’s all transparent to them. They log in once and are able to access everything they need. From an IT perspective, you have one user identity being distributed to the enterprise applications that your end-users need. Changes to the directory of record are propagated through to the SSO solution. That makes it simple to control access to web-based resources.

As mentioned earlier, the directory service has been a sleepy part of identity and access management. Generally, it’s not even really considered part of the space! And it has not garnered any attention over the last several years. With the shift to cloud infrastructure, non-Windows devices, and Google Apps, the idea that the directory, either AD or LDAP, needs to be on-premise is being challenged. Historically, the directory has been the user store of record. All of your users are in the directory service and the directory will have APIs to allow other solutions to authenticate and authorize against it. In fact, the SSO vendors use these APIs to build on top of the directory service.

Directories have not kept up with the changes in the IT landscape. For admins in the directory space, that’s a challenge. Directories like Active Directory have two main functions: being the database of record for users and their access to IT resources, and managing devices (e.g. controlling Windows settings, configurations, etc.). With cloud-based infrastructure and a shift to Macs and Linux, AD and LDAP have struggled to keep pace. Admins need to spend more time and effort to manage cloud servers, for example, or to manage Macs. When organizations move more of their infrastructure to cloud-based services, such as Google Apps or Office 365, the on-premise solutions AD and LDAP are not easily extended to the cloud.

Fundamentally, SSO solutions look to help an organization’s employees use their one username and password to log into all of their web-based applications. A directory is the store for that one username, password, or SSH key. SSO solutions are built on top of a directory like AD or LDAP.
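The layering described above, as an added illustration that is not code from the original post or from JumpCloud: a hypothetical directory that is the store of record (credentials and per-application entitlements) and a hypothetical SSO layer that never stores passwords itself but authenticates and authorizes through the directory's API, so that a change in the directory (disabling the user) takes effect on the next SSO request.

```python
import hashlib
import hmac
import os
import secrets


class Directory:
    """Hypothetical store of record: users, salted password hashes, app entitlements."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, uid, password, apps):
        salt = os.urandom(16)
        self.users[uid] = {"salt": salt, "hash": self._hash(password, salt),
                           "apps": set(apps), "enabled": True}

    def authenticate(self, uid, password):
        # Equivalent of an LDAP bind: verify the credential, reject disabled users.
        u = self.users.get(uid)
        if u is None or not u["enabled"]:
            return False
        return hmac.compare_digest(u["hash"], self._hash(password, u["salt"]))

    def authorize(self, uid, app):
        u = self.users.get(uid)
        return bool(u and u["enabled"] and app in u["apps"])

    def disable(self, uid):
        self.users[uid]["enabled"] = False


class SSOProvider:
    """Hypothetical SSO layer built on top of the directory; holds sessions, not passwords."""

    def __init__(self, directory, signing_key):
        self.directory, self.key, self.sessions = directory, signing_key, {}

    def login(self, uid, password):
        if not self.directory.authenticate(uid, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = uid
        return token

    def assertion_for(self, token, app):
        # Re-check the directory on every request so directory changes propagate.
        uid = self.sessions.get(token)
        if uid is None or not self.directory.authorize(uid, app):
            return None
        payload = f"{uid}:{app}"
        return payload + "|" + hmac.new(self.key, payload.encode(), "sha256").hexdigest()
```

The assertion here is a simple HMAC-signed string standing in for a SAML or similar assertion a real SSO connector would issue.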

So where does JumpCloud® come into play? JumpCloud is a cloud-based directory that handles authentication, authorization, and management of users and their devices, whether on-prem or in the cloud. Our goal is to provide a hosted LDAP out in the cloud or even replace AD. We are also a cloud-based extension to AD, LDAP, or Google Apps for authentication and authorization to cloud-based infrastructure like your cloud servers. JumpCloud also seamlessly integrates with Office 365. We believe that a directory needs to be able to manage devices too, so we have the capability to manage your Windows, Mac, or Linux devices as well. JumpCloud supports popular applications to create web-based SSO, and it also integrates with popular SSO solutions. For example, SSO providers could easily connect to JumpCloud and leverage our directory, similar to how they leverage AD or LDAP.

Learn More About The Difference Between SSO and DaaS

The identity and access management space can be complicated. At JumpCloud, we’re focusing on reinventing the directory service and the way it’s implemented and understood. Moreover, we are playing a role in making IAM solutions better by simplifying the management of centralized users and integrating with a growing set of solutions that need to access an always-available source of truth about a user. If you are interested in hosted LDAP, RADIUS-as-a-Service, extending your AD/LDAP/GApps/O365 identities to a cloud-based infrastructure, or managing your Mac or Linux devices, we’d be a great fit for you; give us a call. Drop us a line if you want your employees to be able to single sign-on to web-based applications. There are many great SSO vendors out there for you. We’d be happy to connect you with them!
