By Zach DeMeyer Posted April 3, 2019
What is the difference between LDAP and SAML SSO (single sign-on)? Don’t both LDAP and SAML authenticate users to applications? While both LDAP and SAML are authentication protocols and are often used for applications, the two are leveraged for very different use cases. In reality, though, organizations don’t often need to choose between using LDAP or SAML, but rather evaluate the most optimal way to leverage both protocols within their IT environment.
A Brief History Lesson
Before we dive into the differences between the two authentication protocols, it’s best to first understand what each are and how they’ve evolved to where they are now.
LDAP (Lightweight Directory Access Protocol) was created in the early 1990s and quickly became one of the foundational authentication protocols used by IT networks. LDAP servers—such as OpenLDAP™ and 389 Directory—are often used as an identity source of truth, also known as an identity provider (IdP) or directory service. This ability, paired with system management abilities from the Kerberos protocol, created the backbone for the traditional directory service choice, Microsoft® Active Directory®.
Traditionally, IT organizations have been forced to stand up their own LDAP infrastructure on-prem, along with the ancillary services required to keep the LDAP platform secure and operational. As a lightweight protocol, LDAP runs efficiently on systems, and gives IT organizations a great deal of control over authentication and authorization. Implementing it, however, is an arduous technical process, creating significant work upfront for IT admins.
The main use of LDAP today is to authenticate users stored in the IdP to on-prem applications or other Linux® server processes. LDAP-based applications include OpenVPN, Jenkins, Kubernetes, Docker, and many others.
SAML, on the other hand, was created in the early 2000s with the exclusive purpose of federating identities to web applications. The protocol was instantiated on the fact that there would be an identity provider already existing within an organization. The SAML protocol didn’t seek to replace the IdP, but rather use it to assert the validity of a user’s identity.
That assertion would be leveraged by a service provider—or web application—via a secure XML exchange. The result was that an on-prem identity, traditionally stored by LDAP in Active Directory (AD), could be extended to web applications. Vendors used SAML to create software that could extend one user identity from AD to a host of web applications, creating the first generation of Identity-as-a-Service (IDaaS)—single sign-on (SSO) solutions. Examples of applications that support SAML authentication include Salesforce®, Slack, Trello, and thousands of others.
The Difference Between LDAP and SAML SSO
When it comes to their areas of influence, LDAP and SAML SSO are as different as they come. LDAP, of course, is mostly focused towards facilitating on-prem authentication and other server processes. SAML extends user credentials to the cloud and other web applications.
While the differences are fairly significant, at their core, LDAP and SAML SSO are of the same ilk. They are effectively serving the same function—to help users connect to their IT resources. Because of this, they are often used in cooperation by IT organizations and have become staples of the identity management industry.
The Costs of LDAP and SAML SSO
Although they are effective, common methods of LDAP and SAML SSO implementations can be costly to an enterprise’s time and budget. LDAP, as previously mentioned, is notoriously technical to instantiate and requires keen management to properly configure. SAML SSO is often cloud-hosted, but pricing models of these IDaaS solutions can be steep.
Thankfully, a new generation of identity provider is supporting these different protocols inside of one centralized cloud solution. Rather than face the daunting task of managing a wide range of authentication platforms and protocols, tens of thousands of IT organizations use JumpCloud® Directory-as-a-Service® to accomplish complete identity management from one pane of glass.
LDAP, SAML SSO, and More with DaaS
By hosting LDAP, SAML, and more from the cloud, Directory-as-a-Service (DaaS) securely authenticates user identities to virtually any system (Windows, Mac®, Linux), application (on-prem or cloud), network, and more using a single set of credentials. That means less passwords to remember, less time spent signing in, and more freedom of choice for employees.
Beyond LDAP and SAML, organizations can leverage group policy object (GPO)-like Policies to enforce security measures such as full disk encryption (FDE), multi-factor authentication (MFA), and password complexity requirements over user groups and Mac, Windows, and Linux systems. Admins can also use JumpCloud’s RADIUS-as-a-Service to tighten up network security with VLAN tagging and more.
The Cost of DaaS
The entire JumpCloud Directory-as-a-Service platform is available for free forever for the first ten users in your organization. Beyond that, the DaaS pricing model scales as you do, with bulk discounts for larger organizations, education organizations, non-profits, and managed service providers (MSPs). We also offer a per protocol option (LDAP, SAML, or RADIUS) at a reduced rate.
If you would like to see DaaS in action before you buy, try it for free today, for ten users forever. You can also schedule a live demo of the product, or watch a recorded one on our YouTube channel. If you have any additional questions, feel free to give us a call or send a note.