LDAP (Lightweight Directory Access Protocol) likely isn’t the first protocol that comes to mind when you think about single sign-on (SSO). Your mind might jump to the wealth of SaaS applications that authenticate via SAML (Security Assertion Markup Language) instead.
However, there are ways IT admins can require end users to use their core credentials to access their on-prem and cloud LDAP-authenticated apps — just as they do to access their SSO portals for SaaS apps. This is useful whether organizations maintain their LDAP apps on-prem or “lift and shift” them to cloud providers like AWS®.
Although this configuration does not produce the SSO portal that users may be familiar with, they can still use the same core credentials to access their entire suite of apps.
To implement LDAP in your enterprise, you can either maintain your on-prem server infrastructure or spin up a virtual LDAP server with an Infrastructure-as-a-Service provider. With on-prem, you’ll want to keep in mind the associated hardware, security/availability, and maintenance costs. With a virtual LDAP server, you’ll avoid the hardware costs but still have to configure, maintain, and monitor the server yourself.
Another option is to seek a managed LDAP provider, which can provide you with the same capabilities but reduce the monetary and time costs.
Regardless of which route you take, you’ll want to make sure the authentication uses secure LDAP (over SSL/TLS) to avoid clear text LDAP in your environment.
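As an added illustration (not configuration from the original post or from any particular vendor), the OpenLDAP cn=config change below turns a server that still accepts cleartext binds into one that refuses them; the certificate paths and hostname are placeholders.

```ldif
# Constructed example: harden an OpenLDAP server so that no password
# crosses the wire in the clear. Paths and hostname are placeholders.
#
# Weak state this replaces: no olcSecurity set, so a client connecting
# to ldap://ldap.example.com:389 can send a simple bind (password) in
# cleartext and the server will accept it.

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.example.com.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.example.com.key
-
# Do not negotiate anything older than TLS 1.2 (3.3 = TLS 1.2).
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
-
# Treat the local ldapi:/// socket as strongly protected so that
# root-on-the-box administration keeps working after the change below.
replace: olcLocalSSF
olcLocalSSF: 128
-
# Require a 128-bit security strength factor for every operation and,
# explicitly, for simple binds. A plain ldap:// session that has not
# upgraded with StartTLS (or a ldaps:// session) is refused with
# "confidentiality required", so the password is never sent in clear.
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f harden-ldap.ldif`, then point clients at `ldaps://ldap.example.com` (or `ldap://` with StartTLS) and set `TLS_REQCERT demand` in their `ldap.conf` so they also refuse a server whose certificate does not validate.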
It’s also important to note that if you’re using Microsoft® Active Directory® (AD) as your source of truth, you need to harden your LDAP binding manually until Microsoft releases its software update later in 2020.
Implementing SSO for LDAP Apps
The most comprehensive and straightforward solution is to opt for a cloud directory service that offers both LDAP and SAML capabilities.
That way, you can use the directory service as the source of truth for identities in all apps, regardless of protocol. Then, you can provide or revoke access to users by group, role, and other attributes. You may do this for proprietary apps or popular LDAP apps like Jenkins or the Atlassian suite, as well as a wide range of web apps.
Although users won’t access LDAP apps through a portal the way they access SAML apps, they will still use their core credentials for both. This is both easier and more secure for users because they only have to remember one password, and admins can implement password complexity requirements to make sure it’s not an easy-to-guess phrase.
It improves user management for admins, too, because they only have to manage one identity store — rather than mini “directories” in each app — and they can attach users to groups in the central directory that have the apps connected and provision users automatically.
Benefits of Cloud LDAP
Beyond the benefits that managed LDAP provides in the application space, it can also enable authentication for other LDAP-based services like Samba file servers and NAS appliances.
It’s useful in authenticating users to server infrastructure, file servers, and select networking equipment. Although its use in the enterprise isn’t as widespread as it used to be, LDAP is still an important component of a comprehensive identity and access management (IAM) strategy.
Learn more about the benefits of leveraging cloud LDAP here.