By Vince Lujan Posted May 14, 2019
With so many sub-categories in the identity and access management (IAM) space, some clarity around their respective use cases would be helpful. After all, managing modern networks can be difficult and you want to have the best tools for the job. In this blog post, let’s compare SSO versus LDAP and discuss a few use cases.
The Lightweight Directory Access Protocol, otherwise known as LDAP, is one of the oldest user authentication protocols in use today for computer systems. It was created in 1992 by a student (at the time) named Tim Howes and his colleagues at the University of Michigan.
LDAP was designed to connect users to systems throughout the university back in the early days of the Internet. Prior to that, the University of Michigan leveraged the X.500 directory access protocol (DAP) to reach a similar end.
Fast forward to modern times and LDAP has proven to be highly effective. Not only has it remained a standard for user authentication, but it also inspired the creation of OpenLDAP™ and Microsoft® Active Directory® (AD)—two powerful on-prem identity provider (IdP) platforms.
Despite being designed for on-prem networks of legacy systems, the nearly thirty-year-old protocol has even made the shift to the cloud, and can now be delivered as a service. Thus, IT organizations are able to leverage LDAP functionality without anything on-prem.
LDAP has primarily been used to authenticate user access to legacy systems and applications. More recently, LDAP has also been used to authenticate user access to DevOps tools such as Jenkins® and Kubernetes®.
Its flexible schema makes LDAP perfect for storing a wide variety of user attributes and permissions, which is basically the core of IAM. In fact, if an organization only leverages the LDAP protocol for authentication, then a solution like OpenLDAP might be the only IAM platform required.
However, web applications do not generally leverage the LDAP protocol for authentication, which brings us to SSO.
Web application single sign-on (SSO) solutions leverage the Security Assertion Markup Language (SAML) to securely authenticate user access to cloud-based apps. As web applications emerged in the early 2000s, they were difficult to manage directly with traditional LDAP-based infrastructure or Microsoft Active Directory.
IT admins struggled to connect their on-prem IdP (usually AD) to web applications via LDAP, Kerberos, or proprietary Microsoft APIs. As a result, developers created a new secure authentication protocol to bridge the gap between on-prem and the cloud.
SAML was the result, and it effectively created a new category of IAM solution known as Identity-as-a-Service (IDaaS) a few years later.
However, it’s interesting to note that while LDAP can play the role of a core IdP for an IT organization, SAML is often added on to existing IdPs. This is because the primary goal of SAML-based solutions is to extend traditional directory services functionality to cloud-based applications.
In practice, IT admins often layer SSO solutions on top of their on-prem AD infrastructure. As a result, IT organizations can continue to leverage LDAP-based resources on-prem with added support for web applications via SAML.
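The layering described above, as an added example in Python (not code from this post or from JumpCloud): an SSO layer that first performs the equivalent of an LDAP simple bind, checking the password against an OpenLDAP-style {SSHA} userPassword value in a constructed in-memory directory that stands in for AD/OpenLDAP, and only then maps the user's directory attributes into a SAML 2.0 assertion restricted to one web application. The DN, attributes, issuer URL and audience are made-up sample values.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = "{%s}" % SAML_NS

def ssha_verify(password: str, stored: str) -> bool:
    # Constant-time check of a password against an OpenLDAP {SSHA} userPassword value
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
# Constructed stand-in for the LDAP directory (DN -> attributes); sample data, not real accounts.
# userPassword is stored in {SSHA} form: base64(SHA-1(password + salt) + salt), with a 4-byte salt.
_SALT = b"\x01\x02\x03\x04"
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "mail": "jdoe@example.com", "cn": "Jane Doe",
        "memberOf": ["cn=devops,ou=groups,dc=example,dc=com"],
        "userPassword": "{SSHA}" + base64.b64encode(hashlib.sha1(b"correct horse" + _SALT).digest() + _SALT).decode(),
    },
}
def simple_bind(dn: str, password: str) -> bool:
    # Stand-in for an LDAP simple bind: succeeds only if the DN exists and the password verifies
    entry = DIRECTORY.get(dn)
    return entry is not None and ssha_verify(password, entry["userPassword"])

def issue_assertion(dn: str, audience: str, issuer: str = "https://idp.example.com") -> str:
    # Map the bound user's LDAP attributes into a SAML 2.0 Assertion scoped to one web app (the audience).
    entry, now = DIRECTORY[dn], datetime.now(timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("saml", SAML_NS)
    a = ET.Element(NS + "Assertion", Version="2.0", ID="_" + os.urandom(16).hex(), IssueInstant=fmt(now))
    ET.SubElement(a, NS + "Issuer").text = issuer
    subj = ET.SubElement(a, NS + "Subject")
    ET.SubElement(subj, NS + "NameID", Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = entry["mail"]
    cond = ET.SubElement(a, NS + "Conditions", NotBefore=fmt(now), NotOnOrAfter=fmt(now + timedelta(minutes=5)))
    ET.SubElement(ET.SubElement(cond, NS + "AudienceRestriction"), NS + "Audience").text = audience
    stmt = ET.SubElement(a, NS + "AttributeStatement")
    for ldap_attr, saml_name in (("cn", "displayName"), ("memberOf", "groups")):
        attr = ET.SubElement(stmt, NS + "Attribute", Name=saml_name)
        for value in (entry[ldap_attr] if isinstance(entry[ldap_attr], list) else [entry[ldap_attr]]):
            ET.SubElement(attr, NS + "AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")

def sso_login(dn: str, password: str, audience: str):
    # The SSO layer: authenticate against LDAP first, then hand the web app an assertion (None on failure)
    return issue_assertion(dn, audience) if simple_bind(dn, password) else None
```

The assertion is left unsigned here; a production IdP signs it with XML-DSig, and the web application rejects anything that fails the signature, audience, or validity-window checks.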
Challenges with SSO and LDAP
Traditional SSO solutions and LDAP are great at connecting users to their respective applications. However, implementing SSO and LDAP has historically been a give-and-take relationship for IT admins.
For one, traditional LDAP setups are on-prem implementations that can be challenging to implement and maintain. Consequently, admins have been forced to invest a lot of time and effort to support them.
Further, legacy directory services solutions that are based upon LDAP (e.g., AD and OpenLDAP) struggle with cross-platform system environments, web and disparate on-prem applications, cloud infrastructure at AWS® and GCP®, physical and virtual file storage, and remote networks. So, SSO solutions are often one of many siloed directory services extensions required in traditional AD or OpenLDAP environments.
In other words, while LDAP and SSO might solve part of the IAM puzzle in modern organizations, the bigger picture is far more complex.
SSO and LDAP Reborn
What modern IT admins need is a reimagination of traditional IAM solutions altogether: one that combines what used to be a wide array of disparate IAM categories into a single cloud-based directory service.
The goal is to provide users with a single, secure set of credentials that they can leverage to gain access to virtually any IT resource—without anything on-prem and without multiple solutions. In doing so, admins can connect users to virtually any IT resource from the cloud.
This is achievable with JumpCloud® Directory-as-a-Service®, which offers True Single Sign-On™ from the cloud.
Sign up for a JumpCloud account and check out our SSO and LDAP functionality firsthand. We offer 10 users free forever to help get you started. If you need to dig deeper into SSO vs LDAP for your environment, contact us for additional information.
You can also browse our Knowledge Base or YouTube page for supplemental information, or request a personalized demo with a member of the JumpCloud team.