In the single sign-on (SSO) field, the most common protocols are SAML and LDAP. Both protocols are used for business application authentication, but there are obvious differences in use cases. Nevertheless, for enterprises to deploy single sign-on (SSO), it is best to make full use of the combination of both protocols to support access to more types of IT resources without increasing IT expenditure, which ultimately also helps achieve business goals.
1. Starting Point of LDAP Single Sign-On and SAML Single Sign-On
Before delving into a comparison of these two authentication protocols, let's first review the development process of the two protocols. LDAP (Lightweight Directory Access Protocol) was jointly created by Tim Howes of the University of Michigan and his colleagues as an open standard in the early 1990s and has been widely used ever since, demonstrating the flexibility and powerful functionality of LDAP.
SAML (Security Assertion Markup Language) was developed at the beginning of the 21st century and is an assertion-based authentication protocol that can associate identities with web applications. The verification process of SAML first verifies the authenticity and validity of the identity through integration with the identity provider (IdP).
Once a server-side service such as a web application has consumed the XML-based assertion and completed authentication, it grants the user access. Technically, the IdP is responsible for issuing and relaying the SAML attribute assertions; the entire exchange takes place over the internet, is secure, and no longer relies on a traditional domain. It is noteworthy that in this process the account credentials are not stored on any single service provider (SP); when users instead hold multiple different credentials, the risk of data leakage and the management cost both increase.
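The SP-side trust decisions behind "verifying the authenticity and validity of the identity" are easy to get wrong, so here is an added example (not from the original article or from any vendor's code) of the checks a service provider runs on an assertion relayed by the IdP: issuer, audience, validity window, and correlation with the request it sent. The XML, the IdP issuer URL and the SP entity ID are constructed placeholders; XML-DSig signature verification is assumed to have been done beforehand with a proper library.

```python
# Added example, not from the original article: service-provider (SP) checks
# that must pass before a SAML assertion relayed by the IdP is trusted.
# Constructed sample data; signature verification (XML-DSig) must precede this.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/sso</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    # SAML validity timestamps are UTC, second precision, 'Z' suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, sp_entity_id, request_id, now):
    """Return (ok, reason, attributes). Each check is a trust decision the SP makes
    itself: did our IdP issue it, is it for us, is it still valid, did we ask for it."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:
        return False, "unsolicited or replayed response", {}
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # reject responses carrying extra assertions
        return False, "expected exactly one assertion", {}
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", {}
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not addressed to this SP", {}
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", namespaces=NS)
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", attrs
```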
2. Similarity and Difference
The essence of LDAP single sign-on and SAML single sign-on is the same: both help users connect to the IT resources they need. It is precisely for this reason that the two protocols are often used together and have become mainstays of the identity management industry. Especially as the use of web applications has grown sharply, enterprises that adopt core directory services will also use single sign-on solutions for web applications based on the SAML protocol.
Nevertheless, single sign-on implementations based on LDAP and SAML differ significantly in scope. LDAP focuses on authentication for on-premises systems and other server-side processes, while SAML is more about extending user credentials to cloud applications and other web applications.
There is also an easily overlooked conceptual difference between SAML and LDAP: most common LDAP servers are authoritative IdPs, that is, identity sources. A SAML service, by contrast, is not itself an identity source; it often acts as a front end for a directory service, converting the directory's authentication process into SAML-based workflows.
In terms of use cases, LDAP integrates well with Linux-based applications such as Jenkins. An LDAP server usually serves as the identity source, also known as the identity provider (IdP); examples include Microsoft Active Directory and cloud directory services that can run across systems.
Run efficiently, LDAP lets enterprises manage a large share of their authentication and authorization centrally. However, deploying LDAP is technically involved: administrators must complete a large amount of preparatory work in advance, including high availability, performance monitoring, and security.
By comparison, SAML is usually used for authentication and authorization between enterprise directories and web applications. Over many years of development, SAML has also gained extensibility features that broaden users' access to web applications. SAML-based solutions have always been used in conjunction with core directory services. Vendors build software on SAML that extends user identities to a large number of web applications, which gave rise to the first generation of IDaaS, recognized by the market for its broad SSO support for SaaS applications such as Salesforce, SalesEasy, WorkLife, and ServiceNow. With the development of enterprise mobile and social identity, IDaaS is also required to bridge on-premises AD and enterprise social identity.
3. '1+1>2'
Since both LDAP and SAML can authenticate users to different types of IT resources, the question is not which protocol to adopt, but how to deliver a complete single sign-on experience: how can users reach every resource they need with just one identity?
The NingDun cloud directory service frees enterprises from setting up and maintaining on-premises AD accounts while also integrating core IdP capabilities, achieving single sign-on (SSO) through flexible and powerful authentication protocols. In addition to SAML and LDAP, the NingDun SSO system supports international standard protocols such as OIDC and OAuth 2.0 as well as its self-developed EasySSO protocol, so it can quickly connect both in-house and purchased applications, old and new. When the system verifies a user's identity, it can also enforce multi-factor authentication (MFA) to keep the user account secure and trustworthy, thereby strengthening the security of application access.