Is LDAP suitable for external users?

1
votes

LDAP often times used to provision enterprise users. It acts as a centralized user store. Easy to integrate with SaaS with SCIM API.

But is it a good idea to use LDAP for external users if we want to implement single data store for authentication for the purposes of Single Sign On and Easy user provision in multiple websites but offered by the same organization.

All the descriptions about LDAP and SCIM suggest use cases for SaaS integration to internal user database or multiple intranet applications.

If not, what would be the standards based way to do that? What will be the challenges?

2
ldapsingle-sign-onsamlscim

2 Answers

2
votes

LDAP is a good candidate for storing Identity Information for any type of user or device. Faster than most a Relational Database and modern LDAP Server Implementations can scale to very large capacities.

For Single-Sign-on purposes, LDAP offer no help. SAML or OpenID Connect would be the "Current Best Practices" for SSO.

SCIM 2.0 would be excellent use to be perform CRUD operations against LDAP as a Identity Information store.

Challenges from a generic request, is beyond the scope of stackoverflow.

One of the great things about OpenID Connect is it abstracts the authentication and then SCIM then also abstracts the CRUD operations so the back-end does not matter.

Asking specific questions will obtain best results.

1
votes

As a consultant I have been seeing more and more large enterprises start initiatives using an industry buzzword known as Customer Identity and Access MAnagement (CIAM). One of the elements for these large organizations is the management of external users (or identities if you prefer). Those organizations are using LDAP based user directories to store identity information. These architectures do utilize SCIM, SAML, and OIDC standards for user provisioning and federation respectively. In our consulting we have seen many different LDAP servers for this purpose including Active Directory, AD-LDS, OpenLDAP, CA-LDAP, PingDirectory, etc. The key to the choice of the LDAP is the scale and performance parameters, so when making choices for the technology be sure to ask about repository size and compression, indexing speed and technical implementation, underlying data management, and data synchronization.

As for the shameless plug above, I am familiar with PingDirectory (formerly known as UnboundID), which a great product for scale and performance as there are features built into it that allow it to scale well. In fact it has roots in the telco industry where there are implementations in the tens of millions of customer users. As part of your analysis to determine which technology works best for your use cases, I would take a look at that product.