Friday, November 27, 2015

SaaS Identity and Directory Services

For SaaS providers, what are the available mechanisms for integrating with a directory service?

  1. The LDAP can be fronted by an IdP hosted in DMZ that provides authentication and authorisation mechanisms to Cloud services. The authentication/authorisation mechanisms can be via web federation protocols such as SAML/OIDC. This is show in the above figure.

  2. The LDAP (rather a replica of it) can be exposed via "ldaps" (ssl protected ldap) to the external Cloud services

  3. The LDAP itself can be synced to the Cloud services. Technologies like Azure AD Connect can be used to implement this methodology

From 1st to 3rd mechanism, the security/privacy responsibility that lies on the SaaS provider increases.

In order to the 3rd mechanism, the users must trust the SaaS provider to store data and passwords. I believe, any organization will think twice before syncing LDAP with external parties.

So one might ask, hold on, what about online enterprise identity providers? Online identity providers such as OneLogin has obtained certifications to prove that data is private and well protected.  Obtaining such certifications are very expensive, and they needs to be maintained (audits must be done periodically).

The first mechanism can be illustrated as follows.

No comments: