
Supporting Single Sign-On with Active Directory

We have a SaaS app written on .NET and we need to offer various methods of SSO to our customers.

A while ago we standardized on OpenID, hoping that this would become a universal standard and liberate us from having to support different standards. Unfortunately, enterprises never quite got on board with OpenID and we are always asked to support Active Directory. (Our app just needs basic authentication, not fine-grained authorization to use different objects/permissions/etc.)

We're hoping to avoid a lot of extra development -- if we want to offer easy integration to the greatest number of Windows A.D. users, which should we support -- LDAP or SAML? And if SAML, 1.x or 2.x?


Huge difference between LDAP and SAML support for SSO. I would imagine almost every enterprise customer you have will not like you opening up a firewall port directly to their AD/LDAP store containing all their user data. More likely they will have some kind of SAML-based solution in place that provides a MUCH more secure SSO solution. Companies are also starting to push back on employees entering corporate user creds into login forms not hosted by the company (helps reduce phishing).

Since you are already a SaaS, why not use a service that gives your application SAML support so you don't have to? Check out PingConnect for SaaS Providers. [Note: I work for Ping] Nothing to install, just some minor code changes to the auth logic in your application. If you really want an on-premise SAML solution, there are 150+ SaaS Providers using our PingFederate software to provide SAML 1.0/1.1/2.0/WS-Fed protocol support to their customers.

HTH - Ian


You can enable SSO for a user base in Active Directory with SAML2, OpenID or with Passive STS support. It is important to have multiple protocol support, since different applications are capable of supporting different protocols. For example, Google Apps and Salesforce support SAML2, while LifeRay and Drupal support OpenID.

Disclaimer: I am an architect from WSO2

The open source WSO2 Identity Server can be deployed over an active directory [just a configuration] and it will automatically give all the users in AD an OpenID.

Further, the Identity Server can be used as a SAML2 IdP, OpenID provider or as a PassiveSTS IdP.

Especially when providing SSO for SharePoint users, you may need to use PassiveSTS.

You can see the cloud deployment of WSO2 Identity Server from here.

If your concern is from a service provider end, then it would be ideal to have SAML2 as well as OpenID support.


If you want to address Active Directory quickly and directly, LDAP is the shortest way.

But for me, LDAP and SAML cover different scopes.

On one hand, LDAP is an open protocol that allows you direct access to an authentication server. You stay independent of the LDAP directory.

On the other hand, I think that if the users of your service are able to be authenticated in their companies, SAML allows you to make a trust relationship with these companies and to avoid managing user/password. For your clients that deploy Active Directory, let's have a look at Active Directory Federation Services.
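The answers above draw one line between the two options: with LDAP the SaaS app handles the user's password and needs a network path into the customer's directory, while with SAML it only receives a signed assertion from the customer's IdP (for instance AD FS) and never sees the password. The service-provider side of that SAML flow still has to check the assertion carefully, and those checks are where real deployments go wrong. The following is an added example in Python, not code from any of the answerers, from Ping or from WSO2. It assumes the XML signature over the assertion has already been verified by a proper XML-DSig library before this function is called, and all issuer URLs, entity IDs, request IDs and the sample response are constructed placeholders.

```python
"""Service-provider side checks on a SAML 2.0 Response (constructed example).

Signature verification is assumed to have been done by an XML-DSig library;
this code covers the semantic checks that must follow it: status, issuer,
InResponseTo, validity window, audience and one-time use of the assertion.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values the SP would load from the customer's IdP metadata and its own config (assumed).
EXPECTED_ISSUER = "http://adfs.example-customer.test/adfs/services/trust"
OUR_ENTITY_ID = "https://app.example-saas.test/saml/metadata"
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for IdP/SP clock drift


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2010-06-01T12:00:00Z."""
    if value is None:
        raise ValueError("missing timestamp in Conditions")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, outstanding_request_ids, seen_assertion_ids, now):
    """Return the NameID if every check passes, otherwise raise ValueError.

    outstanding_request_ids: IDs of AuthnRequests this SP sent and has not consumed.
    seen_assertion_ids: assertion IDs already accepted (replay cache).
    """
    root = ET.fromstring(response_xml)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # The response must answer a request we actually sent; unsolicited
    # responses are rejected so an assertion cannot simply be injected.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    outstanding_request_ids.discard(in_response_to)

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("missing Conditions")
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise ValueError("assertion outside its validity window")

    # The assertion must be addressed to this SP, not to some other relying party.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this service provider")

    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(assertion_id)

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in subject")
    return name_id


# Constructed sample response, as an IdP such as AD FS would return it (minus the signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
    <saml:Issuer>http://adfs.example-customer.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example-customer.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-06-01T11:59:00Z" NotOnOrAfter="2010-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example-saas.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Validate the sample once (accepted), replay it (rejected), present it late (rejected)."""
    now = datetime(2010, 6, 1, 12, 1, tzinfo=timezone.utc)
    seen = set()
    results = {"fresh": validate_assertion(SAMPLE_RESPONSE, {"_req1"}, seen, now)}
    for label, request_ids, cache, when in (
        ("replay", {"_req1"}, seen, now),
        ("late", {"_req1"}, set(), now + timedelta(hours=1)),
    ):
        try:
            validate_assertion(SAMPLE_RESPONSE, request_ids, cache, when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay cache only needs to hold assertion IDs until their NotOnOrAfter has passed, so it can be bounded; in a multi-node SaaS it must be shared (for example in the session store), or the same assertion could be accepted once per node. None of this code ever touches the customer's directory or the user's password, which is the practical difference the answers above are pointing at.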
