My company develops and sells a SaaS application that has hundreds of customers. Some of our customers have asked us to support LDAP integration for authenticating user accounts against their existing systems instead of having to create another login account for each of their employees. Seems like this is referred to as Single Sign On (SSO) in many places? Naturally our system already has a mechanism for maintaining user account profiles and authenticating those user accounts from our login page.
We're a bit ignorant about LDAP and are confused about a few things. Please excuse the possible use of wrong terminology (remember, we're a little ignorant about this).
We think we understand the basics of how this might work:
Assuming the above information is even semi-correct, we'll still need each user to have an account in our system. Won't we need some way to synchronize our user account profiles with the user profiles in the LDAP directory? Is this simply an "external ID" that references the user's ID in the LDAP system? Would it then be required that the customer's "remote authentication" script must provide that ID to our system so we know which user account in our system to associate the login with?
What are we missing?
BTW, our platform is IIS, ASP.Net 2.0, and SQL Server 2005.
There are several options. If you really mean LDAP, as opposed to just Active Directory, I would probably look at using System.DirectoryServices.Protocols to perform an LDAP bind using the supplied credentials via a secure channel.
Strictly, this isn't Single Sign-On. SSO means only having to submit your creds once when you first log on. This is simply reducing complexity for the users by only having a single ID. Usually, for Windows clients in an enterprise environment with a mixture of platforms and technologies, SSO is achieved by a client added to the desktop which manages authentication to various systems. In an MS-only environment, you might achieve SSO if all of your web apps are on IIS, you use IE and use Integrated Windows Authentication, impersonation and all of that stuff.
You could consider auto-enrolling an authenticated user into your system, unless you require profile-type data to be preconfigured. If you do require pre-configuration of users, you could consider regularly importing (all, or a filtered subset of) users from the LDAP directory and having them in a not-configured state, such that the admins select from an existing list of not-configured users rather than typing in IDs. Otherwise, you risk your admins typing in the wrong user ID and having mismatches.
You could provide an API such that Identity and Access Management solutions (given your Microsoft slant, see ILM2 007 as one example) can integrate with your system and do all of the user account management for you.