Single Sign-On: The Difference Between ADFS vs. LDAP
Flown anywhere lately? When you hand over your boarding pass and ID, the airline checks your name and passport number against their database so they know you’re authorized to board the plane. Now, imagine for a minute that they couldn’t access a complete directory of the passengers who bought tickets. Without that data, checking personal details would be useless, because they would have nothing to compare to. The system simply wouldn’t work.
The same thing goes for Single Sign-On (SSO). If you can’t access complete user data stored in a secure, organized way, you can’t compare that data to what a user is submitting for authentication, and you can’t verify their identity and grant access. A solid directory service is a critical prerequisite for SSO. There are two main access protocols you may be aware of: Active Directory Federation Services (ADFS) and Lightweight Directory Access Protocol (LDAP). Let’s take a closer look at how they work, and the differences between the two.
Active Directory Federation Services (ADFS)
Microsoft developed ADFS to extend enterprise identity beyond the firewall. It provides single sign-on access to servers that are off-premises. ADFS uses a claims-based access-control authorization model. This process involves authenticating users via cookies and Security Assertion Markup Language (SAML).
That means ADFS is a type of Security Token Service, or STS. You can configure the STS with trust relationships that also accept OpenID accounts. This lets companies bypass setting up separate registration and user credentials when adding new users—they can just use the existing OpenID credentials.
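The claims-based model described above means the application never sees a password: it receives a signed SAML assertion from the federation service and reads the user's identity and attributes (the claims) out of it. The following Python is an added example, not Microsoft's or Okta's code, showing the checks a relying party performs on an assertion after the SAML library has verified its XML signature: trusted issuer, validity window, intended audience, and finally claim extraction. The issuer, audience, NameID, times and attribute values are constructed; the two claim-type URIs are standard ADFS claim types.

```python
"""Relying-party checks on a SAML 2.0 assertion issued by a federation service.

Added example, not Microsoft's or Okta's code. It assumes the XML signature on the
assertion has ALREADY been verified by the SAML library in use; the checks here are
the ones that come after signature validation. Issuer, audience, NameID and
attribute values are constructed; the claim-type URIs are standard ADFS claim types.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed configuration of the relying party (the application being signed into).
TRUSTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
EXPECTED_AUDIENCE = "https://app.example.test/saml"
VALID_TIME = datetime(2024, 1, 15, 10, 1, 0, tzinfo=timezone.utc)
EXPIRED_TIME = datetime(2024, 1, 15, 10, 5, 0, tzinfo=timezone.utc)  # equals NotOnOrAfter

# Constructed sample assertion (signature element omitted; see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    if value is None:
        raise ValueError("Conditions element is missing a time bound")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_claims(assertion_xml, now, issuer=TRUSTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return the claims of an assertion that passes issuer, time and audience checks.

    Raises ValueError naming the first failed check, so a caller never gets a
    partially validated claim set.
    """
    root = ET.fromstring(assertion_xml)

    # 1. The assertion must come from the federation service we federate with.
    actual_issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if actual_issuer != issuer:
        raise ValueError(f"untrusted issuer: {actual_issuer!r}")

    # 2. It must be presented inside its validity window (NotBefore <= now < NotOnOrAfter).
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = _parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    # 3. It must have been issued for this application, not replayed from another one.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError(f"assertion not intended for audience {audience!r}")

    # 4. Only now read the claims: the subject identifier plus every attribute.
    claims = {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return claims


def is_accepted(assertion_xml, now, **kwargs):
    """True when every relying-party check passes, False otherwise."""
    try:
        extract_claims(assertion_xml, now, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, values in extract_claims(SAMPLE_ASSERTION, VALID_TIME).items():
        print(f"{name}: {values}")
    print("accepted at NotOnOrAfter:", is_accepted(SAMPLE_ASSERTION, EXPIRED_TIME))
```

The order of the checks is deliberate: issuer and audience restrict which token service and which application the assertion binds together, and the time window limits how long a captured assertion stays usable. An application that skips the audience check will accept assertions the federation service issued for a different application.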
ADFS is a valuable tool, but it does have a few drawbacks:
- It’s cumbersome to use when integrating with cloud or non-Microsoft mobile applications
- It requires IT resources to install, configure, and maintain
- It’s difficult to scale and requires tedious application installations
Although it’s technically a free offering from Microsoft, using ADFS can carry hidden costs under the hood, such as the IT effort required to maintain it.
Lightweight Directory Access Protocol (LDAP)
LDAP is a lightweight subset of the X.500 Directory Access Protocol, and has been around since the early 1990s. It was developed by the University of Michigan as a software protocol to authenticate users on an AD network, and it enables anyone to locate resources on the Internet or on a corporate intranet. LDAP single sign-on also lets system admins set permissions to control access to the LDAP database. That way, you can be certain that data stays private.
Whereas ADFS is focused on Windows environments, LDAP is more flexible. It can accommodate other types of computing, including Linux/Unix.
LDAP is ideal for situations where you need to access data frequently but only add or modify it now and then. That means it works especially well with passwords: it can deal with password expiration, password quality validation, and account lockout after a user has too many failed attempts. An LDAP agent can authenticate users in real-time—it compares the data presented to what’s stored in the LDAP database instantly, so no sensitive user data needs to be stored in the cloud.
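The paragraph above names three password behaviours a directory enforces at bind time: expiration, quality validation, and lockout after too many failures, all evaluated against what the directory already stores rather than against data copied elsewhere. The Python below is an added example, not Okta's or any directory server's code, that simulates a simple bind against one directory entry carrying password-policy state. The attribute names (userPassword, pwdChangedTime, pwdFailureTime) and the {SSHA} storage scheme follow OpenLDAP and the LDAP password-policy draft; the entry, the policy values and the fixed clock are constructed, and the lockout rule is a simplified reading of the draft (failures are counted only within pwdFailureCountInterval).

```python
"""Simulate an LDAP simple bind against an entry that carries password-policy state.

Added example, not Okta's or any directory server's code. Attribute names and the
{SSHA} scheme follow OpenLDAP and the LDAP password-policy draft; the entry, policy
values and fixed clock are constructed so the run is reproducible offline.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Fixed "current time" (constructed) so every run gives the same answers.
NOW = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

# Constructed policy; keys mirror the draft's attribute names, durations in seconds.
POLICY = {
    "pwdMaxAge": 90 * 86400,         # password must be changed every 90 days
    "pwdMaxFailure": 5,              # lock after 5 failed binds ...
    "pwdFailureCountInterval": 900,  # ... counting only failures from the last 15 minutes
    "pwdMinLength": 12,
}


def to_generalized_time(dt):
    """LDAP stores timestamps as GeneralizedTime, e.g. 20240115100000Z."""
    return dt.strftime("%Y%m%d%H%M%SZ")


def from_generalized_time(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute the salted digest from the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_quality(new_password):
    """Quality validation applied when a password is set or changed."""
    if len(new_password) < POLICY["pwdMinLength"]:
        return False, f"shorter than pwdMinLength={POLICY['pwdMinLength']}"
    return True, "ok"


def make_entry(password, days_since_change):
    """Build a constructed directory entry whose password was set N days ago."""
    changed = NOW - timedelta(days=days_since_change)
    return {
        "dn": "uid=alice,ou=people,dc=example,dc=test",
        "userPassword": ssha_hash(password),
        "pwdChangedTime": to_generalized_time(changed),
        "pwdFailureTime": [],
    }


def authenticate(entry, presented_password, now=NOW):
    """Evaluate a simple bind: lockout state first, then the credential, then expiry.

    Returns (success, reason) and updates the entry the way a server updates its
    operational attributes: failures are recorded, and cleared on a successful bind.
    """
    window = timedelta(seconds=POLICY["pwdFailureCountInterval"])
    recent_failures = [t for t in entry["pwdFailureTime"]
                       if now - from_generalized_time(t) < window]
    if len(recent_failures) >= POLICY["pwdMaxFailure"]:
        return False, "account locked: too many failed attempts"
    if not ssha_verify(presented_password, entry["userPassword"]):
        entry["pwdFailureTime"] = recent_failures + [to_generalized_time(now)]
        return False, "invalid credentials"
    age = now - from_generalized_time(entry["pwdChangedTime"])
    if age > timedelta(seconds=POLICY["pwdMaxAge"]):
        return False, "password expired"
    entry["pwdFailureTime"] = []
    return True, "bind succeeded"


def run_scenarios():
    """Exercise the three policy behaviours the text names; return what each bind reported."""
    good = make_entry("correct-horse-battery", days_since_change=10)
    ok, _ = authenticate(good, "correct-horse-battery")

    locked = make_entry("correct-horse-battery", days_since_change=10)
    for _ in range(POLICY["pwdMaxFailure"]):
        authenticate(locked, "wrong-guess")
    _, lock_reason = authenticate(locked, "correct-horse-battery")  # right password, still refused

    stale = make_entry("correct-horse-battery", days_since_change=100)
    _, expiry_reason = authenticate(stale, "correct-horse-battery")

    return {"valid": ok, "locked": lock_reason, "expired": expiry_reason,
            "quality": check_quality("short")[1]}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two details matter for a defender reading the output: the lockout check runs before the credential comparison, so a correct password presented to a locked account is still refused and the directory does not leak whether the guess was right; and the comparison uses a constant-time digest check, so timing does not reveal how much of a candidate hash matched.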
These are just a few of the reasons why LDAP is our preference. Okta's LDAP Single Sign-On solution makes it easier to handle authentication for your users, providing efficient and secure authentication linked to the policies and user status in Active Directory.