Others management protocols
With this LDAP approach everything is centralized (except authorization).
Everything speaks the LDAP protocol langage. Identities are stored in an LDAP directory, which is provisioned via LDAP protocol. Authentication is done by the application that asks the user’s credentials and validates them against the directory via LDAP protocol.
This architecture tackles the two main drawbacks of the only LDAP approach : the missing single sign-on and the security vulnerability. Authentication is delegated to other web protocols (like OAuth, OIDC or SAML). This way, the user logs in only once to the identity provider.
On modern web infrastructure, LDAP started to be abandoned because loose provisioning can also be done via SSO protocols.
SCIM solve the remaining problems via a simple standard web api. This infrastructure is event driven, a provisioning action on the IdP is quickly passed on all applications.
| LDAP | LDAP & SSO | SSO | SSO & SCIM | |
|---|---|---|---|---|
| Easy to implement |
Mature but old and difficult |
Mature but old and difficult |
Simple and web native, but non-standard IdP |
Cli or UI could be used on IdP or on apps |
| Many implementations |
Not a lot of implementations yet |
|||
| Single sign-on |
User must sign-on each application |
|||
| No trust issues |
Expose user’s credentials to each application |
??????? |
Zero trust in applications |
Zero trust in applications |
| Scalable provisioning |
By diffing, each app reads all and compares it |
By diffing, each app reads all and compares it |
No diffing, modern storage, SQL database can be used |
Real time atomic provisioning |
| Scalable provisioning |
Only when apps trigger it or when the user logs in |
Only when apps trigger it or when the user logs in |
No way to remove a user from the application |
|
| GDPR Compliant |