Supporting Single Sign-On with Active Directory

We have a SaaS app written on .NET and we need to offer various methods of SSO to our customers.

A while ago we standardized on OpenID, hoping that this would become a universal standard and liberate us from having to support different standards. Unfortunately, enterprises never quite got on board with OpenID and we are always asked to support Active Directory. (Our app just needs basic authentication, not fine-grained authorization to use different objects/permissions/etc.)

We're hoping to avoid a lot of extra development -- if we want to offer easy integration to the greatest number of Windows A.D. users, which should we support -- LDAP or SAML? And if SAML, 1.x or 2.x?

Yoh Suzuki asked Dec 10 '25 14:12



1 Answer

Huge difference between LDAP and SAML support for SSO. I would imagine almost every enterprise customer you have will not like you opening up a firewall port directly to their AD/LDAP store containing all their user data. More likely they will have some kind of SAML-based solution in place that provides a MUCH more secure SSO solution. Companies are also starting to push back on employees entering corporate user creds into login forms not hosted by the company (helps reduce phishing).

Since you are already a SaaS, why not use a service that gives your application SAML support so you don't have to? Check out PingConnect for SaaS Providers. [Note: I work for Ping] Nothing to install, just some minor code changes to the auth logic in your application. If you really want an on-premise SAML solution, there are 150+ SaaS Providers using our PingFederate software to provide SAML 1.0/1.1/2.0/WS-Fed protocol support to their customers.

HTH - Ian

Ian answered Dec 12 '25 17:12

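As an added example (not code from the question, the answer, or Ping's products), this is the shape of the "minor code changes to the auth logic" on the SaaS side once SAML is in place: the SP never sees a password or talks to the customer's directory, it only checks a signed assertion. The sample response, IdP/SP URLs and request id are constructed placeholders; XML-DSig signature verification is assumed to have been done first with a dedicated library, and only the logical checks are shown here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; the empty ds:Signature stands in for a real XML-DSig block.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-12-10T14:00:00Z" NotOnOrAfter="2025-12-10T14:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.test/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_issuer, expected_audience, pending_request_ids,
                   now, skew=timedelta(minutes=2)):
    """Return (True, NameID) or (False, reason). Assumes XML-DSig was already verified."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    if assertion.find("ds:Signature", NS) is None:
        return False, "unsigned assertion"          # never accept an unsigned assertion
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    if cond.get("NotBefore") and now + skew < parse_ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if cond.get("NotOnOrAfter") and now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"           # issued for some other SP
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:
        return False, "unsolicited or replayed response"
    pending_request_ids.discard(req_id)             # request id is single-use
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```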

