Death to LDAP and SAML – Passport Lives!

Kelly Strain

Death to LDAP and SAML - Introducing Passport

Gone are the days of LDAP, SAML and their clunky backends. Passport trumps these old-school technologies and revolutionizes the way you register, log in and manage your users. Let’s take a closer look at LDAP and SAML to see how Passport improves on these dated technologies:

LDAP

LDAP stands for Lightweight Directory Access Protocol, yet it is far from lightweight. LDAP fronts a hierarchical directory database that is quite complicated. LDAP was specifically designed for larger businesses, hence its corporate nature, directory structure and use of concepts like organizational units, domain names, groups, common names and distinguished names. The directory works fairly well for managing logins to corporate networks, company computers and servers. However, when you try to use it for end-user management it quickly becomes overly complex and costly.

Inversoft decided that simplicity was the better policy. Rather than using organizations, domains, units and groups like LDAP, Passport thinks about users the way the world thinks about users – by first name, last name, email and a set of simple roles. For example, a user in Passport might be identified like this: “Jane Doe has the email janedoe@example.com and she has the roles user and community_member in our forum”.

Brian Pontarelli, CEO at Inversoft, uses this analogy: “You can think of the difference between LDAP and Passport similar to the difference between a dial-up BBS and Yahoo.com. Dial-up BBSes were great in the 80s, but the industry has moved forward and so has the technology.” Passport provides a modern, intuitive approach to user management that the technology industry was lacking.

SAML

SAML stands for Security Assertion Markup Language. It is the messaging language that two systems use to exchange authentication and authorization data. Unfortunately, it falls short in three main areas:

1. XML

SAML is XML based, which is heavy, bloated and hard to read (even for the most experienced developers). SAML lacks the ability to answer the most basic questions of authorization. XML signing and message-level encryption lead to lengthy responses and clunky parsing code.

Here is an example of a SAML AuthnRequest sent:

Here is the lengthy SAML response:

Passport solves this decoding nightmare by using a custom API, JSON and OAuth, which can register, log in and authorize users with ease. Passport’s intuitive API goes above and beyond basic authentication and authorization questions. It stores preferred language, offers discipline and reward options, provides real-time reports and adds user moderation with CleanSpeak integration.

Here is an example of a JSON response with Passport:

2. Security

SAML requires two levels of encryption and signing, one at the application layer and one at the transport layer (i.e. SSL on the wire plus XML signing and encryption of the message). This adds additional overhead and complexity, but little in the way of additional security.

On the other hand, Passport leverages OAuth, which only requires encryption at the transport level. Additionally, the Passport API can be secured via HTTPS and it is always locked via a customizable API key strategy. Passport also adds security features for users, including two-factor authentication and password strength validation. These security features minimize user risk, maximize security and prevent hacking incidents.

3. Mobile

SAML was first published in 2005. With the recent trend towards cloud computing, there has been an undeniable shift to mobile. SAML did not anticipate this change, so using SAML with mobile clients requires a complex process.

In contrast, OAuth (Passport’s built-in open authorization standard) was created in 2010 and has taken into account the changes seen in the technology industry. OAuth covers most current needs and has become the simple, effective standard for mobile applications.

Passport

Take Away: With Passport, developers no longer need to wade through massive SAML responses and read through complex LDAP data. By decreasing the development time required to implement user management features like registration, login and single sign-on, Passport saves your company time and money. Passport presents a quick and simple way to set up and integrate a user management system on any device in days – not months.


To learn more about Passport, visit https://www.inversoft.com/products/user-management-sso.

SAML Code provided by Feide RnD