- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
With a distributed and ever-expanding infrastructure across servers and data centers, administrators struggle to manage separate user stores for access to each database, SaaS app, or other resource. To simplify identity management and access provisioning, you might choose to integrate Active Directory (AD) with your databases and applications using their native APIs, connectors, or toolkits.
As the number of integration points increases (e.g. Oracle, Snowflake, PostgreSQL, etc.), so does the manual effort required to secure access. This problem won’t disappear anytime soon. For global cloud databases alone, research forecasts the market doubling from $12 billion in 2020 to $24 billion by 2025. As your technology stack continues to grow, you’ll need a way to simplify your Active Directory integration and take full control of provisioning access, including onboarding, off-boarding, and auditing changes to user credentials and resource permissions.
Before delving into the “how,” let’s take a step back and understand the significance of Active Directory in your infrastructure.
Active Directory and Its Role in the Infrastructure
Originally released in 1999, Active Directory (AD) is a widely used Windows directory service implementation that contains information about objects such as users, computers, printers, files, and folders in an organization’s network. Active Directory’s domain controllers handle authentication requests and authorize access to network resources through access control lists.
Since its release, Microsoft has extended Active Directory into a collection of services that enable identity management, including DomainServices, Certificate Services, Rights Management Services, and Lightweight Directory Services. Active Directory is the umbrella term used to refer to all these services. To address the challenge of authenticating users to out-of-network resources, Microsoft also created Active Directory Federation Services (ADFS) to enable single sign-on (SSO) via a claims-based authentication mechanism. When a user accesses external resources, the ADFS server authenticates user requests against the AD server and then passes on a token to the external resource to validate the sign-on request.
Today, 29% of organizations use ADFS. Of those companies, 21% are small (<50 employees), 47% are medium-sized, and 33% large (>1000 employees). As organizations expand their infrastructure, Active Directory has become crucial for authentication against other databases and servers.
Lightweight Directory Access Protocol (LDAP) and Active Directory (AD)
LDAP is an open-source, cross-platform protocol used to manage and access directory services. It is a subset of the standards contained in the X.500 directory access protocol. LDAP defines structures, formats, and rules that govern the communication of client applications with directory services, as well as the structure of client requests, server responses, and data formats.
Admins can use LDAP to search for a user in a directory, add, delete, and modify objects of a directory, authenticate users to access resources in a network, and more. Directory services such as Active Directory, OpenLDAP, and IBM Directory Server all support LDAP.
Since it can support multiple platforms and operating systems, LDAP is an important piece of an expanding infrastructure. If your client implements LDAP — whether it's a Windows desktop, a Linux machine, a SaaS app, or a database application — it doesn't matter which directory service is on the other end of the LDAP server. LDAP enables organizations to tap into the vast database of users, devices, and resources stored in Active Directory.
Learn more about the difference between LDAP and Active Directory (AD).
Single sign-on (SSO) and Active Directory
In a single day, users need to access multiple cloud-based and on-premise applications. Single sign-on (SSO) solutions allow users to login to multiple applications with just one set of credentials, eliminating the hassle and risk of managing different combinations of usernames and passwords. To enable single sign-on with Active Directory, you’ll need to use ADFS or a third-party tool. However, expect some challenges regardless of the path you choose.
- Though a free solution, Active Directory Federation Services takes a considerable amount of effort and investment to manage and administer. Organizations often face hidden costs setting up the infrastructure — for instance, obtaining a Windows Server license and configuring servers to host the ADFS services. Additionally, you need to develop customizations to make it function as a complete SSO solution. For instance, you need to generate claims for each application or database that you aim to integrate with AD and maintain the single sign-on connections.
- Many databases provide their own integration tools and APIs to facilitate integration with AD. For example, Oracle provides configuration tools such as Oracle Net Configuration Assistant and Database Configuration Assistant to enable Windows users, who have been authenticated using AD, to directly access the Oracle database without having to re-enter their login credentials.
- But most of these tools only allow a one-to-one integration between that particular database and AD. This means admins need to repeat the process for each additional resource.
Implementation of single sign-on in Active Directory brings a certain level of complexity. A third-party solution can simplify the process by federating Active Directory’s access to multiple SaaS applications and databases residing in the cloud.
Integrate Active Directory with any database or SSO
If you plan to configure resources in a distributed infrastructure to authenticate against Active Directory, you know the repetitive and manual work it will require. A proxy-based control plane can help you eliminate complicated configuration. StrongDM integrates with Active Directory, or any other directory service or single sign-on provider, to authenticate users and securely route traffic to any destination resource, regardless of where it’s hosted.
From a single control plane, admins can onboard or off-board users, assign and modify role-based access, and audit all user activities.
Decrease manual effort and streamline the provisioning process with StrongDM. Try today with a free, 14 day trial.
About the Author
Justin McCarthy, Co-founder / CTO, originally developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an Executive, he has led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products. Justin is the original author of strongDM's core protocol-aware proxy technology. To contact Justin, visit him on Twitter.