Active Directory authentication for SaaS product

礼貌的吻别 2020-12-30 02:19

After some theoretical help on the best approach for allowing a SaaS product to authenticate users against a tenant's internal Active Directory (or other LDAP) server.

5 answers
  •  暗喜 (original poster)
    2020-12-30 02:41

    My understanding is that there are three possible solutions:

    1. Installing something on the domain controller to capture all user changes (additions, deletions, password changes) and send updates to the remote server. Unfortunately there's no way for the website to know the initial user passwords - only new ones once they are changed.

    2. Provide access for the web server to connect to your domain controller via LDAP/WIF/ADFS. This would probably mean opening incoming ports in the company's firewall to allow a specific IP.

    3. Otherwise, bypass usernames/passwords and use email-based authentication instead. Users would just have to authenticate via email once every 3-6 months for each device.

    I have to begin implementing this for an upcoming project and I'm seriously leaning towards option #3 for simplicity.
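
Option 3 from the answer above, as an added example that is not code from the thread: a single-use emailed link is exchanged for a signed token bound to one device and valid for about three months. The function names, the 15-minute link lifetime, the in-memory store and the `|`-separated token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing secret
LINK_TTL = 15 * 60                    # assumption: emailed link valid for 15 minutes
DEVICE_TTL = 90 * 24 * 3600           # about 3 months per device, as in the answer
_pending = {}                         # sha256(link token) -> (email, expiry); demo store

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_login_link(email, now=None):
    """Create the single-use token that goes into the emailed URL."""
    now = time.time() if now is None else now
    if "|" in email:
        raise ValueError("'|' is the token field separator")
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = (email.lower(), now + LINK_TTL)  # store only the hash
    return token

def redeem_login_link(token, device_id, now=None):
    """Consume an emailed token; return a signed per-device token or None."""
    now = time.time() if now is None else now
    if "|" in device_id:
        raise ValueError("'|' is the token field separator")
    entry = _pending.pop(_digest(token), None)  # pop makes the link single-use
    if entry is None or now > entry[1]:
        return None
    payload = f"{entry[0]}|{device_id}|{int(now) + DEVICE_TTL}"
    return f"{payload}|{_sign(payload)}"

def verify_device_token(token, device_id, now=None):
    """Return the email if the token is authentic, unexpired and bound to this device."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition("|")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    email, bound_device, expiry = payload.split("|")
    if bound_device != device_id or now > int(expiry):
        return None
    return email
```

Because the device token carries its own expiry and device binding under an HMAC, the server can verify it without a lookup; revoking a device before expiry would need an additional deny list.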
