How OneLogin is bridging cloud and on-premise directories

March 10th, 2017 / smarter identity, product and technology

Many of our customers use OneLogin as a standalone cloud directory, and it meets their needs perfectly: simple configuration, fast deployment, and all of their apps and data in the cloud. Some of our customers, however, prefer to keep their existing user stores, such as Microsoft Active Directory, LDAP, or both, and use OneLogin to simplify management of their user identities and make them more easily accessible.

A directory connector, also called an identity bridge, syncs user identity information between directories and cloud services. In the case of legacy directories such as OpenLDAP or Active Directory, it is typically a software component which runs on-premise but connects to a cloud directory. For many enterprises, a directory connector is a key component of their hybrid architecture, enabling them to move to cloud without ripping out essential legacy systems.

OneLogin offers a variety of directory connectors to synchronize users with any number of directories, such as Active Directory, LDAP, Workday, or G Suite (formerly Google Apps). Administrators can use OneLogin to import custom user attributes and pass them on to downstream apps via SAML, SCIM, or API-based provisioning.

We recently updated our LDAP Directory Connector (LDC), a complete rewrite that improves performance, scales to over a million users, and works reliably with virtually any standard LDAPv3 schema — even extended schemas. It’s a snap to install, configure, and tune. And it provides near feature parity with the Active Directory Connector, bringing support for OneLogin-to-LDAP provisioning, password resets, and user authentication.

In addition, we have recently updated our Active Directory Connector (ADC). Our latest major revision of the OneLogin Active Directory Connector performs better than ever, and it is easier to use behind firewalls and HTTP proxies. Version 5 of the ADC keeps everything from v4 and adds improved multiplexing, new runtime libraries, web sockets over ports 80 and 443 (so no inbound firewall rules are needed), and HTTP proxy support with Windows domain authentication. This version requires Windows Server 2012 or later and .NET 4.5. If you are not yet familiar with the ADC, also look at Desktop SSO, which lets users sign in to OneLogin through Integrated Windows Authentication (IWA) instead of being prompted for a OneLogin username and password.

Both our Active Directory and LDAP Directory connectors are bi-directional. The Active Directory Connector also offers real-time sync through Active Directory Change Notifications: user creates, updates, deletes, and suspends are pushed from AD to OneLogin and on to connected apps within seconds. This gives IT an immediate kill switch when employees leave, since disabling the account in AD revokes access in OneLogin and downstream apps almost at once rather than at the next scheduled sync, sharply narrowing the window in which a departed employee's credentials remain usable. And when you are onboarding many new employees at once, think seasonal workers, students, or an acquired company, real-time sync speeds up the process.
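To make the create/update/suspend/delete flow concrete, here is an added example of the kind of transform a directory connector performs between two snapshots of an AD OU, emitting SCIM 2.0 operations and treating a disabled account (the ACCOUNTDISABLE bit in userAccountControl) as a suspend rather than an ordinary attribute update. This is illustrative code written for this page, not OneLogin's connector; the AD entries, GUIDs, and domain are constructed, and it assumes entries arrive as attribute-to-value dicts with objectGUID as the stable external id.

```python
"""Added example (not OneLogin's code): turn two snapshots of Active Directory
entries into SCIM 2.0 provisioning operations, distinguishing a suspend
(account disabled in AD) from a plain attribute update.

Assumptions: AD entries are dicts of attribute -> value as an LDAP client would
return them; objectGUID is the stable external id. Sample data is constructed."""
from __future__ import annotations

# Microsoft-documented userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def is_disabled(entry: dict) -> bool:
    """An AD account is disabled when ACCOUNTDISABLE is set in
    userAccountControl; a connector maps that to SCIM active=false."""
    uac = int(entry.get("userAccountControl", 0))
    return bool(uac & UF_ACCOUNTDISABLE)


def ad_to_scim(entry: dict) -> dict:
    """Map the subset of AD attributes a typical connector syncs into a
    SCIM 2.0 User resource."""
    emails = [{"value": entry["mail"], "primary": True}] if entry.get("mail") else []
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entry["objectGUID"],
        "userName": entry["userPrincipalName"],
        "name": {"givenName": entry.get("givenName", ""),
                 "familyName": entry.get("sn", "")},
        "emails": emails,
        "active": not is_disabled(entry),
    }


def plan_sync(previous: dict[str, dict], current: dict[str, dict]) -> list[tuple]:
    """Diff two snapshots keyed by objectGUID and emit the operations a
    connector would push: ("create", guid, user), ("suspend", guid, user),
    ("update", guid, user), ("delete", guid, None). A suspend is kept separate
    from an update because it must deprovision access, not just patch fields."""
    ops = []
    for guid, entry in current.items():
        user = ad_to_scim(entry)
        if guid not in previous:
            ops.append(("create", guid, user))
            continue
        old = ad_to_scim(previous[guid])
        if old["active"] and not user["active"]:
            ops.append(("suspend", guid, user))
        elif old != user:
            ops.append(("update", guid, user))
    for guid in previous:
        if guid not in current:
            ops.append(("delete", guid, None))
    return ops


# Constructed sample: the same OU before and after an offboarding and a hire.
BEFORE = {
    "guid-alice": {"objectGUID": "guid-alice", "userPrincipalName": "alice@corp.example",
                   "givenName": "Alice", "sn": "Adams", "mail": "alice@corp.example",
                   "userAccountControl": UF_NORMAL_ACCOUNT},
    "guid-bob": {"objectGUID": "guid-bob", "userPrincipalName": "bob@corp.example",
                 "givenName": "Bob", "sn": "Brown", "mail": "bob@corp.example",
                 "userAccountControl": UF_NORMAL_ACCOUNT},
}
AFTER = {
    # Alice was disabled in AD: the connector must push a suspend.
    "guid-alice": dict(BEFORE["guid-alice"],
                       userAccountControl=UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
    # Bob's surname changed: an ordinary attribute update.
    "guid-bob": dict(BEFORE["guid-bob"], sn="Browne"),
    # Carol is new: create.
    "guid-carol": {"objectGUID": "guid-carol", "userPrincipalName": "carol@corp.example",
                   "givenName": "Carol", "sn": "Clark", "mail": "carol@corp.example",
                   "userAccountControl": UF_NORMAL_ACCOUNT},
}

if __name__ == "__main__":
    for op, guid, user in plan_sync(BEFORE, AFTER):
        print(op, guid, None if user is None else user["active"])
```

The point of the separate suspend operation is the kill switch: a connector that only diffed attributes would treat a disabled account as one more update, and a downstream app that ignores the `active` field would keep the user enabled. Checking the flag bit explicitly, and ordering suspends ahead of cosmetic updates if you extend this, is what makes the near-real-time push meaningful.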

Be sure to also check out our integrations with other directories such as G Suite, Workday, Namely, and UltiPro. Whichever user store you use, we've got your back.

About the Author

Jonathan Bennun is a Product Management leader with over 15 years of experience in various roles in the tech industry, including software engineering, consulting and product management. Now at OneLogin, he leads the Devices and Authentication teams. His primary mission is to deliver new, innovative services and to improve the customer user experience on web and mobile.
