NMAS SAML eDir bind vs LDAP Proxy bind in IDM Dash performance
IDMProv post 4.01 or 4.02 started supporting SSO to User App by using the eDir NMAS SAML method, where UA forms a SAML trust with eDir. Since the login to UA is possibly SAML (an unrelated SAML) or Kerberos or something else that does not carry a password with it, UA cannot log in to eDir as the user with a password. Instead, since UA trusts the user (Kerb/SAML/name-password), it asserts to eDir that the user is trusted.
eDir trusts UA and lets the user connect and query eDir for PRD forms or requests and use their eDir permissions. A very clever model.
In IDMDash, I guess since IDM 4.5 or 4.6, this step was replaced in part with the LDAP Proxy bind control to eDir. (You can LDAP bind to eDir as cn=admin,o=acme, but using the Proxy control specify that you wish to view the directory as cn=JoeShmoe,ou=users,o=acme.) This too is super clever.
I think LDAP Proxy Bind support was added in eDir 9.something. (Anyone know offhand? 9.0? 9.1? 9.2? I suspect 9.0 but would like to be certain).
What I am curious about is, how does performance compare?
Say you bind to eDir via NMAS SAML and query 100,000 roles, checking Effective Permissions to see which Roles your bind user has permission to Grant. How does that performance compare to the LDAP Proxy bind for the same?
(IDMProv still seems to use NMAS SAML for the PRD rendering/queries and whatnot. idmdash/idmadmin seem to use the LDAP Proxy Bind when you request access to a permission (Role/Resource/PRD).)