NMAS SAML eDir bind vs LDAP Proxy bind in IDM Dash performance

IDMProv, post 4.01 or 4.02, started supporting SSO to the user app by using the eDir NMAS SAML method, where UA forms a SAML trust with eDir. Since the login to UA is possibly SAML (unrelated SAML) or Kerb or something that does not carry a password with it, UA cannot log in to eDir with the user's name and password. Instead, since UA trusts the user (Kerb/SAML/name-password), it asserts to eDir that the user is trusted.

eDir trusts UA and lets the user connect and query eDir for PRD forms or requests and use their eDir permissions.  A very clever model.

In IDMDash, I guess since IDM 4.5 or 4.6, this step was replaced in parts with the LDAP Proxy bind control to eDir. (You can LDAP bind to eDir as cn=admin,o=acme, but using the Proxy control specify that I wish to view the directory as cn=JoeShmoe,ou=users,o=acme.) This too is super clever.

I think LDAP Proxy Bind support was added in eDir 9.something. (Anyone know offhand?  9.0? 9.1? 9.2?  I suspect 9.0 but would like to be certain).

What I am curious about is how the performance compares.

Say you bind to eDir via NMAS SAML and query 100,000 roles, checking Effective Permissions to see which Roles your bind user has permission to Grant. How does that performance compare to the LDAP Proxy bind for the same?

(IDMProv still seems to use the NMAS SAML for the PRD rendering/queries and whatnot. idmdash/idmadmin seems to use LDAP Proxy Bind for when you request a permission (Role/Resource/PRD) access.)
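As an added illustration (not part of the original post or of any Micro Focus code), the "Proxy bind control" described above is the LDAP proxied authorization request control of RFC 4370: the client binds as an admin DN and attaches the control to each operation so the server evaluates rights as the named authzId. The block below encodes and decodes that control by hand; the DNs are the poster's example values, and the OID is the one RFC 4370 assigns.

```python
# Added example: build and parse the RFC 4370 proxied authorization control.
# Assumed values: the admin and user DNs are the poster's examples.

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 control OID

def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload

def build_proxy_authz_control(authz_dn: str) -> bytes:
    """Encode Control { controlType, criticality TRUE, controlValue }.
    RFC 4370: the value is the raw authzId string (no inner BER wrapper) and
    criticality MUST be TRUE, so a server that lacks the control rejects the
    operation instead of silently running it with the admin's own rights."""
    authz_id = ("dn:" + authz_dn).encode()
    body = (_tlv(0x04, PROXIED_AUTHZ_OID.encode())  # LDAPOID is an OCTET STRING
            + _tlv(0x01, b"\xff")                   # BOOLEAN TRUE
            + _tlv(0x04, authz_id))                 # controlValue
    return _tlv(0x30, body)                         # SEQUENCE

def _read_tlv(buf: bytes, pos: int):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_proxy_authz_control(control: bytes) -> dict:
    """Server-side view: decode the control and enforce the RFC 4370 rules."""
    tag, body, _ = _read_tlv(control, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = _read_tlv(body, 0)
    _, crit, pos = _read_tlv(body, pos)
    _, value, _ = _read_tlv(body, pos)
    if oid.decode() != PROXIED_AUTHZ_OID or crit != b"\xff":
        raise ValueError("not a critical proxied-authorization control")
    return {"oid": oid.decode(), "critical": True, "authz_id": value.decode()}

if __name__ == "__main__":
    ctl = build_proxy_authz_control("cn=JoeShmoe,ou=users,o=acme")
    print(ctl.hex())
    print(parse_proxy_authz_control(ctl))
```

In practice the bind is done as cn=admin,o=acme and this control rides on each search, which is why eDir must log the authzId as well as the bind DN if you want to attribute the proxied queries to the real user.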
