Every customer with more than a few staff eventually asks the same question: can our staff log in with the accounts they already have? Supporting LDAP or single sign-on sounds like a small feature until you actually build it, because it touches three separate problems at once: checking who someone is (authentication), setting up their account (provisioning), and deciding what they may do (authorization). Getting any one of these wrong produces either a security hole or a locked-out office on a Monday morning. Here is a clear plan for getting all three right.
LDAP or single sign-on answers only one question: is this really the person they claim to be? It does not answer what they should be allowed to do inside your application. Keep these two ideas apart in your design. Let the directory confirm identity, but keep your own role and permission assignment as a separate, visible step. Never assume a directory group maps directly to a role in your app; hold the mapping in an explicit table that an administrator controls and can review at any time, and treat any group that is not in that table as granting nothing.
Directory servers go down. Network settings get changed by mistake. Certificates expire. If your login process has no plan for the directory being unreachable, one small network problem locks out an entire customer's staff at once, which is exactly the kind of incident that gets discussed when it is time to renew a contract. Decide deliberately whether a local account should still work for at least one emergency administrator; if it should, give that account its own strong credential stored outside the directory, record every use of it, and test the directory-is-down case just as seriously as you test the normal login.
When someone logs in through the directory successfully for the first time, what happens to their account inside your app? Creating the account automatically on first login (just-in-time provisioning) is convenient, but it means anyone with valid directory credentials gets an account immediately. That is fine for some companies and unacceptable for others, who want their own staff to create accounts by hand before a new employee's first day. Make this a setting each customer chooses, not the only behaviour you ship.
Disabling a departing employee's directory account should take effect in your app quickly. But if your system checks identity only at the moment of login and never again during an active session, someone who has already left the company can keep using a session that started before they were removed, until that session expires on its own. For anything sensitive, re-check the session against the directory at a fixed interval and before privileged actions, not only once at login, and end it as soon as the directory reports the account locked, disabled or gone.
When a directory login fails, record enough detail, never the password itself, to tell apart a wrong password, a locked or disabled account, and a directory that could not be reached at all. The support conversation and its urgency are completely different for each of these, and a single generic "login failed" message gives your support team nothing to act on.
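The five points above worked through as one small login service. This is an added example written for this page, not Maybeach Tech's own code: the directory is a constructed in-memory stand-in (FakeDirectory) rather than a real LDAP client, the user names, groups, passwords and the fixed PBKDF2 salt are made up for the demo, and the one real-world detail is how Active Directory reports a failed simple bind, as a "data" sub-status (52e, 533, 775) inside the diagnostic text. It shows the admin-owned group-to-role table, a break-glass local admin that only works while the directory is unreachable, the per-customer just-in-time provisioning switch, periodic re-validation of a live session, and classification of login failures for the audit log without ever storing the password.

```python
# Added example, not the page's own code. FakeDirectory is a constructed in-memory stand-in for an LDAP/AD server.
import hashlib, hmac, re, time
from dataclasses import dataclass, field
from enum import Enum

# Outcomes feed the audit row and the support conversation; the user-facing message stays generic.
Outcome = Enum("Outcome", "OK BREAK_GLASS NOT_PROVISIONED WRONG_PASSWORD ACCOUNT_DISABLED "
                          "ACCOUNT_LOCKED DIRECTORY_UNREACHABLE UNKNOWN")
# Active Directory states why a simple bind failed as a sub-status inside the diagnostic text, e.g.
# "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580".
_AD_SUBSTATUS = {"52e": Outcome.WRONG_PASSWORD, "533": Outcome.ACCOUNT_DISABLED, "775": Outcome.ACCOUNT_LOCKED}

class BindError(Exception): "Bind rejected; the message is the server's diagnostic text."
class DirectoryDown(Exception): "Directory unreachable: DNS, timeout, expired certificate."

@dataclass
class FakeDirectory:
    """Constructed stand-in. entries: user -> {"password", "groups", "status": ok|locked|disabled}."""
    entries: dict
    reachable: bool = True
    def bind(self, user, password):
        if not self.reachable: raise DirectoryDown("connect timeout")
        e = self.entries.get(user)
        code = ("525" if e is None else "775" if e["status"] == "locked" else "533" if e["status"] == "disabled"
                else None if hmac.compare_digest(e["password"].encode(), password.encode()) else "52e")
        if code: raise BindError(f"AcceptSecurityContext error, data {code}, v2580")
        return list(e["groups"])
    def lookup(self, user):  # service-account search used for re-validation; None once the entry is gone
        if not self.reachable: raise DirectoryDown("connect timeout")
        return (self.entries.get(user) or {}).get("status")

def classify(exc):
    """Map a directory failure to a support-actionable outcome; the password is never involved."""
    if isinstance(exc, DirectoryDown):
        return Outcome.DIRECTORY_UNREACHABLE
    m = re.search(r"data ([0-9a-f]+)", str(exc))
    return _AD_SUBSTATUS.get(m.group(1), Outcome.UNKNOWN) if m else Outcome.UNKNOWN

def password_hash(password, salt=b"demo-salt"):
    """Fixed salt only so the demo is reproducible; use a random per-account salt in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Session:
    user: str
    roles: frozenset
    last_verified: float
    revoked: bool = False

@dataclass
class LoginService:
    directory: FakeDirectory
    group_roles: dict        # admin-edited table: directory group -> app role; unmapped groups grant nothing
    jit_provisioning: bool   # per-customer choice: create the app account on first login, or not
    break_glass_user: str    # the one local account that must still work when the directory is down
    break_glass_hash: bytes
    recheck_seconds: int = 600
    users: set = field(default_factory=set)      # accounts that exist in the app itself
    audit: list = field(default_factory=list)
    def login(self, user, password, now=None):
        """Returns (Outcome, Session or None); the outcome is for the audit row, the user sees a generic message."""
        now = time.time() if now is None else now
        try:
            groups = self.directory.bind(user, password)
        except (BindError, DirectoryDown) as exc:
            outcome = classify(exc)
            self.audit.append({"user": user, "outcome": outcome.name, "detail": str(exc)[:120]})
            if (outcome is Outcome.DIRECTORY_UNREACHABLE and user == self.break_glass_user
                    and hmac.compare_digest(password_hash(password), self.break_glass_hash)):
                self.audit.append({"user": user, "outcome": Outcome.BREAK_GLASS.name})
                return Outcome.BREAK_GLASS, Session(user, frozenset({"admin"}), now)
            return outcome, None
        # Identity is confirmed; whether an account exists and what it may do stays the app's own decision.
        if user not in self.users and not self.jit_provisioning:
            self.audit.append({"user": user, "outcome": Outcome.NOT_PROVISIONED.name})
            return Outcome.NOT_PROVISIONED, None
        self.users.add(user)
        roles = frozenset(self.group_roles[g] for g in groups if g in self.group_roles)
        self.audit.append({"user": user, "outcome": Outcome.OK.name, "roles": sorted(roles)})
        return Outcome.OK, Session(user, roles, now)
    def check_session(self, s, now):
        """Re-validate an active session against the directory once recheck_seconds have passed."""
        if not s.revoked and now - s.last_verified >= self.recheck_seconds:
            try:
                status = self.directory.lookup(s.user)
            except DirectoryDown:
                return True  # keep the session; last_verified is not advanced, so the next call retries
            if status == "ok":
                s.last_verified = now
            else:  # locked, disabled or deleted in the directory: end the session now, not at expiry
                s.revoked = True
                self.audit.append({"user": s.user, "outcome": "SESSION_REVOKED", "status": status})
        return not s.revoked

def demo_service():  # constructed sample customer: two directory users, an explicit group table, JIT on
    directory = FakeDirectory({"alice": {"password": "correct horse", "groups": ["Finance", "Staff"], "status": "ok"},
                               "bob": {"password": "hunter2", "groups": ["Staff"], "status": "locked"}})
    return LoginService(directory, {"Finance": "ledger_editor", "Staff": "viewer"}, jit_provisioning=True,
                        break_glass_user="emergency", break_glass_hash=password_hash("cold-spare-key"))
```

Two design choices are deliberate and worth copying. The break-glass path is only reachable when the directory itself is unreachable, so it cannot be used to bypass a locked or disabled directory account, and every use of it lands in the audit list. When the periodic re-check cannot reach the directory, the session is kept but last_verified is not advanced, so the check simply retries on the next request instead of either logging everyone out during a blip or silently extending the grace period.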
Follow these five steps in order, and a feature that sounds simple on a sales call will hold up on the first busy Monday morning after launch.
Maybeach Tech connects business applications to company directories without turning Monday morning logins into a recurring risk. Get in touch and tell us about your setup.