Our office has switched almost entirely from Windows to Mac OS X, and our local server is due for replacement. We use Active Directory basically just for user authentication. We're considering replacing the current Windows Server with a Mac Mini running OS X Server. I don't yet know much about Open Directory, but is it possible for it to proxy authentication requests against a SAML v2 Identity Provider? I ask because we do quite a bit of work in a management system that is capable of acting as a SAML 2 IdP and we have set up Google Apps to authenticate against it. It would be extremely helpful to be able to authenticate local network resources against it as well.

  • Don't migrate to OS X Server, because its future is more than uncertain. Apple has converted this from a once good product to a toy for SOHO users and there is no telling what stupid ideas they have for this in the future. – Sven May 06 '14 at 15:46
  • I'm not unaware of Apple news and speculation. – samh May 06 '14 at 19:09

2 Answers


Open Directory has an LDAP backend so you would use something like simplesamlphp with LDAP to get what you want.

However, some big caveats.

If you’re happy with your Windows Server experience there are very few compelling reasons to switch to OS X and Open Directory. Apple has put a lot of work into making OS X a good Active Directory client. For a broad overview see their whitepapers on the topic:

Mountain Lion http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf

Mavericks http://training.apple.com/pdf/wp_integrating_active_directory_mav.pdf

Migrating from one directory system to another one is a big project and AD has superior vendor support from Microsoft. I say this as a system administrator who has used both products extensively. Every version of Open Directory I’ve deployed has had a significant bug sooner or later. The last one I encountered was a bug in Mountain Lion Server's LDAP authentication that caused the server to crash every ~24 hours when under normal load. The workaround was a script that restarted the service every hour. The real fix didn’t come until Mavericks was released. Apple never acknowledged the bug in any release notes, nor did normal AppleCare. Any help (in this case, acknowledgement of the bug and that our workaround was the correct workaround) came from enterprise AppleCare.

If you really want to migrate to an Apple server then the enterprise support contract is mandatory. You can get more information on it here:


Hope that helps.

  • Maybe I'm not understanding the actual answer you posted (as opposed to the supplementary material), but I don't see how an LDAP backend in Open Directory helps me. I need to connect Open Directory to a SAML identity provider. Everything else we use already connects to this provider. – samh May 08 '14 at 20:47
  • My mistake. I misread your question as wanting to connect a SAML identity provider to Open Directory instead of the other way around. There is no built-in support in OD for what you appear to want to do. You would have to develop a new plugin for OD that understands and interacts with your chosen SAML identity provider. That’s a big rabbit hole. https://developer.apple.com/library/mac/documentation/networking/Conceptual/Open_Dir_Plugin/Introduction/Introduction.html – boyonwheels May 08 '14 at 22:09
  • If you make your "No…but here's how" into an answer, I'll accept it as the answer. – samh May 09 '14 at 13:28

If your AD environment uses Kerberos for authentication, then in principle, moving from the AD functions to a combination of a Kerberos server (e.g. MIT's krb5) and an LDAP server would work (running on Linux). Mac OS X clients support Kerberos authentication and SSO; Safari (and Chrome, Firefox) support the SPNEGO extension for handling Kerberos auth over HTTP. An OAuth2 or SAML IdP is a mechanism for proving the identity of your users to external service providers (e.g. Google Apps).
