
We're building a web app positioned towards corporations, and have a need to maintain an up-to-date repository of user data for all corporate users of our web application. We're well aware of how to achieve federated authentication - however we have a need to also maintain a local repository of metadata about a user (think department, position, level, etc.) as well as be aware of the lifecycle of users (i.e. if someone has left the company etc.), i.e. we need to solve provisioning.

What are best ways to ensure we can synchronize our user repository with arbitrary company repositories (e.g. typically LDAPs such as AD or similar)?

A few approaches we've considered:

  • Setting up an LDAP query "pull" from our web app that regularly polls for user data. Obviously may create a lot of unnecessary data shuffling (when nothing has changed), and requires an externally (internet) exposed LDAP server from the company, which is not ideal security-wise.
  • Asking our customers to set up an LDAP synchronization engine on their LDAP servers (e.g. install an agent that pushes changes to us) - not ideal as it requires custom installed components & maintenance
  • Build support for common (?) protocols for provisioning of users and tie in to some enterprise identity management solution (e.g. SCIM, SPML). What is actually in use today?

Any tips / best practices?

Peder
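As an added illustration that is not part of the question or any answer here, a minimal in-memory SCIM 2.0 `/Users` handler (stdlib only, a subset of RFC 7643/7644) showing the third option in practice: the customer's identity provider pushes create and patch requests, and the app keeps a local record with department, title and lifecycle state, treating `active: false` as the leaver signal. `ScimUserStore`, `_as_bool` and the sample requests are assumed names and constructed data, not any product's code.

```python
import json
import uuid
# Schema URNs from RFC 7643 / RFC 7644.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
def _as_bool(v):
    """Some IdP connectors send booleans as the strings "True"/"False"; normalise."""
    return v.lower() == "true" if isinstance(v, str) else bool(v)

class ScimUserStore:
    """Local user repository (assumed name) that the customer's IdP pushes SCIM requests into."""
    def __init__(self):
        self.users = {}  # local id -> record

    def create_user(self, body):
        """POST /Users: check schemas, map core + enterprise attributes to a local record."""
        doc = json.loads(body)
        if CORE_USER not in doc.get("schemas", []):
            raise ValueError("missing core User schema")
        ext = doc.get(ENTERPRISE_USER, {})
        rec = {"id": str(uuid.uuid4()),
               "externalId": doc.get("externalId"),  # IdP's key; reconcile re-syncs on this
               "userName": doc["userName"], "title": doc.get("title"),
               "active": _as_bool(doc.get("active", True)),
               "department": ext.get("department"),
               "manager": (ext.get("manager") or {}).get("value")}
        self.users[rec["id"]] = rec
        return rec

    def patch_user(self, uid, body):
        """PATCH /Users/{id}: apply add/replace ops; active=false is the leaver signal."""
        doc = json.loads(body)
        if PATCH_OP not in doc.get("schemas", []):
            raise ValueError("not a PatchOp message")
        rec = self.users[uid]
        for op in doc["Operations"]:
            if op.get("op", "").lower() not in ("add", "replace"):
                raise ValueError("unsupported op: %r" % op.get("op"))
            changes = {op["path"]: op["value"]} if "path" in op else op["value"]  # no path: partial resource
            for attr, val in changes.items():
                attr = attr.split(":")[-1]  # strip enterprise URN prefix if present
                rec[attr] = _as_bool(val) if attr == "active" else val
        return rec  # deactivated records are kept for audit rather than deleted

SAMPLE_CREATE = json.dumps({"schemas": [CORE_USER, ENTERPRISE_USER], "externalId": "hr-00042",
    "userName": "jdoe@example.com", "title": "Analyst", "active": True,  # constructed sample
    ENTERPRISE_USER: {"department": "Finance", "manager": {"value": "hr-00007"}}})
SAMPLE_DEACTIVATE = json.dumps({"schemas": [PATCH_OP],  # constructed sample: HR marks a leaver
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
```

In a real deployment the handler sits behind a bearer token issued per customer, and a DELETE or a `replace` of `active` should also revoke the user's live sessions.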
  • This sounds incredibly broad, and is possibly the wrong approach from the outset. Not everyone uses LDAP or AD, for example, and those that do (and know what they're doing) often synchronize their AD or LDAP with an authoritative employee database (usually some piece of crap HR picked). For that matter, not everyone has an electronic employee database or directory, and not everyone who does is going to use the same one, or be willing to expose it to your web app. So... well, those are some pretty big problems to address. – HopelessN00b Feb 11 '15 at 16:05
  • This is more of a programming architecture question than a sysadmin question. Should be moved to SO. – mfinni Feb 11 '15 at 16:12
  • Maybe use Stormpath https://stormpath.com/product/ldap/ – Daniel May 15 '15 at 23:55
  • Stormpath link is now: https://stormpath.com/product/ad-ldap/ – Ɖiamond ǤeezeƦ Mar 09 '16 at 11:39
