LDAP is pretty amazing. It lets you set up a bunch of web services that all share a common user database (or rather, directory), so you can have a WordPress installation, a NextCloud, a MediaWiki, etc., all of which let you log in with the same user credentials, after you've registered an account on any of them. You don't need to program anything yourself; all this software either supports LDAP out of the box or has well-maintained plugins to offer it.

There's only one problem: LDAP can't help different web services share their login sessions (cookies), so when you log in to one service you're not automatically logged in to any others. You have to log in to each and every service with the same username and password.

So my question: is there a technology that's as widespread as LDAP (in terms of being supported by all kinds of software) which solves the user session sharing problem? Something that's, let's say, supported at least by WordPress, NextCloud, and MediaWiki?

TaylanKammer

1 Answer

This is the traditional space for "web access management" (WAM) systems, like Siteminder, Oracle Access Manager, PingAccess, etc. They provide "single sign on" (SSO) to various applications, giving those apps identity data via headers or similar.

In recent years, web administrators have started utilizing signed and encrypted JSON Web Tokens (JWT) within common domains (e.g., *.contoso.com) via cookies. A JWT can be standalone, is verifiable via the signature, and is secure due to the encryption. It can be combined with OIDC, OAuth refresh token mechanisms for ensuring that continued access to an application is required (based on some business rule somewhere), etc.

All of the applications you mentioned have mechanisms that can use OIDC, JWT, SAML, etc. Ultimately, no one can hand you a "silver bullet" that will magically cover everything that is out there - you're going to find things that simply weren't meant for that sort of authentication. Usually though, it's some piece of legacy software that was last updated 12 years ago, EOL'd 8 years ago, and no one has cared enough to upgrade it. Or wanted to pay for it.

Your best strategy is to figure out all the things that you want to SSO into. Then, look at SSO options for those things. I would start with OIDC as a primary, and then headers as a secondary (you could use something like mod_auth_openidc for Apache to push headers from an OIDC id_token to an application that can consume headers for OIDC). That should get you 90+% of the way there.

Greg Askew
Andrew K.