This is something that has popped up our organization and I am looking for a word of advice on it. We all used windows active directory and there were no issues until few application groups have figured out they either get too little support from the organization’s IT infra team or they don’t feel they are able to solve their needs within given infra environment. This all ended up having a few applications that use domain’s active directory, a couple that use active directory but they as well use their own LDAP for settings access permissions to their applicaions and another application (that’s quite outstanding here – Ciebel CRM) that uses their very own authentication model because they require external users in their application and local policy doesn’t allow creating them within the AD domain.

It has worked out until now that we have to hook them into some sort of integration. We can’t move all of them to organization’s active directory (this option would be the one I prefer), and there are a few very strong reasons why this is not possible.

So I was thinking if there is a authentication server (or whatever this may be called) that’s able to authenticate a user against multiple user sources? Say, company’s AD (for all apps that only use that are their source or user data and so on) and another LDAP server (or something else) that could be used for applications that need both “external” and internal users to be able to authenticate with them?

Couple more bits of information on this if helpful at all – the apps are a mixture of C++, Java, .NET and web applications. The integration I’ve mentioned is typically something like: appliction A sends a message or pulls a service to application B and attaches user token to it and I’m expecting application B to be able to talk to the auth server and understand if that’s a valid user token and what that user’s group/attributes are.