LDAP Bridge
Enterprise LDAP connectivity through modern identity bridges
Portkey provides LDAP integration support for enterprises through industry-standard identity provider bridges. This approach enables organizations to maintain their existing LDAP infrastructure while benefiting from modern cloud-native authentication protocols.
Overview
Rather than implementing native LDAP support, Portkey leverages proven bridge solutions from leading identity providers. This strategy offers:
- Enhanced Security: Modern token-based authentication with MFA support
- Improved Scalability: Cloud-native architecture without on-premises limitations
- Reduced Complexity: Leverage specialized identity provider expertise
- Future-Ready: Seamless path to modern protocols
How LDAP Bridging Works
LDAP bridge solutions translate between your existing LDAP directory and the protocols Portkey speaks: SAML or OIDC for authentication and SCIM for provisioning.
Architecture Overview
The bridge maintains synchronization between your LDAP directory and the identity provider, enabling:
- User Authentication: the identity provider validates the user's LDAP credentials (plus MFA) and issues a SAML assertion or OIDC token to Portkey; LDAP passwords never reach Portkey
- User Provisioning: Directory changes (joiners, movers, leavers) synchronized to Portkey via SCIM
- Group Management: LDAP groups mapped to Portkey workspaces
- Attribute Mapping: Custom LDAP attributes preserved
Supported Identity Providers
Azure AD Connect
- Synchronizes on-premises AD to Azure AD
- Supports password hash sync or pass-through authentication
- Enables SAML, OIDC, and SCIM for cloud applications
- Free tier available, Premium features $6-9/user/month
Best For: Organizations already using Microsoft 365 or Azure services
Okta LDAP Agent
- No credential replication to cloud
- Real-time authentication against LDAP
Best For: Organizations with on-premises AD
Okta LDAP Interface
- No on-premises infrastructure required
- Simplified management
- Works in the opposite direction from the LDAP Agent: it exposes Okta's own user store as an LDAPS endpoint for applications that can only speak LDAP, it does not import an existing directory
Best For: Organizations that have moved their directory to Okta but still run LDAP-only applications alongside Portkey
Alternative Solutions
- OneLogin Virtual LDAP: Cloud-based LDAP service
- Auth0 AD/LDAP Connector: Developer-friendly integration
- Keycloak: Open-source option with enterprise features
- JumpCloud: Directory-as-a-Service with LDAP support
Azure AD Setup
Requires Azure AD Connect installed on-premises with connectivity to your domain controllers.
Install Azure AD Connect
Configure Synchronization
Authentication Method
- Password Hash Sync (recommended): a hash of the on-premises password hash is synchronized to Azure AD, so sign-in keeps working when the domain controllers are unreachable
- Pass-through Authentication: passwords stay on-premises and each sign-in is validated by an agent against your domain controllers
- Federation (advanced)
OU Selection
- Select only the OUs that contain the users and groups that need Portkey access; everything synchronized here becomes eligible for SCIM provisioning
Attribute Filtering
- Configure attribute filtering so that only the attributes in the mapping table below, plus any custom attributes you need, leave the directory
Enable Portkey SSO
- Navigate to Azure Portal > Enterprise Applications
- Add new application > Non-gallery application
SAML Configuration
- Entity ID: get from Portkey Control Plane.
- Reply URL: get from Portkey Control Plane.
- Sign-on URL: https://app.portkey.ai
Configure SCIM Provisioning
Provisioning Setup
- In application settings, go to Provisioning
- Set mode to Automatic
- Configure with Portkey SCIM endpoint and token, then use Test Connection before saving so a bad URL or token is caught before the first sync cycle
Attribute Mapping
- Map attributes according to SCIM setup guide
Okta Setup
Using Okta LDAP Agent
Download and Install Agent
- Access Okta Admin Console
- Navigate to Directory > Directory Integrations
- Add LDAP Directory > Download Agent
- Install on server with LDAP connectivity
Configure LDAP Connection
Set Up Portkey Integration
- Create SAML application following SSO guide
- Enable SCIM provisioning per SCIM guide
- Configure attribute mappings
Using Okta LDAP Interface
Enable LDAP Interface
- Okta Admin > Directory > LDAP Interface
- Generate LDAP credentials
- Note the LDAP endpoint URL
Configure Applications
- Point LDAP applications to Okta endpoint
- Use generated credentials for binding
- Test authentication flow
Attribute Mapping
Ensure critical LDAP attributes map correctly:
| LDAP Attribute | SCIM Attribute | Portkey Field |
|---|---|---|
| uid / sAMAccountName | userName | username |
| mail | emails[primary] | |
| givenName | name.givenName | firstName |
| sn | name.familyName | lastName |
| memberOf | groups | workspaces |
| title | title | jobTitle |
Custom LDAP attributes can be mapped through extended schema support in most identity providers. Two caveats on the memberOf row: memberOf values are full DNs, so the bridge must extract the group name (cn) before it can become a workspace name, and in SCIM 2.0 the groups attribute on a User is read-only (RFC 7643), so membership is pushed through Group resources ("push groups" in Okta, group assignment in Azure AD) rather than set on the user.
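The mapping table above, carried through in code. This is an added example, not Portkey's or any identity provider's code; it assumes (hypothetically) that a workspace is named after the group's cn and that only groups whose cn starts with "portkey-" become workspaces, and the two directory entries are constructed, not read from a real directory. It also handles the two edge cases the table does not show: a disabled AD account must arrive as active=false, and a user without mail cannot be provisioned at all.

```python
"""Map one LDAP entry to a SCIM 2.0 User plus a list of Portkey workspaces.

Added example (not Portkey's or any IdP's code). It follows the mapping
table above. Assumptions: the workspace name is the group's cn, only groups
whose cn starts with "portkey-" become workspaces, and the sample entries
below are constructed, not read from a real directory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed entries shaped like the attribute dicts ldap3/python-ldap return.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "title": ["Staff Engineer"],
    "userAccountControl": ["512"],          # NORMAL_ACCOUNT, enabled
    "memberOf": [
        "CN=portkey-ml-platform,OU=Groups,DC=example,DC=com",
        "CN=vpn-users,OU=Groups,DC=example,DC=com",
        "CN=portkey-security,OU=Groups,DC=example,DC=com",
    ],
}
DISABLED_ENTRY = dict(SAMPLE_ENTRY, userAccountControl=["514"])  # 512 | 0x2

WORKSPACE_GROUP_PREFIX = "portkey-"     # hypothetical naming convention
ACCOUNTDISABLE = 0x0002                 # userAccountControl bit

# First RDN of a DN, allowing RFC 4514 backslash escapes inside the value.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def first(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    vals = entry.get(attr) or []
    return vals[0] if vals else None


def group_cn(dn: str) -> Optional[str]:
    """Extract the cn from a group DN; memberOf only gives DNs, never names."""
    m = _CN_RE.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))   # "Doe\, Jane" -> "Doe, Jane"


def validate(entry: Dict[str, List[str]]) -> List[str]:
    """SCIM userName and a primary email are mandatory; fail before pushing."""
    problems = []
    if not (first(entry, "sAMAccountName") or first(entry, "uid")):
        problems.append("missing sAMAccountName/uid")
    if not first(entry, "mail"):
        problems.append("missing mail")
    return problems


def ldap_to_scim_user(entry: Dict[str, List[str]]) -> Tuple[dict, List[str]]:
    problems = validate(entry)
    if problems:
        raise ValueError(", ".join(problems))
    uac = int(first(entry, "userAccountControl") or "0")
    workspaces = sorted(
        cn for cn in (group_cn(dn) for dn in entry.get("memberOf", []))
        if cn and cn.lower().startswith(WORKSPACE_GROUP_PREFIX)
    )
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": first(entry, "sAMAccountName") or first(entry, "uid"),
        "name": {"givenName": first(entry, "givenName"),
                 "familyName": first(entry, "sn")},
        "emails": [{"value": first(entry, "mail"), "primary": True}],
        "title": first(entry, "title"),
        # A disabled AD account must become active=false, otherwise the user
        # keeps a working Portkey session until deprovisioning catches up.
        "active": not (uac & ACCOUNTDISABLE),
    }
    # "groups" on a SCIM User is read-only (RFC 7643), so membership is
    # returned separately for the Group resource / push-groups step.
    return user, workspaces


if __name__ == "__main__":
    import json
    u, ws = ldap_to_scim_user(SAMPLE_ENTRY)
    print(json.dumps(u, indent=2))
    print("workspaces:", ws)
```

The returned workspace list is deliberately kept out of the User document: a bridge that writes it into the user's groups attribute will get a silent no-op or a 400 from a conforming SCIM server, which shows up later as "user exists but has no workspaces".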
Troubleshooting
Authentication Failures
Symptom: Users cannot log in despite correct credentials
Causes:
- Certificate validation errors (the bridge does not trust the LDAPS certificate, often one issued by an internal CA)
- Time synchronization issues (SAML assertions carry NotBefore/NotOnOrAfter conditions and Kerberos tolerates only 5 minutes of skew, so a drifted clock rejects otherwise valid logins)
- Incorrect attribute mapping (the NameID or userName sent by the identity provider does not match the value Portkey expects)
Fixes:
- Verify the LDAPS certificate chain is trusted by the bridge host; import the issuing CA rather than disabling validation
- Ensure NTP synchronization on the bridge host, the domain controllers and the identity provider agents
- Check authentication logs in the identity provider, then inspect the SAML response itself
Provisioning Errors
Symptom: Users not appearing in Portkey or incorrect attributes
Causes:
- SCIM endpoint connectivity issues
- Attribute mapping conflicts (for example two directory users resolving to the same userName or email)
- Insufficient permissions (the SCIM bearer token is expired, revoked or scoped too narrowly)
Fixes:
- Test the SCIM endpoint directly with the bearer token: a 401 points at the token, a 404 at the base URL, and a successful but empty search means the user was never assigned to the application in the identity provider
- Review attribute mapping configuration
- Verify service account permissions
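The "test the SCIM endpoint with the bearer token" step from the fixes above, as a small probe. This is an added example, not Portkey's tooling: the base URL, token and username are placeholders (the real values come from your Portkey SCIM setup), and only probe() touches the network; the helpers are pure so the diagnosis logic can be checked offline.

```python
"""Probe a SCIM 2.0 endpoint with a bearer token and explain the response.

Added example, not Portkey's tooling. SCIM_BASE and SCIM_TOKEN are
placeholders for the endpoint and token shown in your Portkey SCIM setup.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict

SCIM_BASE = "https://scim.example.com/v2"        # placeholder
SCIM_TOKEN = "replace-with-provisioning-token"   # placeholder


def scim_headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}",
            "Accept": "application/scim+json"}


def scim_filter_escape(value: str) -> str:
    """RFC 7644 filter values are double-quoted strings: escape backslash and
    double quote so a username taken from user input cannot alter the filter."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def user_lookup_url(base: str, username: str) -> str:
    query = urllib.parse.urlencode(
        {"filter": f'userName eq "{scim_filter_escape(username)}"'})
    return f"{base.rstrip('/')}/Users?{query}"


def classify(status: int, body: str) -> Dict[str, str]:
    """Map an HTTP status (and body) to the troubleshooting causes above."""
    if status == 401:
        return {"code": "bad_token",
                "hint": "bearer token rejected: regenerate it in Portkey and update the IdP"}
    if status == 403:
        return {"code": "insufficient_permissions",
                "hint": "token accepted but not allowed to manage users"}
    if status == 404:
        return {"code": "wrong_base_url",
                "hint": "no SCIM resource here: check the base URL (/Users must exist)"}
    if status >= 500:
        return {"code": "server_error", "hint": "SCIM endpoint error: retry, then contact support"}
    if status != 200:
        return {"code": f"http_{status}", "hint": body[:200]}
    try:
        data = json.loads(body)
    except ValueError:
        return {"code": "not_json",
                "hint": "200 but body is not JSON: probably a proxy or login page in the way"}
    if data.get("totalResults", 0) == 0:
        return {"code": "not_provisioned",
                "hint": "endpoint works but the user was never pushed: check the app assignment and attribute mapping in the IdP"}
    return {"code": "provisioned", "hint": f"found {data['totalResults']} match(es)"}


def probe(base: str, token: str, username: str, timeout: float = 10.0) -> Dict[str, str]:
    req = urllib.request.Request(user_lookup_url(base, username), headers=scim_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except urllib.error.URLError as e:
        return {"code": "connectivity", "hint": f"cannot reach SCIM endpoint: {e.reason}"}


if __name__ == "__main__":
    print(probe(SCIM_BASE, SCIM_TOKEN, "jdoe"))
```

Run it from the same network segment as the identity provider's provisioning engine where possible; a "connectivity" result from your laptop says nothing about whether Okta or Azure AD can reach the endpoint.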
Performance Issues
Symptom: Slow authentication or provisioning
Causes:
- Unindexed LDAP queries (filters on attributes the directory does not index force a scan of every object)
- Network latency between the bridge and the LDAP servers
- Large group memberships (every login or sync pulls the full memberOf list, and nested-group resolution multiplies the cost)
Fixes:
- Add indexes for commonly queried attributes, and write filters that lead with indexed ones such as objectCategory and sAMAccountName
- Deploy bridge closer to LDAP servers
- Implement group filtering so only the groups that map to Portkey workspaces are synchronized
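The "indexed attributes first" and "group filtering" fixes above, as search filters a bridge would issue, with one point the page implies but does not spell out: a filter value that comes from user input must be escaped per RFC 4515 or the lookup itself becomes an LDAP injection. This is an added example, not Portkey's or any identity provider's code; the group DNs are constructed.

```python
"""Build LDAP search filters that are both fast and injection-safe.

Added example, not Portkey's or any IdP's code. Group DNs are constructed.
"""
from typing import Iterable

# RFC 4515 mandates escaping these inside a filter value; without it a
# username like "*)(objectClass=*" turns a lookup into a directory dump.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# objectCategory and sAMAccountName are indexed by default in AD; leading
# with them lets the server narrow the candidate set before other clauses.
_USER_BASE = "(objectCategory=person)(objectClass=user)"


def user_filter(username: str) -> str:
    return f"(&{_USER_BASE}(sAMAccountName={escape_filter_value(username)}))"


def group_scoped_filter(group_dns: Iterable[str]) -> str:
    """Only users who are direct members of one of the given groups.

    memberOf equality on a full DN is indexed. A wildcard such as
    (memberOf=CN=portkey-*) is not an option: memberOf is a DN-syntax
    attribute and AD does not support substring matching on those.
    """
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&{_USER_BASE}(|{clauses}))"


def nested_group_filter(group_dn: str) -> str:
    """Resolve nested membership server-side with LDAP_MATCHING_RULE_IN_CHAIN.

    Correct but expensive: the server walks the group graph for every query,
    so reserve it for the periodic sync, not the per-login path.
    """
    return (f"(&{_USER_BASE}"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    print(user_filter("jdoe"))
    print(group_scoped_filter([
        "CN=portkey-ml-platform,OU=Groups,DC=example,DC=com",
        "CN=portkey-security,OU=Groups,DC=example,DC=com",
    ]))
    print(nested_group_filter("CN=portkey-all,OU=Groups,DC=example,DC=com"))
```

Pair group_scoped_filter with a one-time sync of group DNs from the identity provider's workspace mapping, so the list of groups the bridge asks for is the same list that becomes workspaces.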
Best Practices
High Availability
- Deploy multiple bridge instances (Okta LDAP Agents run active-active; Azure AD Connect allows only one active server, with additional servers kept in staging mode for failover)
- Configure load balancing
- Implement health monitoring
Security Hardening
- Use LDAPS (LDAP over TLS on port 636) or StartTLS always, with certificate validation enabled; never plain LDAP on port 389, which sends the bind password in clear text
- Implement service account restrictions: a dedicated read-only bind account scoped to the synchronized OUs, denied interactive logon, with a long random password rotated on a schedule
- Enable audit logging on the directory, the bridge and the identity provider, and alert on bind failures from the bridge's service account
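The LDAPS requirement above, together with the two causes listed under Authentication Failures (an untrusted certificate and clock skew), as a check you can run from the bridge host. This is an added example, not Portkey's or any identity provider's code; the hostname is a placeholder and the certificate timestamps used for checking are constructed.

```python
"""Check an LDAPS endpoint: is the server certificate trusted, do clocks agree?

Added example, not Portkey's or any IdP's code. Hostnames are placeholders.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional, Tuple

LDAPS_PORT = 636


def ldaps_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context: verify the chain, check the hostname, TLS >= 1.2.

    The weak setting found in many bridge configs is verify_mode=CERT_NONE,
    which leaves LDAPS no better than plain LDAP against an on-path attacker
    who can present any certificate. Fix trust by loading the issuing CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # private CA, e.g. AD CS
    else:
        ctx.load_default_certs()
    return ctx


def is_strict(ctx: ssl.SSLContext) -> bool:
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version == ssl.TLSVersion.TLSv1_2)


def cert_time_problems(not_before: float, not_after: float, now: float,
                       max_skew: float = 300.0) -> List[str]:
    """Validity-window checks. A 'not yet valid' error by only a few minutes
    almost always means this host's clock, not the certificate, is wrong."""
    problems = []
    if now < not_before:
        if not_before - now <= max_skew:
            problems.append("certificate not yet valid by seconds: check NTP on this host")
        else:
            problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    elif not_after - now < 30 * 86400:
        problems.append("certificate expires within 30 days")
    return problems


def cert_dates(peercert: Dict) -> Tuple[float, float]:
    """getpeercert() returns 'Jan  5 09:34:43 2018 GMT' strings; convert both."""
    return (ssl.cert_time_to_seconds(peercert["notBefore"]),
            ssl.cert_time_to_seconds(peercert["notAfter"]))


def check_ldaps(host: str, port: int = LDAPS_PORT, ca_bundle: Optional[str] = None,
                timeout: float = 5.0) -> List[str]:
    """Connect and return human-readable problems (empty list means healthy)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ldaps_context(ca_bundle).wrap_socket(sock, server_hostname=host) as tls:
                nb, na = cert_dates(tls.getpeercert())
                return cert_time_problems(nb, na, time.time())
    except ssl.SSLCertVerificationError as e:
        # Must be caught before OSError, which it subclasses.
        return [f"certificate not trusted ({e.verify_message}): "
                "import the issuing CA on this host or fix the certificate's SAN"]
    except OSError as e:
        return [f"cannot reach {host}:{port}: {e}"]


if __name__ == "__main__":
    for line in check_ldaps("ldap.example.com") or ["ok"]:
        print(line)
```

Run check_ldaps against each domain controller the bridge is configured to use, not just the one behind the load balancer; a single controller with a certificate from a different CA produces the intermittent login failures that are hardest to diagnose from the identity provider's logs.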
Performance Optimization
- Cache frequently accessed data such as group membership and attribute lookups, never passwords or bind credentials
- Implement connection pooling so each authentication does not pay for a new TLS handshake and bind
- Monitor query performance
Frequently Asked Questions
Why doesn't Portkey support native LDAP?
Modern cloud architectures benefit from stateless, token-based protocols. LDAP’s stateful binary protocol creates security and scalability challenges in cloud environments. Industry leaders like Slack, Salesforce, and others follow the same approach.
Will this increase our costs?
While identity provider licenses add cost, most organizations see overall savings through:
- Reduced infrastructure maintenance
- Improved security posture
- Decreased administrative overhead
- Better user experience
How long does migration take?
Typical enterprise migrations complete in 3-6 months:
- Small organizations (<1,000 users): 4-8 weeks
- Medium organizations (1,000-10,000): 2-4 months
- Large enterprises (10,000+): 4-6 months
Can we maintain LDAP for other applications?
Yes, bridge solutions maintain your existing LDAP infrastructure. Other applications continue working unchanged while Portkey uses modern protocols.
Support
For assistance with LDAP integration:
- Review our SSO documentation for authentication setup
- Configure SCIM provisioning for user management
- Contact [email protected] for integration help
Enterprise customers can request a guided migration workshop. Our solution architects will help design and implement your LDAP bridge strategy.