SAML and LDAP Bridge and Security


(Douglas (@finnatic at @waikato)) #1

I'm reading a couple of manual pages today on SAML and the LDAP bridge and trying to understand what connections might exist between the two.
Does anyone have any details they could share on any setups where LDAP and SAML were used simultaneously? Or is that something generally not done?
Alternatively, has anyone done anything using the exposed SAML data to interact with Matrix permissions?

(Marcus Fong) #2

The combination of LDAP and SAML isn’t used that often for the simple reason that many organisations using SAML prefer not to expose their LDAP directory servers. However, it is useful in cases where you want users to be able to log in via SAML SSO, but still use LDAP groups for assigning Matrix permissions (i.e. SAML for authentication, LDAP for authorisation).

In SAML-only scenarios, I gather the usual approach is to set up a login trigger to link users to groups based on a SAML attribute.
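The "SAML for authentication, LDAP for authorisation" split and the SAML-attribute-to-group trigger described above both come down to one step: take a list of group identifiers (from an assertion attribute, or from an LDAP lookup keyed on the NameID) and turn only the ones you expect into application groups. The following is an added example, not code from the Squiz Matrix product or from anyone in this thread. It parses a constructed SAML Response, reads the NameID and a `memberOf` attribute (attribute name, group DNs and Matrix group names are all hypothetical), and maps the DNs through an explicit allowlist so that an unknown or mistyped value from the IdP never becomes a group. Signature and audience validation of the assertion are assumed to have been done already by the SP library (SimpleSAMLphp in the poster's setup); this code only covers the attribute-to-group step.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used when walking the Response document.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Allowlist from a trusted group DN (lower-cased, DNs are case-insensitive)
# to an application group. Hypothetical names. Anything not listed is
# ignored rather than turned into a group, so a new IdP value cannot grant
# access until someone deliberately adds it here.
GROUP_MAP = {
    "cn=web-editors,ou=groups,dc=example,dc=org": "Content Editors",
    "cn=web-admins,ou=groups,dc=example,dc=org": "Site Administrators",
}

# Constructed sample Response (unsigned, for illustration only). In a real
# deployment the SP has already verified the signature before this point.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://adfs.example.org/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://adfs.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.org</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>CN=Web-Editors,OU=Groups,DC=example,DC=org</saml:AttributeValue>
        <saml:AttributeValue>CN=Payroll,OU=Groups,DC=example,DC=org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML Response.

    Raises ValueError when the Response has no Assertion or the Assertion
    has no NameID, because without a subject there is nobody to authorise.
    """
    root = ET.fromstring(xml_text.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise ValueError("Assertion has no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return name_id.strip(), attrs


def map_group_dns(dns):
    """Map group DNs to application groups via the allowlist, dropping the rest.

    The DN list may come from a SAML attribute or from an LDAP lookup on the
    authenticated NameID; either way only allowlisted DNs produce a group.
    """
    groups = []
    for dn in dns:
        group = GROUP_MAP.get(dn.lower())
        if group is not None and group not in groups:
            groups.append(group)
    return groups


def groups_for_user(attrs, group_attr="memberOf"):
    """SAML-only flavour: groups come straight from the assertion attribute."""
    return map_group_dns(attrs.get(group_attr, []))


if __name__ == "__main__":
    name_id, attrs = parse_assertion(SAMPLE_RESPONSE)
    print(name_id, "->", groups_for_user(attrs))
```

Running the block prints `jdoe@example.org -> ['Content Editors']`: the Payroll DN is present in the assertion but, not being in the allowlist, is silently dropped rather than creating a group. For the hybrid model Marcus describes, `map_group_dns` would be fed the DNs returned by an LDAP `memberOf` query for the NameID instead of the assertion's attribute values; the mapping and the deny-by-default behaviour are the same.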


(Douglas (@finnatic at @waikato)) #3

Thanks for the reply, Marcus. We've got a new Matrix instance with SimpleSAML installed, but we'd normally look to configure group membership manually using LDAP users. Ideally we'd use AD groups exposed through the LDAP bridge, but we're still stalled on progressing that work. Since LDAP handles authentication for us directly against our AD, and not via ADFS as SAML would (e.g. Matrix -> LDAP -> AD instead of Matrix -> SAML -> ADFS -> AD), I'm left unsure if SAML offers us anything.


(Marcus Fong) #4

Single sign-on would be the main reason, in my experience. If you need permissions based on LDAP groups but have no plans to use SAML SSO, then as you say a pure LDAP setup would probably be simpler.