Directory Service

What is a Directory Service?

A directory service is a centralized platform for managing identities, applications, and other network resources in an IT environment. The service stores information about users, devices, and applications and plays a central role in authentication and authorization. During authentication, the directory service verifies a user's identity using a username and a password. If authentication is successful, the user is granted access, and authorization then determines which permissions the user has within applications and data sources.

Active Directory (AD) and Entra ID (Azure AD) are examples of directory services that streamline and secure access to IT environments. A directory service can be used standalone, but in modern IT environments, it is usually integrated into a broader Identity and Access Management (IAM) environment.

How Does a Directory Service Work?

We can illustrate how a directory service operates using LDAP (Lightweight Directory Access Protocol), a widely used protocol standard for directory services. With LDAP, authentication and authorization work at a high level as follows:

Authentication

During authentication, you verify that a user is who they claim to be. In LDAP, this is usually done through a so-called "bind" operation:

  • A user attempts to sign in by submitting a Distinguished Name (DN) as the username and a password.

  • LDAP checks whether the supplied credentials are correct.

  • If the combination is valid, the user is authenticated and can proceed to authorization.

Authorization

Authorization determines what a user may do after successful authentication:

  • Permissions are defined in ACLs (Access Control Lists), which specify which users have access to which network resources.

  • For example, a regular employee may view only their own data, while a system administrator may manage all users. An administrator may create, modify, and remove users.
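
As an added illustration of the bind-then-ACL flow above (not code from the original page or from HelloID), here is a small in-memory model in Python: the directory, DNs, passwords and ACL rules are constructed assumptions, and the bind helper deliberately returns the same answer for an unknown DN and a wrong password.

```python
import hashlib
import hmac
import os
from typing import Optional

ADMIN_GROUP = "cn=admins,ou=groups,dc=example,dc=com"


def _digest(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 stands in for the password hashing a real directory would do.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _entry(password: str, groups):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _digest(salt, password), "memberOf": list(groups)}


# Constructed sample directory keyed by DN (assumption: stands in for a real LDAP server).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": _entry("alice-secret", []),
    "uid=bob,ou=people,dc=example,dc=com": _entry("bob-secret", [ADMIN_GROUP]),
}
_DUMMY_SALT = os.urandom(16)


def bind(dn: str, password: str) -> Optional[str]:
    """LDAP-style simple bind: returns the bound DN on success, None otherwise."""
    entry = DIRECTORY.get(dn)
    # Always hash and compare, even for an unknown DN, so response timing does not
    # reveal which DNs exist; compare_digest avoids leaking the digest byte by byte.
    salt = entry["salt"] if entry else _DUMMY_SALT
    expected = entry["pw"] if entry else _digest(_DUMMY_SALT, "")
    ok = hmac.compare_digest(expected, _digest(salt, password))
    return dn if entry is not None and ok else None


def authorize(bound_dn: str, operation: str, target_dn: str) -> bool:
    """ACL from the text: admins manage all users; everyone else may only read their own entry."""
    if ADMIN_GROUP in DIRECTORY[bound_dn]["memberOf"]:
        return operation in ("read", "create", "modify", "delete")
    return operation == "read" and target_dn == bound_dn


def request(dn: str, password: str, operation: str, target_dn: str) -> str:
    """Full flow: authenticate first, then authorize the requested operation."""
    bound = bind(dn, password)
    if bound is None:
        return "invalid credentials"  # same answer for a bad password and an unknown DN
    return "allowed" if authorize(bound, operation, target_dn) else "denied"
```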

Directory Service Standards

In the example above, we used the LDAP standard. It is just one example of standard protocols used in directory services. Open standards are important because you want your directory service to integrate with diverse systems. A few widely used directory service protocols are:

  • LDAP (Lightweight Directory Access Protocol). This is an open protocol for storing and querying directory information that can also be used for authentication and authorization. LDAP uses a hierarchy of users, groups, and devices.

  • Kerberos. This network security protocol provides strong authentication via encrypted tickets. This enables Single Sign-On (SSO) without sending passwords across the network.

  • SAML (Security Assertion Markup Language). This is an XML-based standard for sharing identities across domains to support Single Sign-On (SSO). SAML is used in enterprise cloud apps such as Google Workspace and Microsoft 365.

The term lightweight is worth clarifying. It means the protocol is designed for efficiency, avoids sending unnecessary data, and does not require excessive compute from connected devices. LDAP evolved from the older X.500 directory standard, which was much heavier and is therefore used less for modern directory services. A user may interact with a directory service dozens of times per day to access applications and data, so speed is critical. As a result, modern environments rely on lightweight directory services.

Examples of Directory Services

There are numerous directory services in use. Below are several commonly used solutions:

  • Microsoft Active Directory (AD): This on-premises solution is used in Windows environments for user management and authentication. AD supports protocols such as LDAP and Kerberos. It also uses SAML (Security Assertion Markup Language) to enable Single Sign-On (SSO).

  • Entra ID: This is the current name for Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management solution. Entra ID supports OAuth, SAML, and OpenID Connect and serves as a broker for access to Microsoft 365 and SaaS apps.

  • Red Hat Directory Server (RHDS): A commercial enterprise LDAP directory service from Red Hat, suitable for Linux- and Unix-based networks.

  • Apache Directory Server (ApacheDS): An open-source, Java-based directory service that supports LDAP and Kerberos for identity management.

  • IBM Security Directory Server: A directory service for large organizations based on LDAP.

Directory Services Within Your IAM Solution

As noted earlier, a directory service is typically integrated into a broader Identity and Access Management (IAM) environment. The directory service supports foundational capabilities such as authentication and authorization. A modern IAM environment extends this with a broader set of features and orchestrates identity and access governance across the entire identity lifecycle, from onboarding through internal moves to offboarding. Below, we outline the added value of IAM functionality compared to directory services using several HelloID modules:

Access Management

Directory services support user authentication and authorization within an IT environment, but not all directory services include additional capabilities such as Single Sign-On and Multifactor Authentication. These are examples of features HelloID can add through the Access Management module.

Provisioning

Technically, you can manage data in Active Directory or Entra ID manually and directly. However, this becomes unmanageable once an organization has hundreds or thousands of users and you must keep their accounts and permissions correct, consistent, and up to date throughout their employment. This is especially true when you also need to comply with all relevant privacy and information security guidelines.

The HelloID Provisioning module ensures that employees are automatically assigned the correct accounts and permissions at all times using Attribute-Based Access Control (ABAC). To accomplish this, the system queries the HR system as the source of truth multiple times per day. Based on a person's current role, department, and location, the system automatically determines the required accounts and access rights. HelloID then propagates these settings to the directory service and other target systems for each employee. Under the hood, your directory service still performs authentication and authorization from a technical perspective. The provisioning module ensures that, in large, complex organizations, all settings are managed in a controlled and auditable manner.
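
An added example (not HelloID's code) of the ABAC reconciliation the provisioning step describes: the rules, HR records and current directory state are constructed assumptions, and one cycle computes the grants, revokes and account disables to propagate to the directory.

```python
from typing import Dict, List, Set

# Constructed ABAC rules (assumption: illustrative, not HelloID's actual rule format).
# Each rule maps HR attributes to the entitlements a person matching them must hold.
RULES = [
    ({}, {"account:ad", "group:all-staff"}),                       # every active employee
    ({"department": "finance"}, {"group:finance-share"}),
    ({"role": "manager"}, {"group:managers", "license:bi-tool"}),
    ({"location": "amsterdam"}, {"group:ams-office-wifi"}),
]
ACCOUNT = "account:ad"


def required_entitlements(person: Dict[str, str]) -> Set[str]:
    """Evaluate the rules for one HR record; a person who has left needs nothing."""
    if person.get("status") != "active":
        return set()
    wanted: Set[str] = set()
    for conditions, grants in RULES:
        if all(person.get(attr) == value for attr, value in conditions.items()):
            wanted |= grants
    return wanted


def reconcile(person: Dict[str, str], current: Set[str]) -> Dict[str, object]:
    """Diff the desired state against what the directory holds now."""
    wanted = required_entitlements(person)
    if person.get("status") != "active":
        # Offboarding: strip every permission, but disable the account rather than
        # deleting it so the audit trail and the person's data stay intact.
        return {"grant": [], "revoke": sorted(current - {ACCOUNT}), "disable_account": ACCOUNT in current}
    return {"grant": sorted(wanted - current), "revoke": sorted(current - wanted), "disable_account": False}


def plan_changes(hr_records: List[Dict[str, str]], directory_state: Dict[str, Set[str]]):
    """Run one provisioning cycle over the HR source of truth."""
    return {p["id"]: reconcile(p, directory_state.get(p["id"], set())) for p in hr_records}


# Constructed sample HR extract and current directory state.
HR = [
    {"id": "alice", "status": "active", "role": "employee", "department": "finance", "location": "amsterdam"},
    {"id": "bob", "status": "active", "role": "manager", "department": "sales", "location": "rotterdam"},
    {"id": "carol", "status": "left", "role": "employee", "department": "finance", "location": "amsterdam"},
]
DIRECTORY = {
    "alice": {"account:ad", "group:all-staff", "group:finance-share"},
    "bob": {"account:ad", "group:all-staff", "group:finance-share"},  # moved from finance to sales
    "carol": {"account:ad", "group:all-staff", "license:bi-tool"},
}
```

Entitlements present in the directory but not justified by any rule are revoked, which is the drift a periodic review would otherwise have to catch by hand.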

Service Automation

The same applies to the HelloID Service Automation module. Provisioning functionality automatically grants the appropriate accounts and permissions to users whenever possible, but some changes will still need to be requested individually. For example, someone may need an extra license or access to a data folder to work on a specific project. You could have a Tier 2 administrator make these changes directly in Active Directory. With the Service Automation module, helpdesk staff, managers, or even employees can submit and execute these changes. These are still changes in the directory service, but they are executed much more efficiently and in a user-friendly way.

Governance

With the reporting capabilities and the HelloID Governance module, we ensure that all changes are traceable and that account and access management are evaluated regularly and adjusted where needed. Regular reviews identify loopholes and inconsistencies, keeping the role model current. In this way, IAM functionality is incorporated into the Plan-Do-Check-Act cycle prescribed by ISO 27001 and related security standards.

Want to Learn More About Directory Services?

Want to learn more about how HelloID works with directory services such as AD and Entra ID? Get in contact with us.

Related Articles

What is a directory service?

A directory service is a centralized system that stores and manages information about users, devices, and resources. It provides authentication, authorization, and search functionality within networks, often via standard protocols such as LDAP or Kerberos.

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol for querying and managing information in a directory service. It is used for user authentication and authorization within networks.

What is Active Directory?

Active Directory (AD) is Microsoft's directory service for managing network resources. AD provides authentication, authorization, and centralized management of users, groups, and devices within Windows networks using protocols such as LDAP and Kerberos.