█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Directory Services and SSO
40 minIntermediate

Directory Services and SSO

After this lesson, you will be able to: Explain how Active Directory, LDAP, SSO, OAuth, and OIDC fit together in modern identity systems.

Real organizations don't manage identity per app, they centralize it. This lesson covers directory services (the canonical user list), single sign-on (one login for many apps), and the OAuth/OIDC protocols that power 'Sign in with Google' everywhere.

Prerequisites:Access Control Models

Active Directory and LDAP

A directory service is a database of users, groups, devices, and policies. Microsoft Active Directory dominates enterprise IT, it stores who works at the company, what groups they're in, and what they can access on every Windows machine. LDAP is the protocol AD speaks; you can query 'all users in the engineering OU' with a few lines of code.

example.comdomain root
└─OU=Engineering
  └─alice
  └─bob
└─OU=Sales
  └─carol
  └─dave
Active Directory organizes users into a tree of Organizational Units (OUs). Group Policy and permissions flow down the branches.

Single Sign-On (SSO)

SSO lets a user log in once and then access many services without re-authenticating. The user authenticates with the identity provider (IdP). Okta, Microsoft Entra, Google Workspace, and the IdP issues a token the apps trust. Benefits: one strong password instead of dozens, central MFA, instant offboarding when a user leaves.

OAuth 2.0 and OpenID Connect (OIDC)

OAuth is for authorization, 'this app can read my Google contacts'. OIDC is OAuth + identity, it adds an ID token that proves who you are. When you click 'Sign in with Google', that's OIDC. Behind the scenes the app redirects you to Google, you approve, Google sends the app an ID token, and the app trusts it.

User
clicks Sign in
↓
App
redirects to the IdP
↓
IdP login page
user authenticates
↓
Redirect back
with a one-time auth code
↓
App exchanges code
receives ID token + access token
OpenID Connect authorization code flow. The app never sees the password, only the tokens it gets back.

💡 Why this matters at every job

Almost every modern company uses an SSO provider. Knowing how SAML and OIDC work makes you instantly useful, most onboarding/offboarding tickets touch one of these.

Querying LDAP in Python

A simplified LDAP search to find all users in a department.

python
from ldap3 import Server, Connection, ALL
server = Server('ldap.example.com', get_info=ALL)
conn = Connection(server, 'cn=admin,dc=example,dc=com', 'password', auto_bind=True)
conn.search(
'ou=Engineering,dc=example,dc=com',
'(objectClass=person)',
attributes=['cn', 'mail']
)
for entry in conn.entries:
print(entry.cn, entry.mail)
Quick Check

What's the difference between OAuth and OIDC?

Choose the best one-line answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Access Control Models
Back to Identity and Access Management
Privileged Access Management→