We’re wrestling with how to tie Coupa eProcurement into Active Directory for Single Sign-On support for Windows environments.
It all comes down to whether to use IIS and its built-in authentication layer to provide a “no code” LDAP & Single Sign-On capability. The downside is that we’d be using the Ruby binding to IIS, which isn’t as mainstream as we’d like. A second downside is that instead of a nifty “pack of Mongrels” to execute the Ruby code we’d be using FCGI in IIS.
The other route is to stick with Apache 2.2 with a pack of Mongrels and poke into Active Directory via LDAP calls. But that integration option requires knowing the “topology”, or how Active Directory’s LDAP is structured, on a per-customer basis.
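For the LDAP route, the per-customer topology can be kept as data rather than code. The Ruby below is an added example, not Coupa's code: the customer names, DNs, the `DirectoryProfile` struct and the helper names are hypothetical. It builds the search base and an RFC 4515-escaped filter that an LDAP client would then use for the user lookup.

```ruby
# Added example: per-customer Active Directory topology as configuration.
# Customer names, DNs and DirectoryProfile are hypothetical (constructed).

# RFC 4515 escaping so a login name cannot change the shape of the filter.
def escape_filter(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Where users live, which attribute holds the login, optional required group.
DirectoryProfile = Struct.new(:base_dn, :login_attr, :group_dn)

PROFILES = {
  'acme'   => DirectoryProfile.new('OU=Staff,DC=acme,DC=example',
                                   'sAMAccountName',
                                   'CN=Coupa Users,OU=Groups,DC=acme,DC=example'),
  'globex' => DirectoryProfile.new('DC=corp,DC=globex,DC=example',
                                   'userPrincipalName',
                                   nil)
}.freeze

# Returns the base DN and filter for the lookup that precedes the bind.
def user_search(customer, login)
  profile = PROFILES.fetch(customer) do
    raise ArgumentError, "no directory profile for #{customer}"
  end
  raise ArgumentError, 'empty login' if login.to_s.strip.empty?

  clauses = ['(objectClass=user)',
             "(#{profile.login_attr}=#{escape_filter(login)})"]
  clauses << "(memberOf=#{escape_filter(profile.group_dn)})" if profile.group_dn
  { base: profile.base_dn, filter: "(&#{clauses.join})" }
end

# An LDAP simple bind with an empty password is an unauthenticated bind and
# can succeed on the server, so refuse it before any bind is attempted.
def password_usable?(password)
  !password.to_s.empty?
end
```

Onboarding a customer then means adding one profile entry, and the escaping keeps characters such as `*` and `(` in a submitted login from widening the search.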
Here are the details of what we are currently considering for customers who already have a Microsoft network in place with IIS and Active Directory:
- FCGI behind IIS
  - Pros: Quite common, keep existing IIS, free Single Sign On
  - Cons: IIS headaches, FCGI headaches, discouraged in Rails community
- Mongrel behind RForward in IIS
  - Pros: Keep existing IIS without FCGI headaches, free Single Sign On
  - Cons: RForward not maintained anymore
- Mongrel behind Apache 2.2
  - Pros: Common, we have experience
  - Cons: Require customer to change infrastructure, need to integrate with Active Directory
RForward looks like a very attractive option, but we will need to try it out to see how stable it is. Since it is open source, and was itself developed in an open source tool, we might even be able to fix issues we find!

