LDAP and OpenID Connect

Hello,
I wanted to know what happens after we configure LDAP/AD in a corporate environment. Does Auth0 still use OpenID Connect?

This is a scenario for a mobile app for consumers. How do the enterprise APIs get authenticated after the user gets authenticated with LDAP?

Any documentation for an end-to-end flow would be helpful.

Configuring an upstream identity provider within an Auth0 tenant (creating a connection of a specific type) means the tenant will be acting as a broker between a downstream client application and an upstream identity provider.

Something like:

  1. client application makes authentication request to tenant (it technically does not need to know which connection types are enabled).
  2. the tenant (assuming there’s no previous authentication session) displays a login page where in some way or another the user will be able to make a selection about which method of authentication will be used (in summary, the end-user explicitly or implicitly selects a connection type).
  3. if the connection type selected involves an upstream identity provider then the tenant will orchestrate the necessary steps to authenticate the user.
  4. the tenant returns a response to the client application in accordance with the request performed in the initial step.

This means that for steps 1 and 4 the request and response will follow the rules of the protocol the application selected. An application can select OpenID Connect/OAuth 2.0, WS-Federation and SAML.

For step 3, the set of steps performed does NOT need to use the same protocol that the application selected and will vary depending on the upstream identity provider. The supported protocols will be OpenID Connect/OAuth 2.0 (social connections being an example), WS-Federation (ADFS connection being an example), SAML (SAML generic connection being an example) and LDAP (the AD/LDAP connection type).

In conclusion, to answer your question, the configuration of an AD/LDAP connection means that the approach used for that connection (LDAP) will be used for the part of the steps involving the connection. However, this does not restrict what the applications you configured in the dashboard may use when initiating the authentication request.
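
Steps 1 and 4 of the answer above, seen from a mobile client that selected OpenID Connect, as an added example that is not part of the original posts or Auth0's own code: the client sends an authorization code request with PKCE and validates the callback, and nothing in either message refers to the AD/LDAP connection used in step 3. The tenant domain, client id and redirect URI are constructed placeholders, and the `/authorize` path is an assumption to be checked against the tenant's discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders, not values from the page.
TENANT = "https://tenant.example"
CLIENT_ID = "CONSTRUCTED_CLIENT_ID"
REDIRECT_URI = "com.example.app://callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request():
    """Step 1: the client speaks OIDC to the tenant and names no connection type."""
    pending = {"state": secrets.token_urlsafe(32),
               "verifier": secrets.token_urlsafe(64)}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": pending["state"],
        "code_challenge": pkce_challenge(pending["verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{TENANT}/authorize?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Step 4: validate the OIDC response, then build the token request form."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    # Reject responses that were not triggered by this client's request.
    if not secrets.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "code_verifier": pending["verifier"],
            "redirect_uri": REDIRECT_URI}
```
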