We’re redesigning authentication and user provisioning for our TC 13.1 configuration management deployment and debating between continuing with LDAP integration versus migrating to SAML federation. Our current LDAP setup works but requires manual group synchronization and doesn’t support SSO with other enterprise applications.
Looking for perspectives on the practical differences between LDAP integration for user sync and SAML federation for authentication in real production environments. Specifically interested in access control model implications - LDAP gives us direct group membership queries, while SAML relies on claims and assertions. How does this affect configuration management workflows where access control is tightly coupled to project teams and change authority?
Has anyone migrated from LDAP to SAML in a live system? What unexpected challenges came up in the access control models and user provisioning workflows?
The access control model difference is significant. With pure LDAP, Teamcenter queries Active Directory directly for group membership during access checks. With SAML, group membership comes as claims in the assertion at login time. This means if someone’s AD groups change mid-session, LDAP-based access control reflects it immediately but SAML-based doesn’t until next login. For configuration management where change authority is dynamic, this can be problematic.
Don’t overlook the provisioning workflow differences. LDAP integration typically uses scheduled sync jobs that pull user and group data from AD. SAML with SCIM (System for Cross-domain Identity Management) enables real-time provisioning - new users are created in Teamcenter automatically on first login. For configuration management with frequently changing project teams, real-time provisioning is much cleaner than batch sync jobs that might run only nightly.
<saml:AttributeStatement>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>CN=ChangeBoard,OU=TC</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
We did exactly this migration on TC 12.4 last year. The biggest surprise was that SAML doesn’t replace LDAP - you need both. SAML handles authentication and SSO, but Teamcenter still needs to query directory services for group membership and organizational structure. We kept LDAP for user provisioning and group sync, added SAML for authentication. The combination gives you SSO plus the group-based access control that configuration management requires. Don’t think of it as LDAP vs SAML - it’s LDAP AND SAML working together.
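The "LDAP and SAML together" model described in this reply, together with the mid-session group-change problem and the group-claims assertion from the earlier replies, as an added Python example (this is not code from the thread, from Siemens Teamcenter, or from any SAML library). It parses the group attribute out of a constructed SAML assertion modelled on the snippet above, then checks change-approval authority two ways: against the claims snapshot taken at login (pure SAML) and against a live directory query (the LDAP-backed check). The assertion XML, the in-memory directory that stands in for an AD/LDAP group lookup, the user name, and the ChangeBoard role are all constructed for illustration; the role of the real code would be a query to the directory server.

```python
"""Added example: SAML claims snapshot vs. live directory lookup for
group-based access decisions. Nothing here is Teamcenter code; the
directory is an in-memory dict standing in for an LDAP/AD query."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment modelled on the snippet in the thread.
# In production the Response/Assertion signature must be verified before
# any attribute is trusted; that step is out of scope for this example.
ASSERTION_XML = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CN=ChangeBoard,OU=TC</saml:AttributeValue>
      <saml:AttributeValue>CN=ProjectA-Engineers,OU=TC</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def cn_from_dn(dn: str) -> str:
    """Extract the CN from a DN such as 'CN=ChangeBoard,OU=TC'."""
    for part in dn.split(","):
        key, _, val = part.partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    raise ValueError(f"no CN in DN: {dn!r}")


def parse_assertion(xml_text: str) -> tuple[str, frozenset[str]]:
    """Return (subject NameID, set of group CNs) carried by the assertion."""
    root = ET.fromstring(xml_text.strip())
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    groups = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "groups":
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            groups.add(cn_from_dn((value.text or "").strip()))
    return name_id, frozenset(groups)


@dataclass
class Session:
    user: str
    groups_at_login: frozenset[str]  # snapshot taken from the SAML assertion


# Constructed stand-in for the directory (AD/LDAP) group-membership query.
DIRECTORY: dict[str, set[str]] = {
    "jdoe@example.com": {"ChangeBoard", "ProjectA-Engineers"},
}


def live_groups(user: str) -> frozenset[str]:
    """What an LDAP group lookup would return right now."""
    return frozenset(DIRECTORY.get(user, set()))


def may_approve_change(session: Session, mode: str) -> bool:
    """mode='claims': trust the login-time snapshot (pure SAML).
    mode='directory': query the directory at decision time (LDAP-backed)."""
    if mode == "claims":
        groups = session.groups_at_login
    elif mode == "directory":
        groups = live_groups(session.user)
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return "ChangeBoard" in groups


def demo() -> dict[str, bool]:
    """Authenticate via the assertion, then revoke ChangeBoard mid-session
    and show that only the directory-backed check notices."""
    user, groups = parse_assertion(ASSERTION_XML)
    session = Session(user, groups)
    before = {m: may_approve_change(session, m) for m in ("claims", "directory")}
    DIRECTORY[user].discard("ChangeBoard")  # AD change after login
    after = {m: may_approve_change(session, m) for m in ("claims", "directory")}
    return {
        "claims_before": before["claims"],
        "directory_before": before["directory"],
        "claims_after": after["claims"],
        "directory_after": after["directory"],
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the split the thread describes: both checks grant before the AD change, but after it the claims-based check still grants until the user logs in again while the directory-backed check denies immediately. The usual mitigation is the one this reply lands on: use the SAML assertion for authentication and re-query the directory (or refresh the group snapshot on a short interval) for the authorization decisions where change authority must be current.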
The point about needing both LDAP and SAML together is eye-opening. I was thinking of it as an either-or decision. Real-time provisioning with SCIM would definitely help with our frequent project team changes. How do you handle the group membership timing issue in configuration management workflows where change authority needs to be current?