LDAP and SSO are fundamentally different approaches to user authentication in Moodle. LDAP performs credential lookups directly against a directory service; SSO delegates authentication to a centralized identity provider. Understanding the distinction helps you choose the right approach for your setup.

LDAP Authentication

With Moodle’s LDAP plugin, each Moodle instance authenticates users itself by querying an LDAP directory — typically an on-premises Active Directory server accessible over the local network. When a user logs in:

  1. Moodle connects to the LDAP server and checks the submitted credentials against the directory.
  2. If the credentials match, Moodle checks whether the user account exists locally; if not, it creates one.
  3. Moodle creates a session.

This works well when your LDAP server is on the same network as Moodle. It is not SSO — each Moodle instance authenticates independently, so a user with access to three instances must log in to each one separately.

Single Sign-On (SSO)

An SSO solution centralizes authentication in a dedicated identity provider (IdP) — such as Azure AD, Okta, or any SAML2-compatible service. When a user logs in to a connected application:

  1. The application redirects the user to the IdP.
  2. The user authenticates once at the IdP — or is recognized as already authenticated.
  3. The IdP redirects back with the outcome and the user’s profile data.
  4. Moodle checks whether the user account exists locally; if not, it creates one.
  5. Moodle creates a session.

Moodle never sees the user’s credentials — it only receives the result from the IdP. If the same user then accesses a second Moodle instance, they are already authenticated at the IdP and pass through without logging in again.
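The two login flows described above, modelled side by side. This is an added Python example, not Moodle's or any identity provider's code. The class names, the in-memory directory, and the HMAC that stands in for a SAML2/OIDC signature are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

DIRECTORY = {"alice": "correct horse"}  # constructed sample directory entry

def check(directory, user, password):   # stand-in for the directory's credential check
    stored = directory.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class Site:                             # state shared by both models of a Moodle instance
    def __init__(self, name):
        self.name, self.users, self.sessions, self.passwords_seen = name, set(), set(), 0
    def _start_session(self, user):
        self.users.add(user)            # create the local account if it does not exist
        self.sessions.add(user)
        return True

class LdapSite(Site):
    def login(self, directory, user, password):
        self.passwords_seen += 1        # the password passes through this instance
        return check(directory, user, password) and self._start_session(user)

class IdP:
    def __init__(self, directory):
        self.directory, self.key, self.sessions = directory, secrets.token_bytes(32), {}
    def login(self, user, password):    # the only place a password is entered
        if not check(self.directory, user, password):
            return None
        cookie = secrets.token_hex(16)  # IdP session: later requests skip the prompt
        self.sessions[cookie] = user
        return cookie
    def assertion(self, cookie, audience):
        user = self.sessions.get(cookie)
        if user is None:
            return None
        body = json.dumps({"sub": user, "aud": audience}).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).digest()

class SsoSite(Site):
    def __init__(self, name, idp_key):
        super().__init__(name)
        self.idp_key = idp_key          # stands in for the IdP's signing certificate
    def consume(self, assertion):
        if assertion is None:
            return False
        body, sig = assertion
        expected = hmac.new(self.idp_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False                # not signed by the trusted IdP
        claims = json.loads(body)       # accept only assertions issued for this instance
        return claims["aud"] == self.name and self._start_session(claims["sub"])
```

With three instances, the LDAP model handles the password three times, while the SSO model handles it once at the IdP and never at Moodle. The audience check keeps an assertion issued for one instance from being accepted by another.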

Azure AD: LDAP Is Not Available by Default

Azure AD (Entra ID) is a cloud service and does not expose a traditional LDAP endpoint. To use LDAP with Azure AD, you would need to set up Azure AD Domain Services (AD DS) — a managed domain add-on that does expose LDAP. This is a complex configuration and carries meaningful security risk: exposing LDAP over the internet is roughly equivalent to opening a database port publicly.

For Azure AD environments, SSO via SAML2 or OIDC is the straightforward and recommended path. If you do need to evaluate AD DS, these references cover the setup:

Which to Use

Use LDAP if:

  • You have an on-premises Active Directory server on the same network as Moodle.
  • You have a single Moodle instance, or separate logins per instance are acceptable.

Use SSO if:

  • Your identity provider is cloud-based (Azure AD, Okta, Google Workspace, etc.).
  • You have multiple Moodle instances or other applications that should share a single login.
  • You want to decouple Moodle from the specifics of where credentials are stored.

Solin specializes in Moodle authentication and directory integration.
