We have a web based application that is hosted in the cloud. We want to enable single sign-on for our staff. We are entirely a Microsoft shop. The vendor does not provide any federated services integration. The only way is to allow integration via LDAP. They require us to install software on our DC and then allow an LDAP sync on port 389 to one of their servers. What is the best way to secure this authentication? On the firewall side I only plan on allowing communication between the IPs they provided and only on port 389. We have a reverse proxy, which will handle the requests.
Is there a better way to do this? I hate to install this on our DC. I read an article (can't seem to find it now) that suggested installing AD LDS on a server and syncing it with AD DS and using the AD LDS server for LDAP syncing.