Identity Lookup – Cloud Directory Authentication without LDAP

What is Identity Lookup?

Identity Lookup, or ID Lookup, is very similar to the user lookup function sometimes used in credential authentication with LDAP. It’s a tool that allows the RADIUS server to check authentication requests against the directory and make policy decisions based on user properties.

Where LDAP is limited to a select few identity providers (IDPs), all of which are on-prem, Identity Lookup can perform the same functions for a wider variety of Cloud IDPs:

  • Okta
  • Azure
  • G Suite

For the first time, you can perform user lookup in an all-cloud environment, even if you’re using certificate-based authentication.

How Does Identity Lookup Work?

One of the key differences between credential-based authentication and certificate-based RADIUS authentication is the resource they check authentication requests against.

Credential-based systems typically use LDAP to check their identity provider, usually Active Directory (AD), to decide whether the credentials are valid or not. Assuming the login information matches what is stored in the directory, the request is authenticated.

Since a certificate-based system doesn’t require the user to input a username or password, there is no need to check the directory. The RADIUS has a list of trusted Certificate Authorities (CAs); if the certificate presented was signed by a CA on that list and the client proves possession of the private key matching the certificate’s public key, then the certificate is good to go.

Beyond that, the only check a RADIUS makes for certificate-based authentication is the Certificate Revocation List (CRL), a list of certificates that have been manually revoked. Administrators will revoke a user’s certificates when their permissions change, such as in the case of a promotion or leaving the organization.

Identity Lookup adds another step to the certificate authentication process. Much like LDAP accesses the directory to check user profiles, Identity Lookup uses a lightweight API to make secure requests of your cloud directory. The RADIUS can grant access based on the information stored in the directory, rather than just on the presence of a valid certificate, which paves the way for a dynamic RADIUS.

Eliminate Certificate Management

The implications of the above are enormous.

Certificate management is a cumbersome task at the best of times; it’s daunting enough that some companies willingly give up the increased security of certificates and settle for simpler credentials. Very complex and expensive solutions have been built around efficiently managing certificates, including some of our own products.

All of that is unnecessary because of Identity Lookup. It shifts the emphasis from certificate management to user management. Currently, when an employee leaves an organization or has their responsibilities change, someone has to go in and manually revoke each certificate issued to them… then issue new ones that reflect the updated permissions.

This is necessary because policy is enforced at the certificate level, which in turn was necessary because the RADIUS had no direct access to the directory before. With Identity Lookup, user attributes can be stored in the directory rather than on the certificate, where they can be read at runtime to enforce policy decisions – the core functionality of dynamic RADIUS. Instead of revoking and reissuing a static certificate, you simply edit the user’s attributes and the updated permissions propagate immediately.

That makes for a much safer and more reliable alternative to certificate management, since no one has to remember to find and add every certificate to the CRL.
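As an added illustration of the flow described under “How Does Identity Lookup Work?” and of the revocation argument above (example code, not SecureW2’s implementation or a real RADIUS server): the RADIUS first applies the classic trusted-CA and CRL checks, then looks the certificate’s identity up in a constructed in-memory directory and derives the policy decision from the user’s attributes, so disabling the user in the directory blocks access without touching the CRL. The CA name, directory contents and group-to-VLAN mapping are assumed sample values.

```python
# Simplified model of the decision flow: trusted-CA check, CRL check, then a
# runtime Identity Lookup against a (constructed) cloud directory.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClientCert:
    subject_upn: str   # identity carried in the certificate (e.g. a SAN UPN)
    issuer: str        # CA that signed the certificate
    serial: int
    key_proof_ok: bool # did the TLS handshake prove possession of the private key?


@dataclass
class DirectoryUser:
    enabled: bool
    groups: List[str]


# Constructed sample data standing in for the trust store, the CRL and the directory.
TRUSTED_CAS = {"CN=Example Corp Issuing CA"}
CRL = {0x1002}
DIRECTORY = {
    "alice@example.com": DirectoryUser(enabled=True, groups=["staff", "engineering"]),
    # Offboarded by disabling the account; the certificate itself was never revoked.
    "bob@example.com": DirectoryUser(enabled=False, groups=["staff"]),
}
GROUP_VLAN = {"engineering": 20, "staff": 10}  # first matching group wins


def authenticate(cert: ClientCert, use_identity_lookup: bool = True) -> dict:
    """Return a RADIUS-style decision: Access-Reject, or Access-Accept plus a VLAN."""
    # Classic certificate-only checks: trusted issuer, key proof, not on the CRL.
    if cert.issuer not in TRUSTED_CAS or not cert.key_proof_ok:
        return {"result": "Access-Reject", "reason": "untrusted certificate"}
    if cert.serial in CRL:
        return {"result": "Access-Reject", "reason": "certificate revoked"}
    if not use_identity_lookup:
        return {"result": "Access-Accept", "vlan": None}
    # Identity Lookup: consult the directory at runtime and enforce policy from attributes.
    user = DIRECTORY.get(cert.subject_upn)
    if user is None or not user.enabled:
        return {"result": "Access-Reject", "reason": "user unknown or disabled in directory"}
    vlan: Optional[int] = next((v for g, v in GROUP_VLAN.items() if g in user.groups), None)
    if vlan is None:
        return {"result": "Access-Reject", "reason": "no group grants network access"}
    return {"result": "Access-Accept", "vlan": vlan}
```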

Passwordless Wi-Fi Solution for Major Cloud Directories

Identity Lookup is one of those rare solutions that is both more convenient and more secure than the technology it replaces. Furthermore, it paves the way for the introduction of dynamic RADIUS authentication.

This is your opportunity to fully take your network to the cloud, and SecureW2 can help every step of the way. We have affordable options for organizations of all sizes; see our pricing page for details.



*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Patrick Grubbs. Read the original post at: https://www.securew2.com/blog/identity-lookup-cloud-directory-authentication-without-ldap/