For many years, LDAP has been the dominant protocol for secure user authentication against on-premises directories. Organizations use LDAP to store and retrieve data from directory services, and it is a critical part of the Active Directory (AD) ecosystem. A major challenge organizations face with Okta is enrolling users when an LDAP system is already in place.
Okta has become a de facto solution for authenticating users to modern web applications, but many aren’t sure how to use it for other applications such as Wi-Fi and VPN network authentication. Okta doesn’t natively support LDAP, but luckily there are some ways to achieve LDAP-level authentication while still using Okta.
What is LDAP?
Lightweight Directory Access Protocol, or LDAP, is an authentication protocol that lets a client look up data stored on a directory server. The “data” can be any information about organizations, devices, or users held in the directory. LDAP is the protocol servers use to talk to on-premises directories. One common example is a RADIUS server using it to query a directory in order to authenticate users for Wi-Fi and VPN access.
Okta LDAP Agent For On-Premise Servers
Okta developed a lightweight LDAP agent in 2015 as a means of supporting organizations that run LDAP servers. The Okta LDAP agent enables delegated authentication, meaning users can authenticate to Okta using their local LDAP credentials without those credentials being replicated to the cloud.
The agent can also enable a host of other applications:
- Users and groups can be automatically imported from LDAP to Okta
- Any changes made in LDAP can auto-sync to Okta and vice versa
- Automated provisioning of LDAP users can be done via the agent
- Okta’s self-service reset flow handles end-user password change requests without IT involvement
The Okta agent can be a viable option for organizations that want to keep their on-premises server while migrating some features to the cloud. There are, however, some known feature limitations:
- No Group Password Policy
- No Per-instance Delegated Authentication
- No Group Push
Moreover, maintaining an on-premises server alongside your Okta directory in the cloud can be time-consuming and expensive, especially since it means keeping an LDAP expert on hand for maintenance. Luckily, there are solutions that don’t require you to host and maintain two servers, which we discuss next.
Replace LDAP With Certificate-Based Authentication
Historically, LDAP security was imperative because there were no alternatives for storing and retrieving the sensitive information used in network authentication. However, standard LDAP traffic is not encrypted, leaving it vulnerable to cyberattacks. Moreover, organizations using LDAP are relying on credential-based authentication, which puts them at high risk of over-the-air credential theft. This method is antiquated and leaves much to be desired in terms of overall security.
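The exposure described above is concrete enough to detect on the wire. The following added example (not code from the original post, Okta or SecureW2) decodes the BER layout of an LDAP BindRequest and flags any "simple" bind, which carries the password as a plain OCTET STRING, seen on a connection that is not protected by LDAPS or a completed StartTLS exchange. The sample flows, hostnames, DNs and passwords are constructed for the demonstration; the alert deliberately records only the length of the exposed password, never its value.

```python
"""Flag cleartext LDAP simple binds in captured traffic.

Added illustration, not code from the original post, Okta or SecureW2. Plain
LDAP on tcp/389 is unencrypted, and a "simple" BindRequest carries the user's
password as a BER OCTET STRING, so one seen on a non-TLS stream is a leaked
credential. The decoder handles just enough BER (RFC 4511 layout) to pull the
bind method and DN out of an LDAPMessage; the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LDAP_MESSAGE = 0x30   # SEQUENCE
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] OCTET STRING: the password, in the clear
AUTH_SASL = 0xA3      # [3] SaslCredentials SEQUENCE

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one short-form BER TLV; only used to build the samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

@dataclass
class BindInfo:
    version: int
    name: str         # bind DN; "" means anonymous
    method: str       # "simple" or the SASL mechanism name
    secret_len: int   # length of a cleartext password (never its value)

def parse_bind_request(msg: bytes) -> Optional[BindInfo]:
    """Return BindInfo for a BindRequest LDAPMessage, None for any other operation."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != LDAP_MESSAGE:
        raise ValueError("not an LDAPMessage")
    tag, _mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, ver, pos = _read_tlv(op, 0)          # version INTEGER
    _, name, pos = _read_tlv(op, pos)       # name LDAPDN
    tag, auth, _ = _read_tlv(op, pos)       # authentication CHOICE
    if tag == AUTH_SIMPLE:
        return BindInfo(ver[0], name.decode(), "simple", len(auth))
    if tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)     # first field is the mechanism name
        return BindInfo(ver[0], name.decode(), mech.decode(), 0)
    raise ValueError(f"unknown AuthenticationChoice tag {tag:#x}")

@dataclass
class Flow:
    client: str
    dst_port: int
    tls: bool         # True for LDAPS, or once StartTLS has completed
    payload: bytes

def scan(flows) -> list:
    """One alert line per cleartext simple bind; the password itself is never logged."""
    alerts = []
    for f in flows:
        info = parse_bind_request(f.payload)
        if info is None or info.method != "simple" or f.tls or info.secret_len == 0:
            continue    # not a bind, not simple, protected by TLS, or anonymous
        alerts.append(f"{f.client} -> tcp/{f.dst_port}: cleartext simple bind as "
                      f"'{info.name}' ({info.secret_len}-byte password exposed)")
    return alerts

def _bind(dn: str, auth: bytes) -> bytes:
    """Build a constructed LDAPv3 BindRequest LDAPMessage (messageID 1)."""
    op = _tlv(BIND_REQUEST, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + auth)
    return _tlv(LDAP_MESSAGE, _tlv(0x02, b"\x01") + op)

# Constructed sample traffic: one exposed bind, two acceptable binds, one search.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 389, False, _bind("cn=alice,dc=example,dc=com", _tlv(AUTH_SIMPLE, b"hunter2"))),
    Flow("10.0.0.6", 636, True, _bind("cn=bob,dc=example,dc=com", _tlv(AUTH_SIMPLE, b"s3cret!"))),
    Flow("10.0.0.7", 389, False, _bind("", _tlv(AUTH_SASL, _tlv(0x04, b"GSSAPI") + _tlv(0x04, b"\x60\x00")))),
    Flow("10.0.0.8", 389, False, _tlv(LDAP_MESSAGE, _tlv(0x02, b"\x02") + _tlv(0x63, b""))),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS):
        print(line)
```

Only the first flow produces an alert: the bind on tcp/636 is wrapped in TLS, and the GSSAPI bind does not place a password on the wire even though the stream is plaintext. In a real deployment the `tls` flag would come from the capture tool's stream state rather than being set by hand, and on Active Directory the same condition can be observed without packet capture, since domain controllers record cleartext simple binds and unsigned SASL binds in the Directory Service log as event 2889 when LDAP interface diagnostics logging is enabled.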
Today, digital X.509 certificates have replaced credentials as the go-to authentication mechanism for many applications. Certificates also eliminate the need for LDAP, since you can easily create a SAML application in Okta to authenticate users and enroll them for unique certificates. In the past, certificates were used only by large entities with high security requirements. However, with the increase in cybercriminal activity and the advancement of data theft techniques (along with significant advances in certificate and cloud technology), certificates have become the quintessential method for network authentication.
Certificates provide a substantial upgrade to network security and user experience as their proper usage can eliminate the threat of Man-in-the-Middle attacks and password-based headaches. With SecureW2, you can easily replace LDAP with our fully equipped managed PKI. We provide everything an organization needs to use digital certificates to automatically authenticate to a network securely.
SecureW2 offers a turnkey Cloud PKI solution, a Cloud RADIUS service, and the industry’s #1-rated certificate delivery platform, which can be integrated into any environment and enable certificate-based authentication in a matter of hours.
Stronger Security with Certificate-based Authentication
While LDAP is widely used by enterprise organizations, Okta users may find it frustrating to keep leveraging their current LDAP servers, as doing so costs far too much time and money.
Luckily, SecureW2 works with all SAML-based cloud identity providers, including Okta, so you don’t have to worry about any headaches associated with the integration process. If you’re ready to make the transition to secure and easy-to-use certificates, check out our pricing here to see if we can be of service.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Eytan Raphaely. Read the original post at: https://www.securew2.com/blog/ldap-authentication-okta/