LDAP Authentication Proxy
Most, if not all, of your on-prem applications use Active Directory for user authentication. If you can't precisely control and limit who can request access to these applications, you face two security concerns. First, someone who knows a user's password can easily impersonate that user, access their information, and make transactions on their behalf; if the application is reachable remotely, you won't be able to trace who did it. Second, someone who does not know the user's password can quickly obtain it by brute force (or lock the user's account if you implemented lockout counter-measures).
Therefore, it is highly recommended that you enforce MFA on applications that use AD for authentication whenever these applications can be accessed remotely or by groups of users that you don't trust.
But what if these applications can't be configured or modified to implement MFA? This is where inWebo's LDAP proxy comes in handy. inWebo LDAP proxy (IWLP) is a tool to easily add MFA (second-step authentication) to legacy on-prem applications that you would not otherwise be able to modify easily. You can achieve this without touching these applications and without any integration work, and most inWebo user authentication methods are available.
inWebo LDAP MFA Proxy
The role of inWebo LDAP proxy is to relay LDAP requests to the LDAP server or Active Directory. Only when the LDAP server answers the authentication request successfully does the proxy send a request to the inWebo platform to authenticate the user on a trusted device. The legitimate user then receives a notification on a previously registered authentication app, such as inWebo Authenticator for smartphones or desktops. By validating the request, the user triggers the authentication app to issue a one-time password and send it to the inWebo platform. After verifying it, the inWebo platform informs the LDAP proxy of the successful step-up authentication. In turn, the LDAP proxy returns the user's authorizations and attributes to the application.
The LDAP proxy has a few additional useful capabilities. In particular,
- It can be configured to enforce MFA only for users belonging to certain groups.
- It can be configured to encrypt usernames in the requests sent to the inWebo platform. This is an easy way to implement username aliasing, for example to support GDPR compliance, since the platform never sees the clear-text username.
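The flow described above, together with the two capabilities just listed, can be modelled as a small decision routine. The following is an added illustration, not inWebo's code and not its API: the directory, the MFA platform and its push-and-verify call are constructed stubs, the HMAC-based aliasing stands in for whatever encryption the real product uses, and the group and key values are invented for the example. The point it makes explicit is the ordering: no push is sent to the user's device until the directory has accepted the password, and no attributes are released to the application until the step-up has succeeded.

```python
"""Simulated LDAP MFA proxy decision flow (added example, not inWebo's code).

Order of operations, mirroring the description:
  1. forward the bind (username/password) to the directory;
  2. only on success, decide whether this user needs step-up (group-based);
  3. only then ask the MFA platform for a push approval, sending an alias
     of the username rather than the clear username;
  4. only after approval, return the user's attributes to the application.
Everything below the "constructed" comments is a stand-in for real systems.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed directory: username -> (password, groups, attributes).
DIRECTORY = {
    "alice": ("correct horse", {"vpn-users", "finance"}, {"mail": "alice@example.test"}),
    "bob":   ("hunter2",       {"staff"},                {"mail": "bob@example.test"}),
}


def ldap_bind(username: str, password: str) -> bool:
    """Stub for the real directory bind; constant-time compare on the stub secret."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())


def ldap_groups(username: str) -> Set[str]:
    return DIRECTORY[username][1]


def ldap_attributes(username: str) -> Dict[str, str]:
    return DIRECTORY[username][2]


class FakeMfaPlatform:
    """Constructed stand-in for the MFA platform (hypothetical API, not inWebo's)."""

    def __init__(self, approving_aliases: Set[str]) -> None:
        self.approving = set(approving_aliases)   # aliases whose device approves pushes
        self.requests: List[str] = []             # every alias we were asked to push to

    def push_and_verify(self, alias: str) -> bool:
        self.requests.append(alias)
        return alias in self.approving


@dataclass
class ProxyConfig:
    mfa_groups: Set[str]                 # enforce MFA only for members; empty = everyone
    alias_key: Optional[bytes] = None    # HMAC key for username aliasing; None = clear


@dataclass
class BindResult:
    success: bool
    reason: str
    attributes: Dict[str, str] = field(default_factory=dict)


def alias_username(username: str, key: Optional[bytes]) -> str:
    """Keyed, deterministic alias so the MFA platform never sees the real username."""
    if key is None:
        return username
    return hmac.new(key, username.lower().encode(), hashlib.sha256).hexdigest()


def proxy_bind(cfg: ProxyConfig, mfa: FakeMfaPlatform,
               username: str, password: str) -> BindResult:
    # 1. First factor: the directory decides. A wrong password stops here,
    #    so no push is ever generated for an unauthenticated request.
    if not ldap_bind(username, password):
        return BindResult(False, "invalid credentials")

    # 2. Group-based enforcement: users outside the configured groups get
    #    password-only access (the page's first extra capability).
    if cfg.mfa_groups and not (ldap_groups(username) & cfg.mfa_groups):
        return BindResult(True, "password only (not in MFA group)", ldap_attributes(username))

    # 3. Step-up on the registered device, addressed by alias only.
    alias = alias_username(username, cfg.alias_key)
    if not mfa.push_and_verify(alias):
        return BindResult(False, "step-up denied or timed out")

    # 4. Attributes are released only after both factors succeeded.
    return BindResult(True, "password + MFA", ldap_attributes(username))


if __name__ == "__main__":
    cfg = ProxyConfig(mfa_groups={"vpn-users"}, alias_key=b"example-alias-key")
    platform = FakeMfaPlatform({alias_username("alice", cfg.alias_key)})
    print(proxy_bind(cfg, platform, "alice", "correct horse"))
    print(proxy_bind(cfg, platform, "alice", "wrong"))
    print(proxy_bind(cfg, platform, "bob", "hunter2"))
```

Two checks worth keeping when reviewing a real deployment: the platform's request log must stay empty after a failed bind (step 1 short-circuits), and the log must contain only aliases when aliasing is on, since that is the whole point of the feature.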
How to activate inWebo LDAP proxy with your service
Deploying inWebo LDAP MFA proxy is straightforward:
- Download and install the package from our developer website.
- Configure the proxy (e.g. DN, paths, groups, service name and certificate…).
- Test and run it.