This guide provides an introduction to some of the key solutions provided by the miniOrange Single Sign On server to secure your Windows infrastructure. Among them: authenticating into connected applications once you are logged in to your Windows domain, and adding a second layer of authentication when you access protected resources through a VPN or a Remote Desktop server.
In all of the above cases, LDAP plays a significant role since it consolidates the information for an entire organization into a central repository. miniOrange provides a wide range of solutions for LDAP, such as LDAP Proxy/Gateway, support for multiple Active Directories as user stores, Active Directory sync with the miniOrange server, etc.
Let's have a detailed look at the solutions.
You are logged in to your Windows system, and you want to log in to an application, say an on-premise app like Application Server ABAP or a cloud app like GSuite. Don't you get tired of logging in to each application with the same credentials every single time? Trust us, we can make it effortless for you.
miniOrange provides a solution which, once you are logged in to Windows, lets you Single Sign On into connected applications hosted both in the cloud and on-premise, provided the applications are configured within the domain for SSO. You can configure intranet portals and applications such as Google Apps, Office 365 etc. so that they log you in automatically when you try to access them.
Here, miniOrange installs a component on the Windows Server that acts as an Identity Provider: it receives the request from the application requesting access, authenticates the user against LDAP and determines whether the user can be automatically logged in to the app.
Some of the use cases & solutions involving LDAP are listed here:
The miniOrange LDAP Gateway allows login to publicly or privately hosted sites using credentials stored in Active Directory, OpenLDAP and other LDAP servers. If the LDAP server is not publicly accessible from your site, this module can be used in conjunction with the miniOrange LDAP Gateway, which is deployed on the DMZ server in the intranet.
The LDAP proxy acts as a middleware layer between the LDAP client (e.g. any CMS, such as WordPress) and the LDAP directory server (e.g. Active Directory).
This lets you configure multiple Active Directories in miniOrange for authentication, and specify which Active Directory is to be used for authentication into which application.
E.g. you can configure AD1, AD2, .... ADN as authentication sources for apps. With this, users in all of these directories will be able to single sign on into all the apps.
When miniOrange is configured as an Identity Provider and LDAP is configured as a user authentication store, users from LDAP can be synced to miniOrange.
If a user is created in miniOrange, the user can be created automatically in LDAP as well. In addition, you have the ability to schedule a sync between LDAP and miniOrange, e.g. a daily sync at a specified time.
A noteworthy use case: you have a set of applications on your Windows system that you want to SSO into after logging in to Windows, and the user credentials are stored in the Active Directory of the machine. We install an IDP component on the Windows server that is responsible for SSO into the applications after Windows authentication. Users also have the option to change their AD password in the miniOrange console, and the change is synced to AD. There is also a directory sync tool, extended with the LDAP gateway (installed on the DMZ server in the intranet), that takes care of syncing users from AD to miniOrange. If a user tries to access the application from outside the system, they are prompted for their credentials before being allowed access.
If you are using a Virtual Private Network (VPN) to allow your users to connect over a public network, securing that access becomes a concern, since users gain access to sensitive digital assets. miniOrange can be of great value here by providing 2-factor authentication on top of VPN authentication. This secures access to protected resources instead of relying only on the VPN username and password.
miniOrange accomplishes this by acting as a RADIUS server: it accepts the username and password entered by the user as a RADIUS request, validates the user against the user store, such as Active Directory (AD), prompts for the second factor, and either grants or denies access based on the user's input.
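As an added example (not miniOrange's code), the exchange just described modelled in Python: the server checks the primary credential against a constructed user store standing in for AD, answers with an Access-Challenge carrying a single-use State attribute, and on the second round trip grants or denies based on the TOTP. The user store, shared secret and injected clock are constructed assumptions.

```python
import hmac
import hashlib
import secrets
import struct
import time

# Constructed user store standing in for Active Directory: username -> (password, TOTP secret).
# Plaintext for illustration only; a real deployment delegates the check to an LDAP bind.
USER_STORE = {"alice": ("Winter2024!", b"constructed-shared-secret")}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; 'now' is injected so the flow is testable offline."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class RadiusTwoFactorServer:
    """Models the RADIUS side: Access-Request -> Access-Challenge -> Access-Accept/Reject."""
    def __init__(self, user_store, clock=time.time):
        self.user_store = user_store
        self.clock = clock
        self.pending = {}  # State attribute value -> username awaiting its second factor

    def handle(self, request: dict) -> dict:
        user = request.get("User-Name")
        state = request.get("State")
        if state is not None:
            # Second round trip: the client echoes State and sends the OTP in User-Password.
            owner = self.pending.pop(state, None)  # single use: a replayed State is rejected
            if owner != user:
                return {"code": "Access-Reject", "Reply-Message": "invalid or expired challenge"}
            expected = totp(self.user_store[user][1], int(self.clock()))
            if hmac.compare_digest(expected, request.get("User-Password", "")):
                return {"code": "Access-Accept"}
            return {"code": "Access-Reject", "Reply-Message": "bad second factor"}
        # First round trip: primary credential against the user store.
        entry = self.user_store.get(user)
        if entry is None or not hmac.compare_digest(entry[0], request.get("User-Password", "")):
            return {"code": "Access-Reject", "Reply-Message": "bad credentials"}
        token = secrets.token_hex(8)
        self.pending[token] = user
        return {"code": "Access-Challenge", "State": token, "Reply-Message": "Enter your OTP"}
```

A failed OTP consumes the challenge, so the client must restart from the primary credential rather than retry against the same State.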
Depending on the VPN client, the 2-factor authentication can be of two types:
When users connect to a Remote Desktop Service, 2-factor authentication is essential to enforce strong protection of your business resources. Installing miniOrange 2-Factor Authentication for Windows Logon adds two-factor authentication to Windows login attempts over RDP.
The 2-factor authentication can be of two types depending on how the Remote App is launched.