Last updated on August 27, 2024
Overview
Rublon adds Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) to any application that supports the Lightweight Directory Access Protocol (LDAP). Any generic application that supports LDAP can be integrated with Rublon MFA using the Rublon Authentication Proxy. The Auth Proxy acts as an intermediary between your LDAP-compatible applications and Rublon, ensuring that all authentication requests are secured with an additional layer of authentication.
The Rublon Authentication Proxy does not store user credentials. Instead, it connects to your existing LDAP directory service, such as Active Directory or OpenLDAP, to verify user credentials during primary authentication. This setup allows seamless integration with your current infrastructure while enhancing security with Rublon MFA.
Before You Start
- Check the list of described Rublon Authentication Proxy integrations. Chances are, your application is already there. In that case, follow the instructions for that particular integration instead of this generic documentation for more detailed steps and screenshots.
- Ensure the Rublon Authentication Proxy is installed and configured within your network. This is a crucial step to enable MFA for your LDAP-based applications.
Configuration
Follow these steps to enable Rublon MFA for your generic LDAP application.
Rublon Authentication Proxy
1. Install the Rublon Authentication Proxy. (See: Rublon Authentication Proxy: Installation)
2. Configure LDAP authentication in the Auth Proxy configuration file, allowing the Rublon Authentication Proxy to communicate with your LDAP directory service. (See: Configuring the Rublon Authentication Proxy as an LDAP Proxy Server)
3. Set up a read-only bind account in your LDAP directory service that the Rublon Authentication Proxy will use to perform user searches (access_user_dn & access_user_password). This account should adhere to the principle of least privilege, meaning it should only have the permissions necessary to perform its intended functions. The credentials for this account are used only within your internal infrastructure and are never transmitted to Rublon servers. (See: How do I find the Bind DN for the Active Directory user (access_user_dn in Rublon Auth Proxy config)?)
4. (Optional) Synchronize users from Active Directory, OpenLDAP, or another LDAP directory service using Directory Sync. (See: How to synchronize users from Active Directory using Directory Sync & How to synchronize users from OpenLDAP using Directory Sync)
5. After making the necessary changes, save the configuration file and restart the Rublon Authentication Proxy to apply the new settings.
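One way to sanity-check the least-privilege requirement from step 3 for an Active Directory bind account, as an added example that is not part of Rublon's documentation: the script audits an LDIF export of the account (for example, produced with ldapsearch) for privileged group membership and risky account flags. The account name, domain, group names, and sample LDIF are constructed for illustration; an empty result means no red flags were seen, not proof that the account is read-only.

```python
import base64

# Built-in AD groups that grant far more than directory read access.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators"}
# userAccountControl bits that a directory-search account should not carry.
RISKY_UAC = {0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):              # "attr:: <base64 value>"
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def audit_bind_account(entry):
    """Return a list of findings; an empty list means no red flags were seen."""
    findings = []
    for group_dn in entry.get("memberof", []):
        cn = group_dn.split(",")[0].partition("=")[2]
        if cn.lower() in PRIVILEGED_GROUPS:
            findings.append(f"member of privileged group: {cn}")
    if entry.get("admincount", ["0"])[0] == "1":
        findings.append("adminCount=1 (is or was in a protected group)")
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    findings += [f"risky UAC flag: {n}" for b, n in RISKY_UAC.items() if uac & b]
    return findings

# Constructed sample export; the account, groups, and domain are hypothetical.
SAMPLE_LDIF = """\
dn: CN=svc-rublon-bind,OU=Service Accounts,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,
 DC=example,DC=com
memberOf:: Q049TERBUCBSZWFkZXJzLE9VPUdyb3VwcyxEQz1leGFtcGxlLERDPWNvbQ==
adminCount: 1
userAccountControl: 590336
"""

if __name__ == "__main__":
    print("\n".join(audit_bind_account(parse_ldif_entry(SAMPLE_LDIF))))
```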
LDAP Application
1. Now that you have set up the Authentication Proxy for your LDAP directory service, you must integrate the Auth Proxy with your LDAP application.
2. Log in to the administrator panel of your LDAP application and locate the LDAP configuration section. Configure the LDAP connection details to point to the Rublon Authentication Proxy. While the names of tabs, options, and values may slightly differ from one application to another, the general idea behind the configuration is always the same.
3. Attempt to log in to your LDAP application. If the integration is successful, you will be prompted to complete Rublon MFA before gaining access.
Log in to Your Generic LDAP Application With Rublon MFA
After configuring the Rublon Authentication Proxy and your LDAP-integrated application, it is time to test your setup. The example below shows how to log in to a generic LDAP application.
1. Initiate login to your application. You usually use a VPN client or your web browser for that.
2. Enter your login and password, then complete the second factor, such as Mobile Push, Email Link, YubiKey OTP, or SMS Link.
Troubleshooting
If you encounter any issues with your Rublon integration, please contact Rublon Support.
Related Posts
Rublon Authentication Proxy – List of Documented Integrations
Rublon Authentication Proxy: Installation
Configuring the Rublon Authentication Proxy as an LDAP Proxy Server
How to synchronize users from Active Directory using Directory Sync
How to synchronize users from OpenLDAP using Directory Sync
Rublon Use Guide – Append Mode