Rublon

Secure Remote Access

Last updated on September 1, 2025

MFA for LDAP is a way to protect your LDAP users with Multi-Factor Authentication by introducing an extra layer of protection during application logins. LDAP MFA requires all LDAP users to provide at least two authentication factors each time they sign in to an application. The first factor is usually their password. The second factor is one of the multiple secure authentication methods. MFA for LDAP stops hackers who have your password and denies them access to your accounts.

What is LDAP?

LDAP is a protocol you can use to read directory servers, such as Microsoft Active Directory or OpenLDAP, over a network. A Service Provider uses the LDAP protocol to communicate with an Identity Provider (such as Active Directory). The result of the communication is a successful or unsuccessful authentication of a user. You can add Multi-Factor Authentication (MFA) to the authentication process to introduce an additional security step to the authentication of your users.

LDAP Protocol vs. LDAP Server – Clarification

The LDAP protocol is a protocol used for reading and modifying directories. On the other hand, an LDAP server is any server you can use as a directory server, such as Active Directory, OpenLDAP, FreeIPA, OpenDS, and Apache Directory Server.

How to make the LDAP Protocol More Secure?

You can wrap the LDAP protocol in TLS/SSL. LDAP wrapped in TLS/SSL is called LDAPS.

However, if you want to improve the security of your users’ logins, you have to think in terms of making the whole authentication process more secure. You can add an extra layer of protection to the default password-based authentication of your users to considerably improve their security and reduce the likelihood that their accounts will be compromised.

We call the extra layer of security a second factor. The authentication process that uses two or more factors (password is usually the first factor) is Multi-Factor Authentication (MFA).

But how does MFA work with LDAP?

How Does LDAP MFA Work?

There is no one set way in which MFA works with LDAP. Different security providers and MFA solutions can implement different protocols and technologies to make these integrations possible. Most solutions use open standards, but the way they work can still be slightly different. Let’s break down how a Multi-Factor Authentication (MFA) solution can work with the LDAP server and how and where it uses the LDAP protocol. We will be using Rublon Multi-Factor Authentication as an example.

Rublon MFA uses the LDAP protocol in many scenarios:

  • Remote Desktop Services + Active Directory – You can configure Rublon to verify user login and password against Active Directory during the first step of MFA for your Remote Desktop Services logins.
  • VPN + RADIUS + LDAP Server – You can configure the Rublon Authentication Proxy to verify user login and password against an LDAP server during the first step of MFA for your VPN logins
  • SSO + SAML + LDAP Server – You can configure the Rublon Access Gateway to verify user login and password against an LDAP server during Single Sign-On (SSO) logins to cloud apps.

Remote Desktop Services + Active Directory

The following diagram portrays how Rublon MFA works with Active Directory as the Identity Provider (IdP) for RDP logins.

Note the following:

  1. User opens Remote Desktop Connection and enters their username and password.
  2. The Remote Desktop Session Host checks the login credentials against Active Directory.
  3. If login credentials are correct, the Remote Desktop Session Host asks the Rublon API to send a Mobile Push authentication request to the user’s phone.
  4. Upon accepting the push, the user connects to the remote desktop.

VPN + RADIUS + LDAP

Rublon can protect your VPN connections with Multi-Factor Authentication (MFA) and accepts both RADIUS and LDAP servers (e.g., Active Directory) as IdP.

Refer to MFA for RADIUS for a detailed diagram.

SSO + SAML + LDAP

Rublon can protect your cloud applications and enable flexible Single Sign-On (SSO) using the SAML 2.0 algorithm. Both RADIUS and LDAP servers are supported.

Refer to MFA for SAML for a detailed diagram.

How Do I Enable LDAP MFA For My Users?

Enabling MFA for your LDAP users differs depending on the service you want to protect. Rublon Multi-Factor Authentication can protect your LDAP users logging in to Remote Desktop Services, VPNs, and cloud applications.

How to Enable LDAP MFA for Remote Desktop Services?

Rublon allows you to enable robust Multi-Factor Authentication (MFA) for your Active Directory users who log in to Remote Desktop Services such as RDP, Remote Desktop Gateway (RD Gateway), Remote Desktop Web Access (RD Web), and Remote Desktop Web Client (RD Web Client).

Enable MFA for Remote Desktop Services

How to Enable LDAP MFA for VPNs?

If you would like to enable Multi-Factor Authentication (MFA) on one or more of your VPNs, you can achieve that with the Rublon Authentication Proxy.

The Rublon Authentication Proxy supports LDAP servers (such as OpenLDAP and Active Directory) as identity providers.

Here’s a step-by-step guide:

  1. Deploy and configure the Rublon Authentication Proxy to connect to your LDAP server.
  2. Find the integration instructions in our documentation.
  3. Follow the instructions and integrate your service with the Rublon Authentication Proxy.
  4. Repeat steps 2 and 3 for any number of RADIUS-Compatible services you want.

Enable MFA for VPNs

How to Enable LDAP MFA for SSO and SAML Applications with an LDAP server as your identity provider?

Suppose you would like to have the following set-up:

  • Multiple cloud apps configured for Single Sign-On (SSO)
  • Multiple cloud apps protected with Multi-Factor Authentication (MFA)
  • The login credentials for the first step of MFA verified against your LDAP server, such as Active Directory or OpenLDAP

Rublon can satisfy these requirements. Refer to MFA for SAML for more information, including a diagram and deployment instructions.

Enable MFA for SSO

Related Posts