Azure Secure LDAP and Third Party App

Craig Garland 236 Reputation points
2020-06-01T22:32:41.037+00:00

Hi Guys,

Hope some one can answer this question.

I have a third party application that support LDAP authentication but not 2FA/MFA. I was wondering if I could use Azure Secure LDAP to implement 2FA. This would require Azure Secure LDAP to response when a request was sent in the format of Username THEN password + OTP.

Most of the Article I have read about Azure Secure LDAP say that its design into integrate with other app and request the OTP separately.

If you know this can be done or even cannot be done can you let me know? Also if you have document on how to do it that would be great.

Thanks in advance.

Craig

Azure Active Directory Domain Services
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,760 questions
No comments
{count} votes

Accepted answer
  1. MrAzureAD 81 Reputation points
    2020-06-02T08:37:33.567+00:00

    Hi Craig,

    Neither ADDS nor Azure MFA can do this.
    However, I do not see that as a service limitation. The concept you are describing sounds to me quite retro:
    * User convenience would not be great (user instructions, behavior for different MFA methods, error reporting).
    * From a security point of view, it is a risk as MFA credentials pass through the application and could be caught/used somewhere else.

    I actually do not feel good anymore with letting users enter credentials into applications at all - and that is what is already happening with plain LDAP.

    My strong recommendation is to have a talk with your 3rd party vendor and ask if it is possible / on the roadmap to use modern protocols (OAuth, OpenID Connect, SAML).

    I know this can be hard sometimes ... but the line of arguments is pretty straight forward and any software vendor can hardly deny it.
    Also modern protocols give you a Single Sign-On possibility - both a security and a user convenience improvement.

    Greetings,
    Tobias

    No comments

1 additional answer

Sort by: Most helpful
  1. Craig Garland 236 Reputation points
    2020-06-02T22:26:16.02+00:00

    Hi,

    Tobais, thanks for you answer.

    Although I agree with what you are saying, I unfortunately need a solution now. As the user credentials are always being enter into the application it does not increase the risk. It has already been raised to the vendor to implement this.

    Originally I was hoping that there was some type of proxy server that could be placed in-front of the website that would managed Authentication before connecting to the website. Yet I cannot find any application of that type.

    Thanks
    Craig

    No comments