Azure Secure LDAP and Third Party App

Craig Garland 286 Reputation points
2020-06-01T22:32:41.037+00:00

Hi Guys,

Hope someone can answer this question.

I have a third party application that supports LDAP authentication but not 2FA/MFA. I was wondering if I could use Azure Secure LDAP to implement 2FA. This would require Azure Secure LDAP to respond when a request was sent in the format of Username THEN password + OTP.

Most of the articles I have read about Azure Secure LDAP say that it is designed to integrate with other apps and request the OTP separately.

If you know whether this can be done, or even that it cannot be done, can you let me know? Also, if you have documentation on how to do it, that would be great.

Thanks in advance.

Craig


Accepted answer
  1. MrAzureAD 81 Reputation points
    2020-06-02T08:37:33.567+00:00

    Hi Craig,

    Neither ADDS nor Azure MFA can do this.
    However, I do not see that as a service limitation. The concept you are describing sounds to me quite retro:
    * User convenience would not be great (user instructions, behavior for different MFA methods, error reporting).
    * From a security point of view, it is a risk as MFA credentials pass through the application and could be caught/used somewhere else.

    I actually do not feel good anymore with letting users enter credentials into applications at all - and that is what is already happening with plain LDAP.

    My strong recommendation is to have a talk with your 3rd party vendor and ask if it is possible / on the roadmap to use modern protocols (OAuth, OpenID Connect, SAML).

    I know this can be hard sometimes ... but the line of arguments is pretty straightforward and any software vendor can hardly deny it.
    Also modern protocols give you a Single Sign-On possibility - both a security and a user convenience improvement.

    Greetings,
    Tobias


1 additional answer

  1. Craig Garland 286 Reputation points
    2020-06-02T22:26:16.02+00:00

    Hi,

    Tobias, thanks for your answer.

    Although I agree with what you are saying, I unfortunately need a solution now. As the user credentials are always being entered into the application, it does not increase the risk. It has already been raised to the vendor to implement this.

    Originally I was hoping that there was some type of proxy server that could be placed in front of the website that would manage authentication before connecting to the website. Yet I cannot find any application of that type.

    Thanks
    Craig
