In April 2020, just as the coronavirus pandemic was gaining ground, most organizations were forced to implement a remote workforce. Many of them had some experience with a portion of their workforce being remote. But the scope of change brought on by COVID-19 was unprecedented.
Organizations adjusted to nearly all their office workers logging in remotely. This dramatic expansion of remote work has caused several issues. Lack of infrastructure to support users was one. Another was less obvious initially, being the lack of Single Sign-On (SSO) for all enterprise applications. This put a spotlight on security issues that needed to be resolved.
Finance records and legal documents were never meant to be accessed outside the local network. But they were now open to remote access. NDA documents, usually only accessed behind the firewall, now needed to be accessed from home offices.
Compounding issues, organizations significantly increased their usage of cloud services and online tools to boost productivity or simply add new functionality.
It has become progressively more difficult to manage, maintain and keep track of all those credentials.
Security Assertion Markup Language (SAML)
This is where Security Assertion Markup Language (SAML) comes in. The SAML protocol lets users prove their identities across multiple applications, with just one set of login credentials. It was ratified in 2002 by the Organization for the Advancement of Structured Information Standards (OASIS). It pulled together several existing standards.
At its core, SAML allows Identity Providers (IdPs) to store user identity data and authenticate those users to other applications, using public-key cryptography. For developers, this means SAML lets users log in to their applications without using passwords.
However, you still need an IdP to handle authentication and authorization. An IdP can be a cloud-based identity service or an internal enterprise resource like Active Directory.
Meanwhile, a Service Provider (SP) is the application a user wants to access like Salesforce or Slack. If the IdP can authenticate the user, the SP will let the user in.
Benefits of SAML Authentication
Improved User Experience. Users only need to sign in one time to access multiple service providers. This allows for a faster authentication process and less expectation of the user to remember multiple login credentials for every application.
Increased Security. SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity information to the service providers. This form of authentication ensures credentials are only sent to the IdP directly.
Loose Coupling of Directories. SAML does not require user information to be maintained and synchronized between directories.
Reduced Costs for Service Providers. With SAML, you do not have to support account information across multiple services. The IdP bears this burden.
Enterprise applications with classic authentication approaches—many of which cannot be easily replaced or moved to the cloud for years to come—require modernization. That’s because most of these applications won’t or can’t support the modern authentication, authorization standards and protocols used by cloud-based Identity-as-a-Service (IDaaS) solutions.
Their inability to support modern authentication and authorization deprives users of the secure convenience of SSO, Multi-Factor Authentication (MFA) and conditional access. Additionally, many organizations lack the right in-house expertise needed to implement a suitable and secure solution to modernize these applications.
Problem Understood. How Can You Remediate It?
F5 Access Policy Manager (APM) simply and securely integrates with Microsoft Azure Active Directory to expand application SSO, streamline application access and enhance user experience and security. F5 APM federates user identity, authentication and authorization, bridging the identity gap between cloud-based (IaaS), SaaS (Software-as-a-Service) and on-premises applications.
Working together, Azure Active Directory and APM simplify the user experience for application access. It enables users to log in once and access all applications from a single location, regardless of where the applications reside—cloud-based (IaaS), as-a-service or on-premises.
When deployed together, F5 APM enables access security and SSO and extends Active Directory’s federation and security capabilities to all applications, including those that don’t natively support modern authentication and authorization protocols, such as applications using header-based or Kerberos. This solves a costly challenge for organizations worldwide and an access nightmare for users, while directly addressing an executive-level risk management concern.
As organizations connect APM to proxy Active Directory, they can apply advanced security capabilities, such as Azure AD (Active Directory) Conditional Access and provide end users password-less authentication to all applications. Migrating or spinning up new applications in the cloud is a time-consuming and costly undertaking. It can be daunting for an organization to migrate its existing applications to the cloud, while trying to launch new SaaS-based applications and substituting as-a-service solutions for other applications.
APM, alongside Active Directory, can ease on-premises application migration to the cloud. Instead of migrating all applications simultaneously, an integrated APM and Active Directory solution enables your organization to take a measured approach migrating applications to the cloud, delivering cost savings, allowing them to learn as they migrate, and avoiding pitfalls by trying to do too much at once.
Leveraging the ability of an integrated APM and Active Directory solution, enabling user access to applications, wherever they may be located, allows organizations to take a more systematic approach to application cloud migration.
F5 Access Policy Manager (APM)
APM is an identity-aware proxy (IAP), supplying authenticated and authorized secure access via Active Directory to specific applications, regardless of their location. APM integrates with Active Directory, which delivers a root of trusted identity. Together, they enable authentication of users and their devices and authorization to the applications they are allowed to access.
Leveraging powerful context-aware policy management, APM extends granular application access control to Active Directory users. This application-level access control allows requests for application access to be reviewed, authorized or terminzted based on prescriptive policies.
APM and Active Directory, when deployed together, are powerful allies integrating trusted identity and application within zero-trust architectures. They effortlessly work together, delivering support for modern authentication and authorization protocols, such as SAML, OAuth and OpenID Connect (OIDC).
The combined solution enables delegated authentication and authorization capabilities. The configuration of APM as a service provider or resource server in front of applications, providing access to on-premises applications and Active Directory as the authorization server, enables application programming interfaces (APIs), native applications and mobile applications to delegate authorization functions to a trusted party. This eliminates the complexity and cost of implementing discrete systems.
Okay, great. That’s all I need, right? Almost.
Microsoft Azure Active Directory
Making all this work still requires a look at our old friend Microsoft Azure Active Directory.
Setting up a new Active Directory is an easy task. You download and install Windows Server, install required roles, and in four hours or less you have a basic Active Directory setup.
In an ideal world that would be it. And your only task would be to manage users, computers and groups. Then, occasionally create some Group Policies. Unfortunately, things with Active Directory are not so easy.
Active Directory is an entire ecosystem. It supports small companies with 10 users to global organizations with 500,000 users or more. When you scale Active Directory by adding more servers and domains, things can get quickly complicated.
At first glance, while things may appear to work correctly, in practice, they may not. That’s why, as an administrator, you need to manage Active Directory in terms of its health and security.
Seems easy, right? Not quite.
While you may think you’ve done and checked everything, there’s always something missing. Unless you have instructions for everything and can guarantee they stay the same way as you left them forever, it’s a bit more complicated.
That’s why Microsoft delivers you tools to troubleshoot your Active Directory, such as dcdiag, repadmin, and some others. They also sell monitoring solutions, such as Microsoft SCOM, which can help and detect when some things happen in your Active Directory while you were gone.
Unsure about where to get started? System Soft Technologies can help you modernize authentication with an Active Directory Health Check. Once your health check is complete and any identified showstoppers remediated, we work directly with F5 Networks professional services to get you started using F5 APM.
Need to learn more? Attend our free webinar at 2PM ET on Thursday, May 20. Co-hosting with F5 Networks, we will demonstrate F5 APM and provide practical recommendations and techniques.
[Attend the webinar: Modernizing Legacy Applications for a Zero Trust World]
About the Author: Don Bilbrey
Don Bilbrey serves as Senior Cloud Architect at System Soft Technologies. Don, a technology nerd, knows his stuff when it comes to systems and storage solutions. He’s a people person, too. He displays his humor and wit, as he energetically manages the service delivery needs of large enterprise customers.