How To Integrate Okta LDAP with Server Certificate Verification

Before You Start

Overview

In this article, you’ll learn how to enable server certificate verification for your OKTA LDAP server, so that the Acreto Ecosystem only trusts the certificate you have explicitly uploaded.

This process involves the following steps:

  1. Downloading the server certificate
  2. Converting the server certificate from CER to PEM format
  3. Uploading the server certificate to the Acreto Ecosystem
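The three steps above, as an added example that is not part of Acreto's or Okta's documentation: it downloads the certificate an LDAPS server presents, converts a .cer file (DER or PEM) to the PEM form expected by an upload form, checks the PEM is well-formed, and finally tests a TLS handshake with that PEM as the only trust anchor. Only the Python standard library is used; host names and file paths are placeholders, and the test input is a constructed ASN.1 blob, not a real certificate.

```python
"""Added example (not Acreto's or Okta's own code): fetch an LDAPS server
certificate, normalise a .cer file to PEM, and verify the server against it."""
import base64
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def fetch_server_cert_pem(host: str, port: int = 636) -> str:
    """Download the leaf certificate an LDAPS server presents, as PEM text."""
    # Only the leaf is returned; for a private CA, upload the issuing CA cert instead.
    return ssl.get_server_certificate((host, port))


def cer_to_pem(data: bytes) -> str:
    """Convert a .cer file to PEM. A .cer may be binary DER or already PEM."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        # Already PEM: take the first block, strip whitespace, re-wrap canonically.
        body = text.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
        der = base64.b64decode("".join(body.split()))
    else:
        der = data
    return ssl.DER_cert_to_PEM_cert(der)


def pem_is_well_formed(pem: str) -> bool:
    """Check header, 64-column base64 body, footer, and a DER SEQUENCE inside."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        return False
    body = lines[1:-1]
    if any(len(line) > 64 for line in body):
        return False
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError:
        return False
    # A DER certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    return bool(der) and der[0] == 0x30


def verify_ldaps_against_pem(host: str, pem_path: str, port: int = 636) -> bool:
    """True if a TLS handshake to host:port verifies with pem_path as sole trust anchor."""
    ctx = ssl.create_default_context(cafile=pem_path)  # no system CAs are loaded
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

Run verify_ldaps_against_pem against the file you are about to upload; a False result means the Ecosystem would reject the server for the same reason once verification is enabled.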

Prerequisites

To set up OKTA LDAP server certificate verification, you will need the following:

  1. An active Acreto Ecosystem
  2. An OKTA LDAP server already integrated with the Acreto Ecosystem

The Purpose of Azure Active Directory Integration

An Azure Active Directory integration allows your Acreto Ecosystem to use the user credentials stored in your Active Directory, so that users can connect to the Ecosystem with the Acreto TLS Client.

It relies on the LDAPS (LDAP Secure) protocol and on Azure Active Directory Domain Services, which can be deployed in your Azure account to synchronize AD passwords.

The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Azure Active Directory.

Tip

Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use the existing LDAP server as the master source of user data.

Typically, AD integration is also part of a single sign-on (SSO) implementation.

How To

Configuration of Azure Active Directory

To configure your Azure Active Directory to work with Acreto, please:

  1. Configure secure LDAP for an Azure Active Directory Domain Services managed domain
  2. Enable password synchronization in Azure Active Directory Domain Services
    • If you followed the first tutorial and don’t use on-premises AD, the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However, it is necessary to reset the passwords of all current users. This can be done by expiring all the existing passwords or by resetting them manually from the Azure AD Users view.

Configuration of Acreto Ecosystem

  1. Log in to a new or existing Ecosystem

  2. Create a Security Policy

    Create a Security Policy that allows users to connect through your Identity Provider to reach all destinations.

To allow users, employees, or team members (data-plane users) to authenticate in OpenVPN using Azure AD credentials, Acreto provides a unique, individual URL for every Ecosystem portal, called the Onboarding Portal.

  1. To access the unique URL of that portal, click Edit next to the previously added IdP and scroll down.

  2. Then, click the icon to copy the URL.

Frequently Asked Questions

  1. Is the Active Directory included in an Office 365 subscription sufficient for the integration?

    No, an Office 365 subscription covers only the free Azure Active Directory.

    You need Azure Active Directory Domain Services, which is an additional subscription from Microsoft.

  2. Why is it required to enable password synchronization in Azure Active Directory Domain Services?

    As documented in the Microsoft article Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain:

    Users (and service accounts) can’t perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain.

    Acreto uses LDAP simple binds; therefore, the NTLM password hash synchronization feature needs to be enabled.

    If you followed the first tutorial and didn’t use on-premises AD, the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However, it is necessary to reset the passwords of all current users. This can be done by expiring all the existing passwords or by resetting them manually from the Azure AD Users view.

Summary

Thanks to the Acreto and Azure Active Directory Identity Provider integration, users can connect to an Acreto Ecosystem with the same credentials they use for other internal resources on their network domain.

Acreto Ecosystem Admin(s) can also reuse any existing password and security policies. For example, the Active Directory may already enforce account lockout and password expiration policies.