Azure Active Directory

Before You Start

Overview

In this article, you’ll learn how to integrate your Azure Active Directory with an Acreto Ecosystem. This process involves the following steps:

  1. Configuration of Azure AD
  2. Configuration of Acreto Ecosystem
  3. Providing an Onboarding Portal link to users

This feature is currently in beta mode.

Prerequisities

In order to integrate Acreto with Azure Active Directory, you will need:

  1. Active Acreto Ecosystem
  2. Azure Active Directory - Active Subscription is needed - but basic features are free
  3. Azure Active Directory Domain Services - Active Subscription is needed - ~$109.50/month/set

The Purpose of Azure Active Directory Integration

An Azure Active Directory integration allows your Acreto Ecosystem to utilize the user credentials stored in your Active Directory to connect to the Ecosystem using Acreto TLS Client.

It uses the LDAPS (LDAP Secure) protocol and the Domain Services which can be deployed on the Azure account to sync with AD passwords.

The LDAPS protocol is used to establish communication between the Acreto Ecosystem and the Azure Active Directory.

Administrators integrate with a Lightweight Directory Access Protocol (LDAP) directory to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use it’s existing LDAP server as the master source of user data.

Typically, AD integration is also part of a single sign-on implementation.

How Does it Work?

The integration uses the LDAP service account credentials to retrieve the user’s distinguished name (DN) from the LDAP server. Given the user’s DN value, the integration then reconnects with LDAP using the user’s DN and password.

In the diagram below, you can see the communication flow between some Employee (trying to connect to the Ecosystem using Acreto TLS Client), Acreto Ecosystem and Azure AD.

Communication flow between some Employee and Acreto Ecosystem and Azure AD
Communication flow between some Employee and Acreto Ecosystem and Azure AD

The integration never stores LDAP passwords on the Ecosystem.

The integration uses a read-only connection that never writes to the Azure Active Directory. The integration only queries for information.

How To

Configuration of Azure Active Directory

To configure your Azure Active Directory to work with Acreto, please:

  1. Configure secure LDAP for an Azure Active Directory Domain Services managed domain
  2. Enable password synchronization in Azure Active Directory Domain Services
    • If you followed the first tutorial and don’t use on-premises AD the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However it is needed to reset the password of all current users. It can be done by expiring all the current passwords, or resetting them manually from the Azure AD Users View.

Configuration of Acreto Ecosystem

1.Log in to New or Existing Ecosystem

Show me how to Login and open Ecosystem [Play ▶]
  1. Create Security Policy

    Create a Security Policy that allows users to connect through your Identity Provider to reach all destinations.

    In beta mode, all users authenticated using Identity Providers belong to default profile group Profile Group 1. This will change in future versions.

    To simplify the initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.

    You should customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).

    Security Policy

    Show me how to create the Policy [Play ▶]
  2. Add New Identity Provider

    To add a new Identity Provider, select Objects and Identity Providers from the left menu and then click on “Add New”.

    Add IdP

    Show me how to add identity provider [Play ▶]
    Show screenshot - part 1
    Show screenshot - part 2
  3. Fill the form with proper values:

    1. Name - descriptive name for this IdP
    2. Description - description of the IdP
    3. Identity Provider Type - in case of AD config choose one of two available options
    4. Host - domian or IP address of your AD server
    5. Port - 636
    6. Username - user that will be used to connection
    7. Password - password for the user account
    8. User Base DN - for Azure AD use OU=AADDC Users, DC=somedomain, DC=onmicrosoft, DC=com, for On-premise Windows Server AD CN=Users, DC=SOMEDOMAIN, DC=com

Base DN and other values may be specific for your custom configuration. Check proper configuration in the AD control panel.

  1. Save and commit your changes

To allow users, employees or team members (data-plane users) to authenticate in OpenVPN using Azure AD credentials, Acreto offers unique and individual URLs for every Ecosystem portal called Onboarding Portal.

  1. To access the unique URL to that portal, please click on Edit next to previously added IdP and scroll down.

    Onboarding Portal

  2. Then, click on the icon to copy the URL.

    Onboarding Portal

  3. Now, provide the generated link to your users.

End User Experience

When the End User or Employee opens the Onboarding Portal, the Welcome Page will be presented.

The Ecosystem Admin should share this URL with the End Users, ask them to open it, and then follow instructions.

Show screenshot - Onboarding Portal main page
Show screenshot - Onboarding Portal instructions

Frequently Asked Questions

  1. Active Directory included into Office 365 subscription sufficient for the integration?

    No, Office 365 subscription covers only the free Azure Active Directory.

    You need Azure Active Directory Domain Services which is an additional subscription from Microsoft.

  2. Why is it required to enable password synchronization in Azure Active Directory Domain Services?

    Enable password synchronization in Azure Active Directory Domain Services - As documented on Microsoft article Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain:

    Users (and service accounts) can’t perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain.

    Acreto uses LDAP simple binds, therefore NTLM password hash synchronization feature needs to be enabled.

    If you followed the first tutorial and don’t use on-premises AD the synchronization (between your Azure AD and Azure AD Domain Services) will be enabled by default. However it is needed to reset the password of all current users. It can be done by expiring all the current passwords or resetting them manually from the Azure AD Users View.

Summary

Thanks to Acreto and Azure Active Directory Identity Provider Integration, users can connect to an Acreto Ecosystem with the same credentials utilized for other internal resources on their network domain.

Also, Acreto Ecosystem Admin(s) can re-use any existing password and security policies that are already in place. For example, the Active Directory may already have account lockout and password expiration policies.

Next page: OKTA