Multi-Factor Authentication (MFA) is a necessary component of a layered approach to application security. Unfortunately if a unique token must be issued by each application, the task of managing all those TOTP second factor tokens can become nearly as involved as managing passwords. Despite being widely regarded as a critical layer of security LastPass' 2019 Global Password Security Report found that only 57% of global businesses authenticate through MFA.
Regardless of whether your IdP lives on premises, in the cloud, or as a hybrid solution, ensuring that your users can authenticate securely and conveniently is critical. SSO is an effective way to implement a multi-factor authentication solution across all your applications, allowing your users to authenticate once, then securely and easily access many business applications.
There are two common approaches to deploying an SSO solution; integrate with one or migrate to one. Providers such as Okta have risen up to provide a solution for the most common approach out of these two paths: integration. Okta serves as an SSO front end to existing IdP solutions such as Active Directory. Integration enables organizations to securely and seamlessly provide a unified experience to their users both in the office and when working remote. ExtraHop has a detailed guide on implementing SAML with Okta.
But what about organizations without an existing identity provider or those looking to ditch on premises completely?
With the shift to cloud and shift to work from home it's obvious that the migration approach is growing in popularity, especially with young companies seeking to forge a path that will scale well.
JumpCloud can integrate, but they also offer a complete DaaS (Directory as a Service) solution, acting as both the identity and SSO provider. This option transfers the authoritative identities of the users from on premises to cloud native. JumpCloud offers a solution for MFA with TOTP tokens across Mac, Windows, and Linux operating systems, and LDAP, SAML, and even RADIUS services. Authentication through Duo or YubiKey as a second factor is also supported.
Many modern solutions, including ExtraHop Reveal(x), support both LDAP and SAML. Both remote authentication protocols can be implemented securely, making them both potentially good choices. The biggest difference is that LDAP was designed in the early 90s, long before public cloud, SaaS, and the need to support a remote workforce. SAML was created in the early 2000s and was intended to federate identities to web apps. Because SAML assertion happens as XML and is easily implemented as HTTPS, it doesn't require StartTLS or a special secure version of the protocol (LDAPS). Enabling MFA doesn't require deviation from the protocol specs—a necessary step to hold the connection open with LDAP because MFA was never intended. For these reasons, when both options are on the table, SAML is generally the better choice.
To help you configure JumpCloud as the IdP for Reveal(x) through SAML, we have a detailed guide with step by step instructions.
JumpCloud is free for the first 10 users, making it a great platform to test a cloud native SSO solution in your lab and see if SAML might be the right remote authentication option for your organization.