Question

LDAP authentication alternatives

Forum|Forum|11 years ago
August 21, 2014
6 replies
26 views

Lutz
New Contributor

So I'm working with a company who is about to implement Casper. As of now they don't have any type of LDAP (AD or otherwise) in place.

Their centralized directory system is Okta and it actually works pretty well for them. All of their services are SAAS items like Google Apps, Box, Web Help Desk, etc. Because of this Okta works beautifully for them.

Caper brings some challenges though since LDAP is really the only built in directory plugin. While I could just add user names to inventory records, it wouldn't give users a way to enroll devices their own devices or Self Service. I could manually create a bunch of JSS users for local authentication but would prefer not to have 200 JSS users.

If I could tell Casper to query Okta for authentication or something when a user logs into Self Service or Self Enrollment, that would be ideal but not holding my breath.

Any creative thoughts or ideas?

+24

jarednichols
Valued Contributor
Forum|Forum|11 years ago
August 21, 2014

I believe Okta has some extensibility for working with AD and LDAP. I'd check their support folks.

Lutz
Author
New Contributor
Forum|Forum|11 years ago
August 21, 2014

I'm trying to avoid setting up LDAP though. They have the functionality to synchronize to a current AD setup.

+18

alexjdale
Contributor
Forum|Forum|11 years ago
August 22, 2014

Okta cannot support LDAP queries against their directory? That seems very limiting.

holed03
New Contributor
Forum|Forum|10 years ago
May 7, 2015

Disclaimer - I work for Okta

If I understand it correctly this requirement is so that employees/ users can SSO into Casper suite for self service Portal http://www.jamfsoftware.com/products/casper-suite/self-service/
I know that some customers have requested that Casper supports SAML - if it did then it would be straightforward to provide SSO from Okta to Casper for user SSO to the self service portal...

Okta cannot support LDAP queries against its own directory (we call it Universal Directory) at this time- we do support authentication calls to Okta made via our API however- would require a bit of API work

Another way that customers could integrate Casper with Okta is by using an Okta group to create an AD account for new Okta users. The password in AD would get syncronised with the Okta password. This integration is when Okta pushes to AD- typically a customer wouldn't be using AD for windows authentication in this case. AD is just something they want Okta or google apps accounts pushed out to to allow for integration with wifi or apps like Casper that can't be integrated with other method's.

At some point we'll be to provision Okta users to an LDAP as well- just not yet

So in summary how can customers integrate Okta and Casper right now:
Set up an an AD to support LDAPS authentication and use an Okta group to push an account to AD for every employee who accesses Casper. The password for the AD (actually the employee is asked for the password for the Casper Portal,) is going to be the same as their existing Okta password
Look at building a solution via API call to authenticate to the Okta authentication REST API
If you don't use an AD but you do have an existing LDAP then a) integrate Casper with that LDAP for authentication to the Casper Portal- users auth to Casper with their LDAP portal and b) integrate the same LDAP with Okta using Delegated authentication (users log into Okta using their LDAP password and can also do an LDAP password reset from Okta.)

in future:
Okta may allow customers to integrate applications like Casper directly with its own internal LDAP (universal directory) for authenticating user sessions in Casper etc
Casper may provide SAML integration support - and then Casper will be an application that Okta users can SSO to directly from their Okta user/home page