Identity Providers


Authentication services are configured using Identity Providers (IdPs). Each IdP includes configurations for device registration, Client settings, and IP tunneling pools that will be applied at sign in.

The system supports authentication using external LDAP (AD), LDAP certificate, OIDC, RADIUS, and SAML identity providers (IdPs). These include standard enterprise IdPs such as Active Directory (AD). These can be used to authenticate users connecting through the client or Portal, headless clients, administrators, and for REST API calls.

The password user interaction also uses the IdP to (re)authenticate the user when the access controls in an Entitlement require it. When configuring a user interaction, you can specify a different IdP than the one used at authentication. When a SAML/OIDC provider is specified for this purpose, the authentication request can be issued through the browser, which makes it possible to use such IdPs as an MFA provider in the AppGate ZTNA system.

Before you start

Information you will need before configuration:

  • Directory server connection details, certificate (for mTLS), and any search domain parameters.

  • DNS server IP addresses that the Client will use to resolve host names.

Pre-configure the following elements:

  • IP pools. Pre-configure each IP pool that you will associate with an identity provider directory. See the IP Pools section for more information.

  • Upload device claim scripts. For customized on-demand device claims, see the Device Claims Scripts section.

  • MFA provider. If you intend to mandate this then you must configure an MFA provider.

  • Trusted certificates. The directory server's certificate should be added to Trusted Certificates.

  • User directory/IdP. If you intend to use anything other than the Local user database:

    • LDAP/AD. Your server must support simple authentication, and it is recommended that the server is configured for encrypted communication.

    • OIDC. Configure your OIDC IdP first. For more information, refer to OIDC Identity Providers.

    • SAML. Configure your SAML IdP first. For more information, refer to SAML Identity Providers.

Background reading:

Use the Identity Providers page to:

  • Add new LDAP, LDAP Certificate, OIDC, RADIUS, or SAML IdPs.

  • Edit the built-in Connector, local, or service IdPs.

  • Configure AppGate ZTNA options linked to IdPs, such as IP Pools and MFA at sign-in.

When you are ready to configure identity providers, see the General IdP settings section to begin.

Action Buttons

Action buttons are accessed by clicking the three dots icon to the right of each line item in the page or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item. The Actions button for Identity Providers displays the following option:

  • Test User. Tests a user against the IdP once configured. This option is available only for IdPs that do not require some form of user interaction.

If AppGate ZTNA can successfully bind to the directory and the user name is valid, then the test results will show how attributes are mapped and available within Policies, Criteria Scripts, User Claim Scripts, Conditions, and Entitlement Scripts.

If any of the servers are unreachable, the test will fail and the results will list all errors with all servers including the server IP/hostname.

NOTE

Users may still be able to sign in, as the system is designed to failover to the next server if any are unreachable.

User authentication test results showing mapped attributes and success message.