The system supports authentication using external identity providers (IdPs): LDAP (including Active Directory, AD), LDAP certificate, OIDC, RADIUS, and SAML. These can be used to authenticate users connecting through the Client or Portal, headless Clients, administrators, and REST API calls.
The password user interaction also uses the IdP to (re)authenticate the user when the access controls set in an Entitlement require it. When configuring a user interaction it is possible to specify a different IdP than the one used at authentication time. When a SAML/OIDC provider is specified for this purpose, the authentication request can be issued via the browser, which makes it possible to use such IdPs as an MFA provider in the AppGate ZTNA system.
In addition to these external IdPs, there are three built-in IdPs (which cannot be deleted):
Local. A built-in database that is useful for setting up AppGate ZTNA system administrators.
Connector. A simplified IdP that is used by Connector Clients. For details, refer to the Connector section.
Service. A simplified IdP that is used by k8s service Clients. For details, refer to the k8s service Client section.
The choice of Authentication services is not directly exposed to the users of the system. Instead, Client profiles are generated that automatically configure the Client or device prior to the user signing in.
This section covers common information for configuring IdPs to provision access when using the AppGate ZTNA system.