Authentication services are configured using Identity Providers. Each IdP includes configurations for device registration, Client settings, IP tunnelling pools, etc., that will be applied at sign-in.
The system supports authentication using external LDAP (AD), LDAP certificate, OIDC, RADIUS, and SAML identity providers (IdPs). These include standard enterprise IdPs such as Active Directory (AD). These can be used to authenticate users connecting through the client or Portal, headless clients, administrators, and for REST API calls.
The password user interaction also uses the IdP to (re)authenticate the user when the access controls set in an Entitlement require it. When configuring a user interaction it is possible to specify a different IdP than the one used at authentication time. When a SAML/OIDC provider is specified for this purpose, the authentication request can be issued via the browser, which makes it possible to use such IdPs as an MFA provider in the Appgate SDP system.
Before you start
Information you will need:
Directory server connection details, certificate (for mTLS) and any search domain parameters
DNS server IP addresses that the Client will use to resolve host names
Pre-configure the following elements:
IP pools: pre-configure each IP pool that you will associate with an identity provider directory. Refer to IP Pools for more information
Upload device Claims scripts: for customized on-demand device claims: refer to Device Claims Scripts
MFA provider: if you intend to mandate this then you must configure an MFA provider
Trusted certificates: the directory server's certificate should be added to Trusted Certificates
User directory/IdP configuration: if you intend to use anything other than the Local user database:
LDAP/AD: your server must support simple authentication, and it is strongly recommended that the server is configured for encrypted communication (i.e., SSL)
OIDC: configure your OIDC IdP first. For more information refer to OIDC Identity Providers
SAML: configure your SAML IdP first. For more information refer to SAML Identity Providers
Background reading:
Claims and database attributes, refer to: Mapping user claims
On-demand claims, refer to: On-demand Claims
Use of DNS and name resolvers
For full details on all the different Identity Providers, refer to: Identity Providers
Use the Identity providers form to:
Add new LDAP, LDAP Certificate, OIDC, RADIUS or SAML identity providers [IdPs]
Edit the built-in Connector, local or service IdPs
Configure Appgate SDP options which are linked to IdPs such as: IP Pools, MFA at sign-in, etc
Perform actions using the action buttons provided (see below).
Action Buttons
Action buttons are accessed by clicking the three dots to the right of each line item in the table or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item.
Test User. Once configured, it may be possible to test a user against the IdP if a Test User action is shown for it. This option allows you to enter a user name (and password) and test whether the user can be authenticated against the IdP. This is only possible for IdPs that do not require some form of user interaction.
If Appgate SDP can successfully bind to the directory, and the user name is valid then the test will provide a list showing how the attributes map to the user-claims and the claim values that will be returned to the Controller. The test connection button will test the connections to ALL the servers specified. It will fail if ANY of the servers are unreachable.
NOTE
Users may still be able to sign-in as the system is designed to fail-over to the next server if any one is unreachable.
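The LDAPS recommendation under Before you start and the bind that the Test User action performs rest on the same fact: in an LDAP simple bind the password travels in clear text inside the BindRequest, so the only protection it gets is the TLS session, whose server certificate must chain to something in Trusted Certificates. The Python below is an added illustration, not Appgate SDP code. It hand-encodes an LDAPv3 BindRequest, decodes the BindResponse, and sends the request only over a TLS connection verified against a CA file; host name, port, CA file path, DN and password are placeholders.

```python
"""Added illustration (not Appgate SDP code): an LDAP simple bind on the
wire, and a helper that only sends it over a verified TLS connection.
Host, CA file, DN and password used with it are placeholders."""
import socket
import ssl

# LDAP resultCode values (RFC 4511) that a bind commonly returns.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                32: "noSuchObject", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """One BER TLV: tag, length, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }.
    Message ids are kept below 128 so they fit one INTEGER octet."""
    assert 0 < message_id < 128
    bind_request = ber(0x60,                            # [APPLICATION 0] BindRequest
                       ber(0x02, b"\x03")               # version 3
                       + ber(0x04, dn.encode())         # name (LDAPDN)
                       + ber(0x80, password.encode()))  # [0] simple: clear text!
    return ber(0x30, ber(0x02, bytes([message_id])) + bind_request)


def build_bind_response(message_id: int, result_code: int, diag: str = "") -> bytes:
    """Server side of the exchange, used here to construct sample traffic."""
    bind_response = ber(0x61,                           # [APPLICATION 1] BindResponse
                        ber(0x0A, bytes([result_code])) # ENUMERATED resultCode
                        + ber(0x04, b"")                # matchedDN
                        + ber(0x04, diag.encode()))     # diagnosticMessage
    return ber(0x30, ber(0x02, bytes([message_id])) + bind_response)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": RESULT_CODES.get(rc, f"code {rc}"),
            "diagnostic": diag.decode(errors="replace")}


def simple_bind_over_tls(host: str, port: int, cafile: str,
                         dn: str, password: str, timeout: float = 5.0) -> dict:
    """Send the bind only once the server certificate chains to `cafile` and
    matches `host`.  The password is in clear inside the request, so it must
    never be written to a plain (non-TLS) socket."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname checks on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_simple_bind(1, dn, password))
            return parse_bind_response(tls.recv(4096))


# Constructed sample: what a directory answers to a wrong password.
SAMPLE_FAILED_BIND = build_bind_response(1, 49, "invalid credentials")

if __name__ == "__main__":
    req = encode_simple_bind(1, "cn=test,dc=example,dc=com", "s3cret")  # placeholders
    print("password visible in request:", b"s3cret" in req)
    print(parse_bind_response(SAMPLE_FAILED_BIND))
    # simple_bind_over_tls("ldap.example.invalid", 636, "/path/to/ca.pem",
    #                      "cn=test,dc=example,dc=com", "s3cret")  # placeholder call
```

Running it offline shows the two things that matter for the Before you start checklist: the password is a plain OCTET STRING in the request, and `ssl.create_default_context(cafile=...)` refuses the session unless the directory's certificate chains to the trusted CA, which is why that certificate belongs in Trusted Certificates before the IdP is tested.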