topic Re: Identity Awareness - Multiple Identity Sources AD + AzureAD in Firewall and Security Management

Identity Awareness - Multiple Identity Sources AD + AzureAD

HeikoAnkenbrand — Tue, 15 Oct 2024 11:43:03 GMT

Is it possible to use multiple identity sources to authenticate users with identity awareness?
Background to this question!

All users should be authenticated using the local AD and a firewall rule should be allowed accordingly.
If the user cannot be found in the local AD, the Azure AD (Entra ID) should be checked to see whether the user can be found there.
In this case, an AzureAD rule should also be activated for the affected user.

Is it possible to have multiple identity sources (AD + AzureAD) with IA at the same time?

If so, is there a PDF or a SK with a sample configuration?

Re: Identity Awareness - Multiple Identity Sources AD + AzureAD

PhoneBoy — Tue, 15 Oct 2024 18:09:59 GMT

With Local AD:

Identities are acquired from local AD via Identity Collector and/or Identity Agents
Gateways will calculate Access Roles via LDAP lookup to AD Server

With Entra ID:

Users must be authenticated via Captive Portal on the gateway
Groups are read as part of the SAML Assertion returned from Microsoft

It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.

Re: Identity Awareness - Multiple Identity Sources AD + AzureAD

HeikoAnkenbrand — Wed, 16 Oct 2024 08:43:02 GMT

That's what I thought. Thanks @PhoneBoy for the answer.

CUT>>>
It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.
<<<CUT