Single Sign On for Intranet users and MFA over LDAP for users outside intranet


This solution describes the setup required when you want Single Sign-On (SSO) for users inside the intranet network, while users outside the intranet network must authenticate with their LDAP / WordPress credentials and then complete Two-Factor (2FA) / Multi-Factor Authentication (MFA) before login succeeds.


LDAP Login for Intranet Sites

By miniOrange

The first case when a user is present inside an Intranet network:

This can be achieved using Kerberos/NTLM SSO. Kerberos is an authentication protocol that supports the concept of Single Sign-On (SSO). It is a cryptography-based authentication protocol designed to provide secure authentication over an insecure network by allowing users to authenticate while preventing passwords from being sent over the internet. For more details regarding the Kerberos protocol, you can check out our guide.


The second case is when a user is not present inside the intranet network and wants to access the website:

This can be done using a reverse proxy. The user is provided with a proxy server URL. Once the user clicks on the proxy server URL, they will be able to access the actual WordPress website. The user then needs to enter their LDAP / WordPress credentials. Once that authentication is successful, a 2FA / MFA prompt appears, and after the user has been validated using 2FA / MFA they will be able to access the website.


Scenario:

  1. You have Active Directory / LDAP servers which contain information about AD objects such as users, computers, electronic devices, etc.
  2. You want to allow Active Directory users to SSO into your web application (WordPress website) when they are present in the Intranet Network.
  3. You want to allow users outside the intranet network to access the content of your WordPress website using LDAP / WordPress credentials with 2 Factor Authentication / Multi-Factor Authentication.

Components involved:

  1. WordPress Kerberos/NTLM Add-on allows the users to configure the Single Sign On (SSO) from LDAP Server / Active Directory using Kerberos protocol.
  2. miniOrange Reverse Proxy Server or On-Premise Reverse Proxy Server setup which will allow external users to access the WordPress website.
  3. miniOrange WordPress 2FA | MFA plugin allows you to perform 2 Factor Authentication or Multi Factor Authentication to verify users on login.

Solution:

In this setup, WordPress acts as the website / web application that users sign in to via Single Sign-On (SSO), using their LDAP / Active Directory credentials with the Kerberos protocol:

  1. The WordPress Kerberos/NTLM add-on needs to be installed on the WordPress site for which you want to enable Single Sign-On (SSO), along with the WordPress LDAP/AD Login for Intranet Sites premium plugin.
  2. You will also need to completely configure the WordPress LDAP/AD Intranet Premium Plugin beforehand.
  3. You will need to install and configure the miniOrange WordPress 2FA/MFA plugin to authenticate users trying to access the website from outside the intranet network.
  4. Set up a reverse proxy server for your web server. You can choose between the miniOrange reverse proxy server and an On-Premise reverse proxy server.

End user experience:

  • After installing and configuring the WordPress LDAP/AD Login for Intranet Sites premium plugin along with the WordPress Kerberos/NTLM add-on, users can auto-login (SSO) into your WordPress site from a domain-joined machine (inside the local intranet network) without entering their credentials.
  • With this plugin and add-on, WordPress will directly fetch and update the user profile information from Active Directory whenever a user auto-logs in to your website.
  • If a user is trying to access the WordPress website from outside the intranet network, they will receive a simple login form where they will enter their LDAP / Active Directory or WordPress credentials for authentication.
  • For further validation, external users will receive a 2FA / MFA prompt, and on successful validation they will be logged in to your WordPress website.
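
The flow selection described above, modelled as an added Python sketch (not miniOrange plugin code). It shows the check that matters once a reverse proxy sits in front of WordPress: the proxy's own address may be inside the intranet range, so the intranet decision must use the forwarded client address only when the peer is the known proxy. The network range, proxy address, function names and the choice to require password plus MFA whenever intranet Kerberos SSO does not apply are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; substitute your own ranges.
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.5.10")}  # on-premise reverse proxy


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address the intranet decision is based on, or None if unknown."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: X-Forwarded-For is client-supplied, so ignore it.
        return peer
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk from the right: the proxy appends the address it saw, while
    # anything further left could have been sent by the client itself.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: origin unknown
        if addr not in TRUSTED_PROXIES:
            return addr
    return None  # proxied request without a usable client address


def required_auth_steps(remote_addr, x_forwarded_for=None, kerberos_ok=False):
    """Map a request to the authentication steps the page describes."""
    client = effective_client_ip(remote_addr, x_forwarded_for)
    inside = client is not None and any(client in net for net in INTRANET_NETS)
    if inside and kerberos_ok:
        return ["kerberos_sso"]
    # Outside the intranet, unknown origin, or no Kerberos ticket: fail closed.
    return ["ldap_or_wp_password", "mfa"]


if __name__ == "__main__":
    print(required_auth_steps("10.1.2.3", kerberos_ok=True))
    print(required_auth_steps("10.0.5.10", "10.9.9.9, 203.0.113.7", True))
```
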

Conclusion:

The miniOrange WordPress LDAP/AD Login for Intranet Sites plugin, together with the miniOrange WordPress 2FA/MFA plugin and the Kerberos/NTLM add-on, offers a seamless user experience by authenticating users into your WordPress site with their LDAP credentials whether they are inside or outside the intranet network, and doubles down on security with 2-Factor / Multi-Factor Authentication for users outside the intranet network.

