Hybrid mode, directory via OpenLDAP and authentication via SAML?

(mark bradford) #1

Is it possible to have our Directory Type OpenLDAP and have authentication via SAML (Okta)? Within the Authentication Profile section, I see a section for Directory Type and a section for Authentication Type, but I am not sure if they are dependent or independent of each other. While reviewing the documentation on OpenLDAP, this is how authentication occurs, but I only want my directory (users) populated via OpenLDAP, not authenticated.

(Scott Bullock) #2

Yes you can, SAML and LDAP are not mutually exclusive. Separating provisioning (LDAP) and authentication (SAML) exactly as you describe is a relatively common deployment mode.

(mark bradford) #3

Hi Scott, thanks for the quick reply. Looking at my options now, what would be the recommendation for directory type, Active Directory versus OpenLDAP. I believe I could use either, but not sure which to choose? Is one option preferred over the other?

(Scott Bullock) #4

If you’re running AD (most common) then Active Directory would be the go. There’s some difference in the way LDAP queries need to be executed, so the mode selected should match what your LDAP server is capable of.
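The difference in query style between the two directory types mentioned above comes down to the object classes and naming attributes the server uses. The following is an added example, not code from this thread or from Zscaler: it builds the user-provisioning search filter for either directory type and escapes the supplied value per RFC 4515, so a login name containing filter metacharacters cannot change the shape of the query (LDAP filter injection). The attribute and object-class names are standard AD and OpenLDAP schema; the function names and the constructed inputs are this example's own.

```python
"""Build provisioning search filters for Active Directory or OpenLDAP.

Added example (not part of the original thread). Only the standard library
is used; no directory connection is made. The filter shapes reflect the usual
schema for each server type and are assumptions about a given deployment.
"""

# RFC 4515 escaping: these characters have structural meaning inside a filter
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_filter(directory_type: str, login_name: str) -> str:
    """Return the search filter that locates one user by logon name.

    directory_type is either "active_directory" or "openldap" (constructed
    labels for this example). The value is escaped before interpolation.
    """
    name = escape_filter_value(login_name)
    if directory_type == "active_directory":
        # AD keys users by sAMAccountName; objectCategory=person excludes
        # computer accounts, which also carry objectClass=user.
        return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={name}))"
    if directory_type == "openldap":
        # OpenLDAP deployments typically model people as inetOrgPerson keyed by uid.
        return f"(&(objectClass=inetOrgPerson)(uid={name}))"
    raise ValueError(f"unknown directory type: {directory_type!r}")


def group_member_filter(directory_type: str, group_dn: str) -> str:
    """Return the filter that lists members of a group for provisioning sync.

    AD stores membership on the user (memberOf); a groupOfNames entry in
    OpenLDAP stores it on the group (member), so the search base differs too.
    """
    dn = escape_filter_value(group_dn)
    if directory_type == "active_directory":
        return f"(&(objectCategory=person)(objectClass=user)(memberOf={dn}))"
    if directory_type == "openldap":
        # Search the group entry itself and read its member attribute.
        return f"(&(objectClass=groupOfNames)(entryDN={dn}))"
    raise ValueError(f"unknown directory type: {directory_type!r}")


if __name__ == "__main__":
    # Constructed inputs: a normal logon name and one that tries to widen the query.
    for name in ("jdoe", "*)(uid=*"):
        print(user_filter("openldap", name))
        print(user_filter("active_directory", name))
```

The second constructed input shows the point of escaping: without it, `*)(uid=*` would turn a lookup for one user into a match on every entry, which matters because the provisioning bind account typically has read access to the whole user subtree.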

(mark bradford) #5

Scott,

Attempting to get this setup, but of course we want to lock it down. What Zscaler IP (or range) will the request come from? I need to know this for the firewall rule.

(Scott Bullock) #6

The IP sites have this info, there’s one for each cloud. Here’s the one for zscaler.net, please change the domain to match the cloud you’re in.

https://ips.zscaler.net/
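To turn the published ranges into the firewall rule asked about above, the following added example (not code from this thread or from Zscaler) takes a list of CIDR blocks, checks whether an inbound source address falls inside them, and emits iptables/ip6tables rules that accept only those sources on the LDAP port and drop everything else. The three ranges in `SAMPLE_RANGES` are constructed documentation prefixes standing in for the real list, which must be taken from the IP site for your cloud; the port 636 (LDAPS) default is an assumption about the deployment.

```python
"""Restrict inbound LDAP access to a published allowlist of source ranges.

Added example (not part of the original thread). The ranges below are
constructed placeholders (RFC 5737 / RFC 3849 documentation prefixes); the
real ranges come from the IP site for your cloud, e.g. https://ips.zscaler.net/.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample; replace with the ranges published for your cloud.
SAMPLE_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]


def build_allowlist(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings strictly, so a malformed entry fails loudly
    instead of silently widening the rule."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source: str, allowlist: List[Network]) -> bool:
    """Return True only if the source address lies inside an allowed range.
    Unparseable input is treated as not allowed (fail closed)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def firewall_rules(allowlist: List[Network], ldap_port: int = 636) -> List[str]:
    """Emit one accept rule per allowed range on the LDAP port, followed by a
    default drop for that port in both address families. IPv6 ranges go to
    ip6tables, IPv4 ranges to iptables."""
    rules = []
    for net in allowlist:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -p tcp -s {net} --dport {ldap_port} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {ldap_port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {ldap_port} -j DROP")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_RANGES)
    for rule in firewall_rules(allow):
        print(rule)
    # Constructed probe addresses: one inside and one outside the sample list.
    for probe in ("203.0.113.7", "192.0.2.9"):
        print(probe, "allowed" if is_allowed(probe, allow) else "denied")
```

Because the published list changes over time, the practical pattern is to regenerate the rules from a fresh copy on a schedule and diff them against what is loaded, rather than hand-editing the firewall once.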