LDAP and LDAPS Integration

Lightweight Directory Access Protocol (LDAP) and its secure variant (LDAPS) can be configured as external authentication and authorization sources for user login to A10 Control.

When integrated with an OIDC-based Identity Provider (IDP), LDAP/LDAPS can support Multi-Factor Authentication (MFA) through an LDAP proxy server. The proxy intermediates LDAP authentication traffic and securely forwards it to the OIDC IDP for MFA enforcement, without requiring changes to the A10 Control application or the underlying LDAP directory.

Key Benefits

• Centralized user authentication and authorization through a single LDAP/LDAPS directory.

• Encrypted LDAPS ensures secure transmission of credentials and directory queries.

• MFA enforcement through an LDAP proxy integrated with external IDPs (e.g., Okta, Azure AD).

• Direct mapping of LDAP groups to A10 Control Access Groups for role-based access control.

Prerequisites

• An active Modular License with the Single Sign-On (SSO) entitlement.
• A LDAP/LDAPS directory server with user and group entries configured.
• A valid and accessible LDAPS server certificate must be available for upload. The certificate may be self-signed or issued by a trusted Certificate Authority (CA).
• Network connectivity between A10 Control and the LDAP/LDAPS server:

  • LDAP: TCP port 389

  • LDAPS: TCP port 636

• An OIDC integration set up with the LDAP proxy server for MFA enforcement.

Key Guidelines for LDAP Group Mapping

• Each LDAP group name must map to an Access Group that must exist in A10 Control. The names must match exactly (case-sensitive).
• Nested LDAP groups are not supported in A10 Control. For example, if a user is a member of Group1, and Group1 is a member of Group2, only Group1 will be considered.

• A user can belong to multiple LDAP groups:

  • If mapped to multiple access groups, the group with the higher access level takes precedence.

  • If two access groups grant the same level of access, one is chosen randomly.

  • To avoid ambiguity, configure exclusive group-role mapping on both the LDAP server and A10 Control.

Configure LDAP/LDAPS in A10 Control

When LDAP Authorization is enabled, access in A10 Control is managed by mapping LDAP groups to access groups, with each Access Group mapped to exactly one LDAP group (one-to-one mapping).

When LDAP is integrated through an OIDC-based proxy server (such as Okta or Azure AD), MFA is enforced by the proxy server before user access is granted.

Only Organization Admins have permission to configure LDAP/LDAPS with A10 Control.

After the LDAP directory server is configured, you must perform the following configuration steps in A10 Control:

1. Create LDAP access groups and map them to the IDP (LDAP) group using Manage Access Group.

   Ensure that the A10 Control access group name exactly matches the corresponding LDAP group name (case-sensitive).
   

2. Configure LDAP directory server attributes in A10 Control using Manage User Auth.

   If using LDAPS, upload the LDAPS server certificate. Although the certificate is uploaded per Organization, it is stored in a global truststore. As a result, the certificate applies across all Organizations, not just the one where it was uploaded.

3. For MFA enforcement, map LDAP groups through the IDP (proxy server).

   In your chosen IDP (for example, Okta or Azure AD), configure the Groups claim to include both LDAP-proxy groups and native IDP groups. This typically requires entering a custom expression or filter provided by the IDP.

   Examples

   • Okta - The integration process is the same as a standard Okta IDP configuration, except you must provide a custom Expression Value for the Group Claim:

     Field	Value
     Value type	Expression
     Value	Arrays.isEmpty(Groups.startsWith("<id>","",<n>)) ? Groups.startsWith("OKTA","",<n>) : Arrays.isEmpty(Groups.startsWith("OKTA","",<n>)) ? Groups.startsWith("<n>","",<n>) : Arrays.flatten(Groups.startsWith("<id>","",<n>),Groups.startsWith("OKTA","",<n>)) Replace id with the LDAP directory integration ID and n with maximum number of groups.

     For more information, see Okta Integration.

   • Azure AD - The integration process is the same as a standard Azure AD configuration for the Groups claim. You can include security groups or groups assigned to the application in the ID and Access Tokens. Optionally, apply a prefix filter (for example, a10-) to organize group claims for A10 Control.

     For more information, see Azure Active Directory Integration.

4. Test LDAP authentication and MFA (if configured).
   1. Ask an LDAP user to log in to A10 Control with valid credentials and complete MFA verification (if applicable).
   2. After successful login, verify that the user is assigned the correct role by checking either of the following:
      • A10 Control home page > Profile icon > User Profile.
      • A10 Control home page > Organization > Users > Users tab, where the External User column is marked as Yes.