Remote Authentication and Authorization

A10 Control supports remote authentication and authorization through integration with external identity providers such as Okta and Azure Active Directory (Azure AD), directory services accessed via LDAP and LDAPS, and terminal-based authentication using TACACS+.

This integration enables secure Single Sign-On (SSO) and centralized user management, while A10 Control continues to enforce access through Role-Based Access Control (RBAC).

When remote authentication is enabled:

Authentication and Authorization Flow

After successful authentication, the IDP, directory, or TACACS+ server returns user profile attributes (such as group claims or access group mappings). A10 Control evaluates these attributes against its internal access group configurations to assign the appropriate roles and permissions.

Only Organization Admins have permission to configure remote authentication and authorization within A10 Control.

Configure Remote Authentication and Authorization

To enable remote authentication and authorization in A10 Control, perform the following steps:

  1. Configure the Remote Authentication Server.

    • For IDPs (Okta or Azure AD) – Set up and configure the provider, including SSO settings, certificates, and group claims. For more information, see Okta Integration and Azure Active Directory Integration.
    • For LDAP/LDAPS – Configure directory connection settings, base DN, bind credentials, and group mappings. For more information, see LDAP and LDAPS Integration.
    • For TACACS+ – Configure TACACS+ connection details such as host IP addresses, port (default: 49), retries, timeout, and shared secret. The TACACS+ server enforces role mapping through A10-Control-Access-Groups attributes for TACACS+ authorization. For more information, see TACACS+ Integration.
  2. Create Access Groups in A10 Control using Manage Access Group.

    Access groups define the operations a user can perform and the resources accessible within A10 Control. These groups must correspond to the groups or attributes returned by the remote provider:

    • Okta/Azure AD – Map the IDP group using Manage IDP Groups.
    • LDAP/LDAPS – Map the LDAP group name directly to the Access Group name (case-sensitive).
    • TACACS+ – Map TACACS+ attributes to Access Groups by configuring them in the TACACS+ server’s /etc/tac_plus.conf file.

    For more information, see Role-Based Access Control (RBAC).

  3. Configure Provider Attributes in A10 Control using Manage User Auth.

    Specify the required IDP attributes (e.g., groups, amr, or LDAP DN) returned by the provider. These attributes are used by A10 Control to match users to the appropriate access groups.

  4. Ask a test user to log in to the A10 Control portal with valid credentials for the chosen remote authentication method.

  5. Upon successful login, verify the assigned role in:

    • User Profile (Profile icon > User Profile), or
    • Organization > Users > Users tab, ensuring the External User column shows Yes.
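The attribute-evaluation step described above (authentication succeeds, then the returned group attributes are matched against the access groups an Organization Admin created) as an added Python model; this is an illustration written for this page, not A10 Control's own code. The access-group names, the use of `memberOf` as the LDAP attribute, and the comma-separated value format for the TACACS+ attribute are assumptions.

```python
"""Model of how a remote provider's profile attributes are matched to
A10 Control access groups (illustration only, not A10 Control's code)."""

# Constructed access-group table, as created under Manage Access Group.
# Access-group names are matched exactly and case-sensitively.
ACCESS_GROUPS = {
    "NetOps-Admin": ["Organization Admin"],
    "NetOps-ReadOnly": ["Viewer"],
}

# Which profile attribute carries group membership for each provider.
# "groups" and "A10-Control-Access-Groups" come from the page;
# "memberOf" for LDAP is an assumption.
PROVIDER_ATTRIBUTE = {
    "okta": "groups",
    "azure_ad": "groups",
    "ldap": "memberOf",
    "tacacs": "A10-Control-Access-Groups",
}


def extract_groups(provider, attributes):
    """Return the list of group names found in the provider's attributes."""
    raw = attributes.get(PROVIDER_ATTRIBUTE[provider], [])
    if isinstance(raw, str):
        # TACACS+ av-pairs arrive as one string; assume a comma-separated list.
        raw = [g.strip() for g in raw.split(",") if g.strip()]
    return list(raw)


def resolve_access(provider, attributes):
    """Map returned groups to access groups and roles.

    A user whose groups match nothing is authenticated but receives no
    roles (fail closed); a case mismatch is treated as no match.
    """
    matched = [g for g in extract_groups(provider, attributes) if g in ACCESS_GROUPS]
    roles = sorted({r for g in matched for r in ACCESS_GROUPS[g]})
    return {"access_groups": matched, "roles": roles, "granted": bool(matched)}


if __name__ == "__main__":
    # Constructed sample: an Okta user carrying one mapped and one unmapped group.
    print(resolve_access("okta", {"groups": ["NetOps-ReadOnly", "Everyone"]}))
```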


COMPANY INFORMATION: Copyright © 2025 A10 Networks, Inc. All Rights Reserved. Legal Notice