1. Field of the Invention
Embodiments of the invention generally relate to enhancing the security of authentication and authorization processes used by certain network devices and hosted applications, and more particularly to an identity broker configured to authenticate users to servers that use certain legacy protocols.
2. Description of the Related Art
User authentication and authorization have been (and remain) a central concern for computer security. Authentication generally refers to a process of verifying the identity of a user (or entity) requesting access to a computing resource. Authorization generally refers to a process of determining the access rights, roles, group membership, etc., of an authenticated user.
While some network devices and networked applications manage user authentication and authorizations directly, a large number of existing systems authenticate users by communicating with an external server according to a user-authentication protocol. For example, many network devices may be configured to communicate with an external server to authenticate a set of credentials submitted by a given user prior to granting access to a computing resource (e.g., a VPN device allowing secure access to a private network). Two well-known user-authentication protocols include RADIUS and LDAP.
RADIUS, short for Remote Authentication Dial In User Service, is a networking protocol that allows users to connect to and use a network service. RADIUS operates as a client/server protocol, originally developed to authenticate users connecting to network services over telephone modems. A RADIUS server authenticates a user requesting access to a network device or hosted application by validating a username and password submitted to the device requesting an authentication decision. That is, a RADIUS server responds to an authentication request with essentially a true/false message regarding the submitted credentials, such as a given username/password combination. Additionally, a RADIUS server can share certain accounting data with a network device or application (e.g., how much time a user has been (or is authorized to be) connected to a computing resource).
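The RADIUS exchange described above, shown end to end as an added example that is not part of the patent text: the network device (RADIUS client) builds an Access-Request whose User-Password is hidden with the RFC 2865 MD5/XOR scheme, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator the client checks before trusting the true/false decision. The packet codes and attribute types are the RFC's; the shared secret, user table and credentials are constructed sample values.

```python
import hashlib
import secrets
import struct

# Added example (not from the page): RADIUS Access-Request / Access-Accept / Access-Reject
# per RFC 2865. Codes and attribute types are from the RFC; the secret, user database and
# credentials used in the demo at the bottom are constructed sample values.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth            # first block keys off the Request Authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block       # later blocks chain on the previous hidden block
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NULs are padding, so a NUL-containing password is not representable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value   # Length counts the Type and Length octets too

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(username, password, secret, ident=1, request_auth=None):
    """Client (network device) side: Code 1, fresh random Request Authenticator, User-Name, hidden User-Password."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
            _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_respond(request, secret, userdb):
    """Server side: recover the password, decide accept/reject, sign the reply with a Response Authenticator."""
    if len(request) < 20:
        raise ValueError("short packet")
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    hidden = attrs.get(ATTR_USER_PASSWORD)
    ok = (hidden is not None and user in userdb
          and secrets.compare_digest(userdb[user], reveal_password(hidden, secret, request_auth)))
    reply_attrs = b""
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs

def client_verify(request, response, secret):
    """Client side: True = Access-Accept, False = Access-Reject, None = reply unverifiable (drop it)."""
    if len(response) < 20:
        return None
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        return None
    return code == ACCESS_ACCEPT

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"            # constructed sample value
    USERS = {"alice": b"correct horse"}              # constructed stand-in for the server's user store
    req = build_access_request("alice", "correct horse", SECRET, ident=5)
    print("accept?", client_verify(req, server_respond(req, SECRET, USERS), SECRET))
```

The reply carries no attributes, which is the minimal true/false answer the text describes; a real server would add accounting- or session-related attributes after the 20-byte header and they would be covered by the same Response Authenticator. The `None` return is the case worth keeping distinct from a reject: a reply whose authenticator does not verify under the shared secret, or whose identifier does not match the outstanding request, is not a decision at all and should be discarded rather than treated as either outcome.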
LDAP, short for Lightweight Directory Access Protocol, is a well-known protocol used to manage information about authorized users on a network such as names, phone numbers, and addresses. LDAP, like RADIUS, specifies a protocol for authenticating a user using a username/password combination. An LDAP server can also return a collection of attributes and/or security policies associated with an authenticated user (e.g., a list of groups of which a user is a member).
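The LDAP username/password authentication mentioned above is a simple bind (RFC 4511). The following added example, which is not from the patent and uses no real directory, hand-encodes the BindRequest and BindResponse in BER so it runs offline, then returns the bound user's group memberships as the authorization data the text refers to. The tag values are the protocol's; the DN, password and group names in `DIRECTORY` are constructed sample values.

```python
import secrets

# Added example (not from the page): LDAPv3 simple bind, hand-encoded in BER (RFC 4511),
# against a constructed in-memory directory standing in for a real LDAP server.
DIRECTORY = {   # constructed: DN -> password and memberOf attribute
    "uid=alice,ou=people,dc=example,dc=com": {
        "password": b"correct horse",
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com", "cn=staff,ou=groups,dc=example,dc=com"],
    },
}
LDAP_VERSION = 3
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] and [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80                              # AuthenticationChoice: simple [0] OCTET STRING
RESULT_SUCCESS, RESULT_INVALID_CREDENTIALS = 0, 49

def ber_len(n):
    """Definite length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def num(tag, n):
    # Non-negative INTEGER/ENUMERATED; the extra leading byte keeps the sign bit clear
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_tlv(data, pos=0):
    """Return (tag, value, next_pos); rejects indefinite or oversized lengths and truncated values."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(data):
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:pos + length], pos + length

def build_bind_request(msg_id, dn, password):
    """Client side: LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = (num(TAG_INTEGER, LDAP_VERSION) + tlv(TAG_OCTET_STRING, dn.encode())
          + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, num(TAG_INTEGER, msg_id) + tlv(TAG_BIND_REQUEST, op))

def server_bind(message, directory):
    """Server side: check the simple credentials and answer with a BindResponse carrying a resultCode."""
    tag, body, _ = parse_tlv(message)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    t_id, mid, pos = parse_tlv(body)
    t_op, op, _ = parse_tlv(body, pos)
    if t_id != TAG_INTEGER or t_op != TAG_BIND_REQUEST:
        raise ValueError("expected a BindRequest")
    t_ver, ver, pos = parse_tlv(op)
    _t_dn, dn, pos = parse_tlv(op, pos)
    t_auth, pw, _ = parse_tlv(op, pos)
    entry = directory.get(dn.decode("utf-8", "replace"))
    ok = (t_ver == TAG_INTEGER and int.from_bytes(ver, "big") == LDAP_VERSION
          and t_auth == TAG_SIMPLE_AUTH
          and len(pw) > 0   # RFC 4513 5.1.2: a name with an empty password is an unauthenticated bind; refuse it
          and entry is not None and secrets.compare_digest(entry["password"], pw))
    result = (num(TAG_ENUMERATED, RESULT_SUCCESS if ok else RESULT_INVALID_CREDENTIALS)
              + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, b""))   # matchedDN, diagnosticMessage
    return tlv(TAG_SEQUENCE, num(TAG_INTEGER, int.from_bytes(mid, "big")) + tlv(TAG_BIND_RESPONSE, result))

def client_bind_result(response, expected_id):
    """Client side: resultCode of a BindResponse matching our messageID, or None if the reply does not fit."""
    tag, body, _ = parse_tlv(response)
    if tag != TAG_SEQUENCE:
        return None
    t_id, mid, pos = parse_tlv(body)
    t_op, op, _ = parse_tlv(body, pos)
    if t_id != TAG_INTEGER or t_op != TAG_BIND_RESPONSE or int.from_bytes(mid, "big") != expected_id:
        return None
    t_code, code, _ = parse_tlv(op)
    return int.from_bytes(code, "big") if t_code == TAG_ENUMERATED else None

def authenticate_and_authorize(dn, password, directory=DIRECTORY, msg_id=1):
    """Bind as the user; on success return the user's group memberships (authorization data), else None."""
    reply = server_bind(build_bind_request(msg_id, dn, password), directory)
    if client_bind_result(reply, msg_id) != RESULT_SUCCESS:
        return None
    return list(directory[dn]["memberOf"])
```

The empty-password check is the detail most often missed when a device delegates authentication to LDAP: a bind with a name and a zero-length password is, by the protocol, an unauthenticated bind that many servers answer with success, so a client that only looks for `resultCode 0` would treat it as a valid login. Group data is returned here straight from the entry once the bind succeeds; a real client would issue a separate SearchRequest for `memberOf`, but the decision order (authenticate first, then read authorization attributes) is the same.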