How does Portnox Cloud integrate with authentication repositories?

Authentication repositories supported by Portnox Cloud: Entra ID, Google Workspace, Okta, Active Directory, and OpenLDAP are all LDAP directories. LDAP stands for Lightweight Directory Access Protocol, which is the protocol all these directories support when communicating with clients, in addition to their own repository-specific mechanisms. That is why in Cloud, these authentication repositories are sometimes referred to as LDAP directories.

When you integrate Portnox Cloud with one of these directories, we use either LDAP or repository-specific mechanisms (depending on the repository) to read all the information in these directories, but Portnox Cloud does not have the rights to perform any changes in the directory. The goal of the integration is for Cloud to know all the user/device identifiers (User Principal Names – UPN) and groups or organizational units that these users/devices are in, as well as to know their credentials (safely stored as hashes) for credential-based login. This is all that Cloud requests; it does not need to access any other data such as personal information, email aliases, etc.

Once Portnox Cloud has the list of users/devices and groups/org units, the Cloud administrator can then assign these repository groups or org units to Cloud groups. This means that if user kosh is in the Entra ID group Ambassadors, and you align the Entra ID group Ambassadors with a Cloud group B5-Ambassadors, kosh will have the access rights defined in the B5-Ambassadors group in Cloud.

When a user or device attempts to connect to the network protected by Portnox Cloud, and the NAS device contacts the Cloud RADIUS server, Cloud does not access the authentication repository directly. It checks if there is a Cloud LDAP account for that user/device. If there is, it follows the access rights as defined in the Cloud group that this Cloud account is assigned to.

Portnox Cloud periodically synchronizes the list of users/devices/groups/org units with the authentication repository to reflect any changes made there, such as new users/devices that you added, users/devices that you removed, or users/devices that you moved between groups. If differences are found, the behavior of Cloud depends on several settings:

  • If Portnox Cloud finds that some users were deleted from the authentication repository or they were moved to other groups or organizational units in the directory:

    • If your tenant has the synchronization remapping safeguard enabled for the authentication repository (currently this option must be enabled or disabled with the help of support), Portnox Cloud generates an alert, but follows up with the same changes in Portnox Cloud LDAP accounts after a 24-hour safety period.

    • If the synchronization remapping safeguard is not enabled, Portnox Cloud immediately makes the same changes in its LDAP accounts.

    The safeguard exists to make it less likely to accidentally remove a large number of users due to, for example, poorly planned changes in the directory structure.

  • If Portnox Cloud discovers there are new users in your authentication repository, who are assigned to groups that are already mapped to Portnox Cloud groups, it must create LDAP accounts for these users. However, there are some options to prevent that, in the unlikely case that you do not want any new users accessing the network:

    • If you use credential-based authentication without AgentP, the behavior depends on the Enable automatic LDAP-based device onboarding checkbox in the Portnox Cloud group. If this checkbox is active, Cloud will automatically create a new LDAP account the first time a new user in any group accesses the Cloud-protected network. If the checkbox is not active, the new user will be denied access, even if they provide correct credentials, because no LDAP account can be created.

    • If you use certificate-based authentication without AgentP, the behavior depends on the following global checkbox: Settings > Services > GENERAL SETTINGS > Agentless auto-onboarding with certificates > Allow auto-onboarding with certificates. If this checkbox is active, Cloud will automatically create a new LDAP account the first time a new user in that group accesses the Cloud-protected network. If the checkbox is not active, the new user will be denied access, even when using a valid certificate, because no LDAP account can be created.

    • If you use AgentP, the Portnox Cloud LDAP account is created during AgentP onboarding of the new user. If you use self-onboarding, the Portnox Cloud LDAP account is created when you request the self-onboarding certificate for the new user. In both these cases, there is no option to deny access to a new user in the group.
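The synchronization behavior described above (deleted or moved users held for a 24-hour safety period when the remapping safeguard is on, applied immediately when it is off, and new users in mapped groups reported for onboarding), modelled as a constructed example. This is added illustration code, not Portnox's own implementation; the user names, group names and dictionary shapes are assumptions.

```python
from datetime import datetime, timedelta

SAFETY_PERIOD = timedelta(hours=24)  # the page's 24-hour safety period


def reconcile(accounts, directory, group_map, safeguard, now, pending=None):
    """One synchronization pass (constructed model, not Portnox's code).

    accounts:  {upn: cloud_group}       Cloud LDAP accounts before this pass
    directory: {upn: dir_group}         latest snapshot read from the repository
    group_map: {dir_group: cloud_group} administrator's group alignments
    safeguard: synchronization remapping safeguard on/off
    pending:   {upn: due_time}          removals/moves held from earlier passes
    Returns (accounts, pending, alerts, new_users).
    """
    pending = dict(pending or {})
    desired = {u: group_map[g] for u, g in directory.items() if g in group_map}
    updated = dict(accounts)
    alerts = []
    # Accounts whose directory state (deleted, or moved) no longer matches
    changed = [u for u, grp in accounts.items() if desired.get(u) != grp]
    for upn in changed:
        due = pending.get(upn)
        if not safeguard or (due is not None and now >= due):
            _apply(updated, desired, upn)          # act now
            pending.pop(upn, None)
        elif due is None:
            pending[upn] = now + SAFETY_PERIOD     # alert now, act after 24 h
            alerts.append(f"{upn}: directory change held until {pending[upn]:%Y-%m-%d %H:%M}")
    # A change reverted in the directory before the period ends is dropped
    for upn in list(pending):
        if upn not in changed:
            del pending[upn]
    new_users = sorted(u for u in desired if u not in accounts)
    return updated, pending, alerts, new_users


def _apply(accounts, desired, upn):
    if upn in desired:
        accounts[upn] = desired[upn]   # moved between two mapped groups
    else:
        del accounts[upn]              # deleted, or moved to an unmapped group


if __name__ == "__main__":
    # Constructed sample: the Ambassadors group was emptied by mistake
    accounts = {"kosh": "B5-Ambassadors", "delenn": "B5-Ambassadors"}
    group_map = {"Ambassadors": "B5-Ambassadors"}
    t0 = datetime(2024, 1, 1, 9, 0)
    acc, held, alerts, _ = reconcile(accounts, {}, group_map, True, t0)
    print(acc, held, alerts)  # accounts kept, both users held for 24 hours
```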