Authentication and authorization are central to protecting access to resources.
Authentication is the process of validating the identity of a user, to ensure that the user connecting to a system is who they claim to be and is permitted to connect.
Authorization controls the access granted to users. With authorization policies, you can specify whether an authenticated user is permitted to access a given resource. For instance, on a protected resource such as saml.acme.com, you can restrict which users may access the saml.acme.com/admin page.
Avi Load Balancer supports various authentication and authorization mechanisms to cater to different use cases.
This section explains in detail the client traffic authentication in Avi Load Balancer. For Controller authentication, see User Authentication and Authorization in the VMware NSX Advanced Load Balancer Product Documentation.
The supported client authentication methods are LDAP authentication, SAML authentication, OAuth/OIDC, and JWT validation. Avi Load Balancer also provides authorization policies on top of these to meet authorization requirements.
LDAP is a protocol used for accessing a directory service, which provides a structured and organized view of an authentication system through a hierarchical, object-oriented database approach. Avi Load Balancer supports LDAP authentication for clients accessing virtual services, that is, the applications hosted by NSX Advanced Load Balancer virtual services.
Security Assertion Markup Language (SAML) is used for authentication between a service provider and an identity provider. NSX Advanced Load Balancer serves as a Service Provider (SP) to protect your load-balanced back-end HTTP/HTTPS applications. Avi Load Balancer supports SP-initiated SSO with third-party identity providers (IdPs). NSX Advanced Load Balancer supports integration with various identity providers, including Okta, Ping Federate, OneLogin, Google, and Microsoft Active Directory Federation Services (ADFS).
Avi Load Balancer also supports client authorization through access tokens using OAuth. OAuth provides secure delegated access, where an application can take actions or access resources on a server on behalf of the user without the user having to share their credentials. This is accomplished by allowing the identity provider (IdP) to issue tokens to third-party applications with the user’s approval.
OIDC allows clients to verify the identity of the end user based on the authentication performed by an authorization server and obtain basic profile information about the end user in an interoperable and REST-like manner.
Acting as both an OAuth client and a resource server, Avi Load Balancer obtains the authorization code from the end user, exchanges the authorization code for an access token, validates the access token, and allows the client to access the resource based on the result of the token validation and on authorization policies evaluated against the token's claims.
JWT validation is the authorization method used to provide access to the protected resource based on a JWT issued by an authorization server.
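The two steps that the OAuth/OIDC and JWT descriptions above share are token validation and a claims-based authorization decision. The following is an added example, not Avi Load Balancer code or configuration, showing what those steps look like in isolation: an HS256 JWT is checked for a pinned algorithm, a valid signature, expiry, issuer and audience, and the resulting claims are then matched against a per-path policy like the saml.acme.com/admin restriction mentioned earlier. The shared secret, issuer URL, group names and paths are all constructed for the example; it uses only the Python standard library so it runs offline.

```python
"""HS256 JWT validation followed by a claims-based authorization decision (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. A real deployment validates against the
# authorization server's published keys, not a hard-coded shared secret.
HMAC_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"   # constructed issuer
EXPECTED_AUDIENCE = "saml.acme.com"            # audience reuses the page's example host


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 token. Used here only to construct sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, exp, iss and aud. Return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the accepted algorithm instead of trusting whatever the header announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the presented signature against the recomputed one.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this resource")
    return claims


# Authorization policy: request path prefix -> set of 'groups' claim values allowed there.
AUTHZ_POLICY = {
    "/admin": {"admin"},
    "/": {"admin", "staff", "user"},
}


def authorize(claims: dict, path: str) -> bool:
    """Allow if any group in the token is permitted for the longest matching path prefix."""
    groups = set(claims.get("groups", []))
    for prefix in sorted(AUTHZ_POLICY, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return bool(groups & AUTHZ_POLICY[prefix])
    return False


def decide(token: str, path: str, now: Optional[float] = None) -> str:
    """Authentication (validate_jwt) then authorization (authorize), as one HTTP-style decision."""
    try:
        claims = validate_jwt(token, HMAC_SECRET, now)
    except ValueError as exc:
        return "401 %s" % exc
    return "200" if authorize(claims, path) else "403 forbidden"


if __name__ == "__main__":
    # Constructed sample tokens: an admin, an ordinary user, and an expired token.
    now = time.time()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 300}
    admin = mint_jwt({**base, "sub": "alice", "groups": ["admin"]}, HMAC_SECRET)
    user = mint_jwt({**base, "sub": "bob", "groups": ["user"]}, HMAC_SECRET)
    expired = mint_jwt({**base, "sub": "carol", "groups": ["admin"], "exp": now - 1}, HMAC_SECRET)
    for label, tok, path in [("admin", admin, "/admin"), ("user", user, "/admin"),
                             ("user", user, "/"), ("expired", expired, "/")]:
        print(label, path, "->", decide(tok, path, now))
```

The split between `validate_jwt` and `authorize` mirrors the two questions a reverse proxy answers in order: is this token genuine and still valid for this audience (a failure yields 401), and do its claims satisfy the policy for the requested path (a failure yields 403). Keeping the accepted algorithm pinned and comparing signatures with `hmac.compare_digest` are the two checks most often missing from hand-rolled validators.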
The implementation of each of these authentication methods in Avi Load Balancer will be discussed in upcoming topics.