IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Extending SAML Authorization to Legacy Applications

Iboss 1.JPG

The Challenge

Organizations using Azure Active Directory via SAML improve their security posture for access to cloud applications. But what about legacy applications that they have on premises or may have moved to hosting in the public cloud? Many of those applications do not support SAML based identity. They often rely on legacy NTLM or Kerberos authorization for user access. These methods authorize access for an extended period of time and do not enable Zero Trust access where authorization needs to be done on a least privileged basis.

Organizations also want to be able to apply conditional access policies for resource access based on device risk posture or threat level and take action on each request.

The challenge and solution look like this:

iboss Extends SAML Authorization to Legacy Applications


The Solution

iboss forces SAML authentication to any non-SAML aware app resource by applying Azure
AD authorization on a per-request basis in compliance with Zero Trust principles.

iboss can apply different levels of authentication requirements for different

  • iboss can perform SAML authentication (SAML/OIDC) on legacy applications and services that do not support SAML authentication.
  • iboss can force SAML authentication for resources that require different identity providers.
  • iboss can associate each resource policy with a different Identity Provider (IdP) that can be used for authenticating users.

Because access is granted to resources through the iboss Zero Trust Edge, iboss can force SAML authentication even in cases where the protected resources have no ability to do so. This is because the SAML authentication is performed between the user and the iboss Zero Trust Edge before the connection is granted to the resource. This allows legacy applications and services to be protected by SAML authentication and comply with Zero Trust principles.

Resource policies can also be configured to require that multi factor authentication (MFA) be used before access to a resource is granted. If the resource policy requires MFA, the iboss Zero Trust Edge confirms that MFA was validated during the login process.

Benefits of Microsoft Azure AD and iboss for Authorization to Legacy Applications

  • Eliminates the need for legacy firewalls with shift to iboss Zero Trust Edge.
  • Eliminates reliance on Kerberos authentication, with shift to SAML authentication.
  • Lowers risk from reliance on legacy authorization’s lengthy session time outs which can result in high risk impact from unauthorized access.
  • Enables Zero Trust compliance from forced authentication on every packet, regardless of application.
  • Avoids the need to lift and shift legacy resources immediately in order to support Zero Trust Architecture.
  • Provides granular per resource control around applications.
  • Provides visibility into risk profile beyond just legacy user authentication.

View PDF Here
iboss is a cloud security company that provides organizations and their employees fast and secure access to the Internet on any device, from any location, in the cloud. The iboss SASE cloud platform provides network security as a service, delivered in the cloud, as a complete SaaS offering. This eliminates the need for traditional network security appliances, such as firewalls and web gateway proxies, which are ineffective at protecting a cloud-first and mobile world. Leveraging a purpose-built cloud architecture backed by 230+ issued and pending patents and more than 100 points of presence globally, iboss processes over 100 billion transactions daily, blocking nearly 4 billion malware threats per day. More than 4,000 global enterprises trust the iboss SASE cloud platform to support their workforce, including a large number of Fortune 50 companies. To learn more, visit