
Streamline and secure multiple IdPs and AD instances

Author: Vishal Gupta, VP of Product Management, Xage Security

Cybersecurity starts with identity—nearly every cyberattack abuses compromised access credentials. Organizations with industrial technology are faced with the challenge of managing multiple identity providers (IdPs) and Active Directory (AD) instances at different sites and layers, across IT, OT, DMZ, and the cloud. The burden of securing and managing a sprawling identity infrastructure quickly gets out of hand.

The Challenge: Authenticating with Multiple AD Instances in Industrial Settings

It’s a security best practice to maintain separate AD instances across separate industrial sites and across IT, OT, and DMZ environments—and is recommended per NIST 800-82 best practices for OT cybersecurity. But those distinct instances make it extremely difficult to implement granular, organization-wide policies for controlling access to implement defense-in-depth best practices.

Plus, requiring admins to create and manage individual user identities for each user across all the Active Directories, with corresponding logins for every remote site and even for each layer within a site, quickly becomes unmanageable. It leads either to high operational cost from chaining AD-joined jump servers, or to global administrators adopting a single Active Directory across all sites to ease organization-wide identity management. On one hand, lowering the security posture in this way can open up multiple attack vectors; on the other hand, convoluted access management across multiple ADs can quickly balloon the management burden on administrators.

Xage Supports Multiple IdPs and AD Instances

Xage Security unifies identity and access management into a single, simple interface. You can configure multiple AD instances across layers and sites, and manage user privileges and access policies for the users of each of those ADs. That lets administrators implement defense-in-depth while maintaining separate AD instances not just across sites but also across different layers of security: one or more for IT, one or more for the DMZ, and another for operational technology (OT).

Key Benefits

  • Have a single distributed mesh integrated with multiple IdPs (LDAP, SAML) across the enterprise to allow seamless layered authentication with MFA.
  • Eliminate static and shared credentials. Use managed accounts and MFA, managed at each layer, to access assets in that layer, even when those assets do not support an IdP or AD.
  • Orchestrate asset visibility and access control across security zones and layers based on predefined, zero-trust policies, so users can only see and access approved assets—customizable by layer or site.

Demo of Access Management with Multiple IdPs

See how it works in this demo video.

Identity-Based Access Management with OT in Mind

Features like supporting multiple IdPs and AD instances further strengthen Xage Identity-Based Access Management, widely deployed across industrial organizations. Protect your assets against common and potent methods of attack, including stolen credentials and the use of exploits against vulnerable systems.

Simplified Management for Multiple Active Directory Instances

Even if you have dozens of AD instances across multiple sites and layers, you can create customized, granular policies centrally in Xage’s browser-based management UI. You can create policies that control an individual user’s access privileges right down to the individual asset, and even the protocols they can use and the time periods during which access is allowed.

Administrators can create different policies across the IT, DMZ, and OT layers. For example, a user who is already authenticated at the IT layer and can access IT assets could be required to authenticate again as they move into OT before they can see or access a PLC or HMI, as approved per the policies in the OT environment.

Xage enforces the principle of least privilege by default while simplifying access for end users. With Xage, users no longer have to remember dozens or hundreds of usernames and passwords to access the different assets their job requires them to work with each day. Xage handles it all, so the user can simply use Xage Single Sign-On (SSO) and pass an MFA challenge when needing to access assets in a separate site or domain. 

Follow Zero Trust Principles To Prevent Cyberattacks

Xage makes it simple to adhere to the principle of least privilege, granting each user only the bare minimum access privileges to the limited set of devices they need to achieve their goals. This thwarts attackers and prevents them from discovering adjacent targets and moving laterally in the event a user’s credentials are stolen.

With Xage, users are not automatically trusted across the entire environment after authenticating once. They must re-authenticate when accessing assets in new sites or layers managed using separate ADs. And every user’s activity is granularly logged, no matter which sites or AD instances they are authenticated into, so any suspicious activity is instantly available for security investigations.

Single Sign On for Industrial Organizations

Xage enables single sign-on for all sites mapped to the same identity provider. When a user logs into an operational site via the Xage fabric, they can only see the assets for the site they’ve authenticated to. They can then authenticate into other sites without leaving the Xage Fabric, and any assets they are allowed to access will become visible, per their privileges and admin-controlled policies.

Offline Authentication

Remote operational sites (think offshore wind farms, solar arrays in the desert, or aircraft carriers traveling across the sea) may have degraded, intermittent, limited, or high-latency internet connectivity. They can’t use authentication and authorization technology that relies on a cloud connection, because if the cloud isn’t reachable, it could render their assets unreachable. Even a technician physically on a ship at sea couldn’t log into its computer systems if their zero trust network access solution needed an internet connection and didn’t have it.

Xage multi-AD authentication now allows administrators to configure a site-specific Active Directory instance, which enables uninterrupted authentication and access control even if the site loses connectivity, because the local AD remains reachable from the Xage fabric node deployed at the site. Additionally, Xage’s advanced credential caching extends that uninterrupted access even if the local AD itself goes offline temporarily.
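The behaviour described in the sections above (per-asset policies with protocol and time-window constraints, re-authentication when a user crosses from one AD realm into another, and offline fallback to a cached credential with a bounded lifetime) can be modelled as a small access broker. This is an added illustration written for this page, not Xage's code or API; the realm names, the `DIRECTORY` credential table and the policy entries are constructed, and the salted PBKDF2 cache is one reasonable design for credential caching, not a description of how Xage implements it.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed credential table standing in for the per-realm directory bind; not a real AD.
DIRECTORY = {("IT-AD", "alice"): "it-pw", ("OT-AD", "alice"): "ot-pw"}

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Realm:                     # one realm per AD instance (a layer or a site)
    name: str
    online: bool = True
    cache: dict = field(default_factory=dict)   # user -> (salt, digest, expires_at)

@dataclass
class Policy:                    # per-user, per-asset rule with allowed protocols and a UTC hour window
    user: str; realm: str; asset: str; protocols: frozenset; start_hour: int; end_hour: int

class Broker:
    def __init__(self, realms, policies, cache_ttl=3600):
        self.realms = {r.name: r for r in realms}
        self.policies = policies
        self.cache_ttl = cache_ttl
        self.sessions = set()    # (user, realm) pairs that passed both password and MFA

    def authenticate(self, realm_name, user, password, mfa_ok, now):
        realm = self.realms[realm_name]
        if realm.online:
            ok = DIRECTORY.get((realm_name, user)) == password
            if ok:               # refresh the offline cache only on a successful online bind
                salt = os.urandom(16)
                realm.cache[user] = (salt, _derive(password, salt), now + self.cache_ttl)
        else:                    # local AD unreachable: fall back to the salted cache while it is fresh
            entry = realm.cache.get(user)
            ok = bool(entry) and now < entry[2] and hmac.compare_digest(entry[1], _derive(password, entry[0]))
        if ok and mfa_ok:
            self.sessions.add((user, realm_name))
        return bool(ok and mfa_ok)

    def can_access(self, user, realm_name, asset, protocol, now):
        if (user, realm_name) not in self.sessions:
            return "reauth-required"   # an IT-realm session grants nothing in the OT realm
        hour = time.gmtime(now).tm_hour
        for p in self.policies:
            if ((p.user, p.realm, p.asset) == (user, realm_name, asset)
                    and protocol in p.protocols and p.start_hour <= hour < p.end_hour):
                return "allow"
        return "deny"                  # least privilege: no matching rule means no access
```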
