Integrating Linux Infrastructure with IAM – Azure Entra ID: A Comparative Analysis

Migrating on-premises infrastructure to the cloud often involves integrating existing Linux systems with cloud-based identity providers like Azure Entra ID (formerly Azure AD). This post explores various integration options, comparing and contrasting their strengths and weaknesses to help you choose the best approach for your needs.

Current State and Target Goals

Our environment consists of approximately 200 VMs (mostly Oracle Linux 8, with a few pfSense firewalls) hosted in a data center. Access is currently managed via SSH certificates, with user management handled through Ansible playbooks. We lack automated identity management.

Our target state is a unified identity platform using Microsoft Entra ID. We aim to achieve single sign-on (SSO) across all systems (Linux, Windows, and FreeBSD), with centralized identity management (user creation and revocation) through Azure.

Key Considerations

Integrating Linux/BSD systems with Entra ID requires leveraging supported authentication and authorization mechanisms. These typically include certificates, LDAP/Kerberos, and RADIUS. Therefore, any chosen solution must support one of these protocols.

Our evaluation criteria include:

  • Cost: Budgetary constraints.
  • Complexity: Ease of implementation and ongoing support.
  • Reliability/Sustainability: Long-term stability and vendor support (if applicable).
  • Scalability: Ability to accommodate future growth.

Available Integration Options

Here’s a breakdown of the most common integration methods:

1. Active Directory Domain Services (AD DS)

AD DS supports LDAP/Kerberos and integrates with a wide range of operating systems and network devices. It’s a well-established and proven solution. To connect our Linux VMs to Entra ID, we can use one of the following:

2. FreeIPA

FreeIPA is an open-source IAM solution based on LDAP/Kerberos, similar to AD DS. It would still need to be integrated with Entra ID, either directly or through an AD DS server. This option might be a good fit if Entra ID integration were not a requirement; however, direct Entra ID integration appears complex and poorly documented.

3. Okta

Okta is a commercial IAM platform. Integrating it with our Linux systems would likely involve on-premises RADIUS connectors, which proxy authentication requests to Okta. This introduces an additional IAM layer and added cost. Direct LDAP/AD integration with Okta is also possible but requires additional LDAP servers. RADIUS over the internet is also a security concern.

4. Teleport

Teleport is a certificate-based access solution for SSH, Windows servers, Kubernetes, databases, and web applications. It can be deployed on-premises or in the cloud. Teleport agents are deployed on target systems. Entra ID integration occurs on the Teleport side. Users authenticate to the Teleport portal using Entra ID credentials and then access Linux hosts via the Teleport agent using certificates. Linux server logs won’t show Entra ID usernames directly. Teleport offers community and commercial editions.

5. PAM Solutions (e.g., Thycotic, CyberArk)

Privileged Access Management (PAM) solutions provide comprehensive control over administrative access. While they can be used for Linux integration, they offer more features (password rotation, session logging, etc.) than we currently require. They can be complex to set up and maintain.

Comparison Chart

| Solution | Pros | Cons |
|---|---|---|
| AD DS | Well-documented, well-tested, simple setup, simple authentication flow, commercial support | Requires AD server deployment (cloud or on-premises), commercial solution |
| FreeIPA | Open-source | Requires complex Entra ID/AD DS integration, limited documentation, community support |
| Okta | Well-documented, robust IAM features | Additional costs, redundant IAM, complex login flow, expensive, RADIUS security concerns |
| Teleport | Simple setup (managed service), multi-platform support, user-friendly interface | Relatively new, limited community edition features, commercial solution, doesn't directly integrate Entra ID credentials into Linux systems |
| PAM Solutions | Strong security features, multi-platform support | Complex setup and maintenance, overkill for basic integration |
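For the AD DS option in the chart, the host side on Oracle Linux 8 is an SSSD domain section that talks LDAP/Kerberos to the domain controller. The following sssd.conf is an added example, not configuration from the post; the realm CORP.EXAMPLE.COM and the group linux-admins are hypothetical, and the access-control settings show the least-privilege choices a practitioner would want rather than the permissive defaults.

```ini
# /etc/sssd/sssd.conf (added example; realm and group names are hypothetical)
[sssd]
config_file_version = 2
# The ssh responder lets sshd fetch public keys from AD via sss_ssh_authorizedkeys
services = nss, pam, ssh
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
# Use the AD access provider so logins are evaluated against AD, not just "any valid user"
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli

# Derive UIDs/GIDs from the AD SID so identities are identical on every joined VM
ldap_id_mapping = True

# Never enumerate the whole directory; it is slow and leaks the user list to every host
enumerate = False

# Only members of this AD group may log in; all other domain users are denied at the access stage
ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=corp,DC=example,DC=com)

# Honour the "Allow log on" rights from AD Group Policy; use "permissive" only while testing
ad_gpo_access_control = enforcing

# Offline credential caching keeps password hashes on the host; leave it off unless needed
cache_credentials = False

use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
```

SSSD refuses to start unless this file is owned by root with mode 0600, and a revoked or disabled AD account is rejected at the next login because credentials are not cached.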
