Last updated on June 30, 2026
Overview
How does Rublon Authentication Proxy work?


Before you start
Install Rublon Authentication Proxy
Linux
Important
Windows
Note
Configure Rublon Authentication Proxy
Sections
Important
The second section, global, allows you to define general settings that may reference resources outside of the Auth Proxy, like OS environment variables.
Section: rublon
Note
Starting with Rublon Authentication Proxy 3.7.0, you can define multiple rublon sections by adding a number at the end of the name, like rublon2, rublon3, and so on (up to rublon9). For example, you can define rublon and rublon2:
rublon:
  api_server: https://core.rublon.net
  system_token: YOURTOKEN
  secret_key: yoursecret
rublon2:
  api_server: https://core.rublon.net
  system_token: YOURTOKEN2
  secret_key: yoursecret2
Then, in your proxy_servers or directory_sync section, you can choose which rublon section to use by setting the rublon_section option to the right name. For example:
proxy_servers:
- name: RADIUS-Proxy
  type: RADIUS
  radius_secret: secret_to_communicate_with_the_proxy
  ip:
  port: 1812
  mode: standard
  auth_source: LDAP_SOURCE_1
  auth_method: email
  rublon_section: rublon
- name: LDAP-Proxy
  type: LDAP
  ip:
  port: 389
  auth_source: LDAP_SOURCE_1
  auth_method: email
  rublon_section: rublon2
This approach allows you to define multiple applications of the type Rublon Authentication Proxy in the Applications tab of the Rublon Admin Console, and then have a few corresponding proxy server and Directory Sync configurations on a single instance of the Rublon Authentication Proxy.
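A mistyped rublon_section value, or a system_token copied between sections, ties a proxy server to a different Rublon application than intended. The following pre-deployment check is an added example, not part of the Rublon Authentication Proxy. It assumes the configuration file has already been parsed from YAML into a Python dict; the function name lint_rublon_sections is hypothetical, and directory_sync is not checked because its layout is not shown on this page.

```python
import re

# Section names listed on the page: rublon, then rublon2 through rublon9.
SECTION_NAME = re.compile(r"^rublon[2-9]?$")


def lint_rublon_sections(cfg):
    """Return a list of findings for a parsed Auth Proxy config (a dict)."""
    findings = []
    sections = {k: v for k, v in cfg.items() if k.startswith("rublon")}
    for name in sections:
        if not SECTION_NAME.match(name):
            findings.append(f"{name}: not one of rublon, rublon2..rublon9")

    # Two sections with the same system_token point at the same application,
    # so the proxies that use them would not be separated at all.
    seen = {}
    for name, body in sections.items():
        token = (body or {}).get("system_token")
        if token in seen:
            findings.append(f"{name}: same system_token as {seen[token]}")
        elif token:
            seen[token] = name

    # Every rublon_section reference must name a section that exists.
    for srv in cfg.get("proxy_servers") or []:
        ref = srv.get("rublon_section")
        if ref is not None and ref not in sections:
            findings.append(f"{srv.get('name')}: rublon_section '{ref}' is not defined")
    return findings


# Constructed sample: LDAP-Proxy points at rublon3, which is never defined.
SAMPLE = {
    "rublon": {"system_token": "YOURTOKEN", "secret_key": "yoursecret"},
    "rublon2": {"system_token": "YOURTOKEN2", "secret_key": "yoursecret2"},
    "proxy_servers": [
        {"name": "RADIUS-Proxy", "type": "RADIUS", "rublon_section": "rublon"},
        {"name": "LDAP-Proxy", "type": "LDAP", "rublon_section": "rublon3"},
    ],
}

if __name__ == "__main__":
    for finding in lint_rublon_sections(SAMPLE):
        print(finding)
```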
Section: global
Section: log
Section: proxy_servers
General proxy server settings
RADIUS proxy server settings
LDAP proxy server settings
Section: auth_sources
LDAP source settings
Note: If you use Google Secure LDAP as an LDAP authentication source, the configuration differs slightly from a standard Active Directory or OpenLDAP setup and requires additional Google Secure LDAP-specific options, including TLS hostname verification and client certificate settings. For a full example and a detailed explanation of the Google Secure LDAP-specific parameters, see: Using Google Secure LDAP With Rublon Authentication Proxy.
Google Secure LDAP client certificate validation rules:
- Use either PEM pair (client_cert_path + client_pkey_path) or PKCS#12 (client_p12_path), but not both.
- client_cert_path and client_pkey_path must be set together.
- client_pkey_password requires client_pkey_path.
- client_p12_password requires client_p12_path.
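The four rules above can be checked before the proxy is restarted with a new certificate. This is an added example, not Rublon code: it takes the options of one LDAP auth source as a Python dict, the function name check_client_cert_options is hypothetical, and the file paths and passwords in the samples are constructed placeholders.

```python
def check_client_cert_options(source):
    """Return the violated client-certificate rules for one LDAP auth source."""
    def is_set(key):
        # An option counts as set only when it has a non-empty value.
        return source.get(key) not in (None, "")

    pem_cert = is_set("client_cert_path")
    pem_key = is_set("client_pkey_path")
    p12 = is_set("client_p12_path")

    problems = []
    if (pem_cert or pem_key) and p12:
        problems.append("PEM pair and PKCS#12 are both configured; use only one")
    if pem_cert != pem_key:
        problems.append("client_cert_path and client_pkey_path must be set together")
    if is_set("client_pkey_password") and not pem_key:
        problems.append("client_pkey_password requires client_pkey_path")
    if is_set("client_p12_password") and not p12:
        problems.append("client_p12_password requires client_p12_path")
    return problems


# Constructed samples: one valid PEM pair, and one mixed setup that breaks
# three rules at once (half a PEM pair, a PKCS#12 file, an orphaned password).
VALID_PEM = {
    "client_cert_path": "/path/to/client.crt",
    "client_pkey_path": "/path/to/client.key",
    "client_pkey_password": "PLACEHOLDER",
}
MIXED = {
    "client_cert_path": "/path/to/client.crt",
    "client_p12_path": "/path/to/client.p12",
    "client_pkey_password": "PLACEHOLDER",
}

if __name__ == "__main__":
    for label, sample in (("VALID_PEM", VALID_PEM), ("MIXED", MIXED)):
        print(label, check_client_cert_options(sample) or "ok")
```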
RADIUS source settings
ENTRA source settings
You can configure Microsoft Entra ID as an authentication source for the LDAP Proxy. In this mode, the Rublon Authentication Proxy authenticates users against Microsoft Entra ID and exposes users and groups through a virtual LDAP directory.
| Option | Description |
| --- | --- |
| tenant_id | The Directory (tenant) ID of your Microsoft Entra ID tenant. The Rublon Auth Proxy uses it to connect to Entra ID for primary authentication and to read users and groups from Microsoft Graph. You can find this value in the Microsoft Entra admin center under Identity → Overview → Tenant ID. |
| client_id | The Application (client) ID of the Entra app registration. The Rublon Auth Proxy uses it to authenticate against Entra ID. The app must support the Resource Owner Password Credentials (ROPC) flow for user logins and have Microsoft Graph application permissions for directory reads when the LDAP Proxy simulates an LDAP tree from Entra data. |
| client_secret | The client secret of the Entra app registration identified by client_id. The Rublon Auth Proxy uses it as the application credential when calling Entra ID and Microsoft Graph. Store this value securely. It can also be loaded from an external secret source when global.secret_source is configured. |
| base_dn | The base Distinguished Name of the virtual LDAP directory that the Rublon Auth Proxy exposes for Entra ID. User and group entries returned by LDAP search requests are placed under this DN. This value does not need to match your real Active Directory naming. It defines the LDAP namespace that integrated applications see. Example: dc=entra,dc=microsoft,dc=com |
| access_user | Optional. The UPN or domain-qualified username of a service account that may bind to the LDAP Proxy without Rublon MFA. When a bind request matches this user, the Rublon Auth Proxy performs only primary Entra authentication and skips the MFA step. Use this for integrations that require a persistent LDAP bind (similar to an LDAP access_user_dn). Accepted formats: user@domain.com or domain.com\user. If omitted, all users must complete MFA. |
Section: hosts_whitelist
rublon: ...
proxy_servers: ...
auth_sources: ...
hosts_whitelist:
- 192.168.0.5
- 172.16.1.11
Section: directory_sync
Append Mode
"use_append_mode": true
"append_mode_separator": ","
How does it work?
Non-PAP protocol for RADIUS communication
Note
High Availability
If you run multiple services protected by the Rublon Authentication Proxy and cannot afford an interruption in authentication, refer to How to Set Up the Rublon Authentication Proxy in High Availability Mode for step-by-step instructions on how to deploy the Auth Proxy in High Availability (HA) mode using a Load Balancer and two (or more) Proxy instances.
Start Rublon Authentication Proxy
Linux
Windows

Update Rublon Authentication Proxy
Linux
Windows
Uninstall Rublon Authentication Proxy
Linux
Windows
Troubleshooting
Related Posts
How to Set Up the Rublon Authentication Proxy in High Availability Mode
Configuring the Rublon Authentication Proxy as a RADIUS Proxy Server
Using Google Secure LDAP With Rublon Authentication Proxy
Authenticate LDAP and RADIUS With Microsoft Entra ID Credentials and MFA
Configuring the Rublon Authentication Proxy Secret Source – Environment Variables (env)
Configuring the Rublon Authentication Proxy Secret Source – Windows Credential Manager