
Identity & Access

MFA, SSO, and conditional access for cloud, on-prem, and legacy applications.

Included vendors: miniOrange

Overview

Why Identity & Access needs proper tools — and what that looks like.

01. Why it matters

Identity is now the perimeter. Remote work killed the network-based one. Every breach report for the last five years starts with a compromised credential — almost always one without MFA on something old that 'we were going to migrate.'

The VDI gateway, the RDP jump box, the legacy CRM with no SAML support — these are where attackers spend their time. The organizations that patch this systematically are the ones that don't appear in the quarterly breach headlines.

02. What good looks like

MFA on every VDI entry point, every RDP gateway, every legacy app — with the method chosen per risk profile, not by what's cheapest. SSO for the 40 line-of-business tools that never got modern auth.

Adaptive policy that tightens for privileged users and relaxes for low-risk ones. One identity provider as source of truth, federating to everything downstream. FIDO2 keys for admins and push MFA for everyone else, managed from one console.

03. Pitfalls without the right tools

MFA everywhere except the last mile — the legacy app, the vendor portal, the on-prem admin interface — which is exactly where the attacker lives. Helpdesk calls from users bouncing between six unrelated login screens, reusing the same password because it's the only way to function.

Audit findings every year for the same service account that never got rotated. A 'zero-trust' project that stalled because three apps couldn't be federated and nobody wanted to rewrite them.

What we deliver

Use cases

UC-01: MFA for VDI entry points

miniOrange MFA on RDP, AVD, Citrix StoreFront and Horizon Connection Servers.

UC-02: SSO for legacy apps

Adaptive auth for apps with no modern SSO support — header injection, form-fill, SAML bridge.

UC-03: Conditional access

Risk-based policies on device posture, geo, and time-of-day.

UC-04: Directory federation

Hybrid AD/Entra with consistent policy across cloud and on-prem.

Typical outcomes

What partners measure.

15+: MFA methods supported (TOTP, push, FIDO2…)

1 hr: Deploy MFA on RDP/AVD gateway

Any app: SAML, OIDC, header, form, bridge

ISO27001: Compliance-ready out of the box

How we deliver

Our approach

  1. Audit

    Map your current AD and Entra directories, SSO apps and the set of legacy apps that never got modern auth.

  2. Pilot

    Deploy miniOrange MFA on one VDI gateway or Citrix StoreFront. Validate with 20 users across roles.

  3. Roll out

    Extend MFA to every VDI entry point + legacy app, using the right method per persona: push for staff, FIDO2 for privileged.

  4. Operate

    Quarterly access reviews, MFA method adjustments and policy tuning against new threat intel.

Questions we hear

FAQs

Can we put MFA on legacy RDP gateways that don't natively support it?

Yes. The miniOrange RDP gateway agent intercepts auth before the broker and injects a second factor — no RDP client or Windows-side change needed.

Does this work with Microsoft Entra ID as our identity source?

Yes. Native SAML and OIDC federation — Entra stays the identity store, miniOrange adds MFA and adaptive policy on top.

Are FIDO2 security keys supported for privileged users?

Yes. FIDO2 (YubiKey, Feitian) alongside TOTP, push, SMS, hardware tokens — 15+ methods, user-selectable per policy.

How do we SSO an internal app with no SAML support?

Three fallbacks: header injection for proxied apps, form-fill for browser-based auth, and a SAML bridge that wraps legacy protocols in a modern flow.
