
Re: Salsa as authentication provider for Debian



reminder: I'm replying linearly and from what I know (keycloak, SAML and
OIDC).


On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
> On 05/04/2020 at 20:46, Bastian Blank wrote:
> I can help if you want to use lemonldap-ng (LLNG:
> https://lemonldap-ng.org https://tracker.debian.org/pkg/lemonldap-ng)

Cool.

> This requires to change all services. Using a SSO is easier here:
> gatekeeper (Keycloak) or handler (LLNG) permits to protect a web app
> without having to change too many things. LLNG handlers are directly
> included in Apache/Nginx configuration and provide HTTP headers to the
> web app.

Or Apache modules like mod-auth-openidc (OIDC) or mod-auth-mellon
(SAML).

> Other way, LLNG is able to be a proxy between OAuth (OpenID-Connect) and
> any other SSO-language (CAS, SAML, OpenID-2) or handlers. The portal
> then becomes transparent.

Keycloak, as a broker, is similar. The service provider can use one
protocol and the identity provider another.

> It's easy to integrate GitLab in SSO using SAML (or OIDC). It is perhaps
> safer to manage users elsewhere (custom app) and make GitLab a slave
> of the SSO system. LLNG provides a plugin engine for that.

Gitlab can use OIDC for OmniAuth, so it can authenticate against any
OIDC-compliant IdP, LLNG and Keycloak included.

> NB: Keycloak is free but this needs to stay on the latest version, else you
> need a RedHat-SSO support. LLNG is totally free, written in Perl and JS;
> and Debian has a lot of Perl-Gurus ;-).

Redhat has the distinction (thankfully) of not following a 'freemium'
model (at least for Directory389 and Keycloak). The features available
in RedHat SSO and Keycloak are identical. Redhat SSO lags behind
Keycloak but may include fixes not yet ported to Keycloak. Keycloak is
also totally free and, yes, is written in Java.

> I can give some accounts to demo platform: https://auth.openid.club/
> [dev platform, so sometimes broken...] or install an instance in a Debian
> machine if you want to try it.


Please work with Michael Lustfield (IRC MTecknology) as he is also
interested in setting up a Debian-specific instance of LLNG.

> Resume of proposition:
>  * all users managed by SSO;

Agree!

>  * self-registration authorized with "-guest"
>    in a distinct LDAP branch

More thought required but don't disagree.

>  * GitLab becomes a slave of SSO using SAML (or OIDC)

Agree!

>  * other applications are protected by handlers/GateKeepers. If LLNG is
>    chosen, just add a few lines to the Nginx configuration

Agree and/or mod-auth-openidc/mod-auth-lemon, etc.

>  * new applications can be protected using handlers, SAML, CAS, OIDC,...

Agree but with order of preference being OIDC, SAML and... way over
there, almost too distant to see... CAS.

> <as usual, sorry for my poor English>

Very helpful response!

-- 
Luca Filipozzi
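The handler/gatekeeper pattern discussed in this thread (an SSO component in front of Apache or Nginx authenticates the user and passes the identity to the web app as HTTP headers) has one check the protected application must make: accept those identity headers only when they were set by the proxy, never from a client that reaches the app directly and supplies its own. The example below, added here and not code from LLNG, Keycloak, GitLab or the Debian project, models both sides: what the proxy must do to the headers it forwards, and what the app must verify before believing them. The header names, the shared proxy token, the addresses and the sample requests are all constructed assumptions.

```python
"""Trusting SSO identity headers only when they really come from the proxy.

Hypothetical example (not LLNG/Keycloak code). Assumed conventions:
  X-Remote-User / X-Remote-Groups  set by the handler for the app
  X-Proxy-Token                    shared secret the proxy adds to every
                                   request it forwards (constructed value)
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass

PROXY_TOKEN = "constructed-shared-secret"          # also configured on the proxy
TRUSTED_PROXIES = {"127.0.0.1", "10.0.0.5"}        # constructed proxy addresses
IDENTITY_HEADERS = ("x-remote-user", "x-remote-groups", "x-proxy-token")


@dataclass(frozen=True)
class Identity:
    user: str
    groups: tuple[str, ...]


class Untrusted(Exception):
    """Identity headers cannot be attributed to the SSO handler."""


def proxy_forward(client_headers: dict[str, str], user: str,
                  groups: tuple[str, ...]) -> dict[str, str]:
    """Model of the proxy side: drop any identity headers the client sent,
    then set the proxy's own values. A real handler does this with
    proxy_set_header / the handler's header export, which always overwrites."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in IDENTITY_HEADERS}
    forwarded["X-Remote-User"] = user
    forwarded["X-Remote-Groups"] = ",".join(groups)
    forwarded["X-Proxy-Token"] = PROXY_TOKEN
    return forwarded


def identity_from_headers(headers: dict[str, str], remote_addr: str) -> Identity:
    """App side: believe X-Remote-* only from a trusted proxy address that
    also presents the shared token; otherwise raise Untrusted."""
    h = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    if remote_addr not in TRUSTED_PROXIES:
        raise Untrusted(f"request from {remote_addr} did not traverse the proxy")
    # Constant-time comparison so the token check leaks nothing through timing.
    if not hmac.compare_digest(h.get("x-proxy-token", ""), PROXY_TOKEN):
        raise Untrusted("missing or wrong proxy token")
    user = h.get("x-remote-user", "").strip()
    if not user:
        raise Untrusted("proxy forwarded no authenticated user")
    groups = tuple(g.strip() for g in h.get("x-remote-groups", "").split(",") if g.strip())
    return Identity(user=user, groups=groups)


def handle_request(headers: dict[str, str], remote_addr: str) -> tuple[int, str]:
    """Minimal app handler: 200 with a greeting for a proxied identity,
    401 for anything the app cannot attribute to the handler."""
    try:
        ident = identity_from_headers(headers, remote_addr)
    except Untrusted as exc:
        return 401, f"unauthenticated: {exc}"
    return 200, f"hello {ident.user} ({', '.join(ident.groups) or 'no groups'})"


if __name__ == "__main__":
    # Constructed sample: a client tries to supply its own identity header.
    client = {"Host": "app.example", "X-Remote-User": "root"}
    print(handle_request(client, "203.0.113.9"))                    # direct: 401
    via_proxy = proxy_forward(client, "xavier-guest", ("guests",))
    print(handle_request(via_proxy, "10.0.0.5"))                     # proxied: 200
```

The Python models the rule; in a deployment the proxy half is configuration, for instance an Nginx `proxy_set_header X-Remote-User ...` (which overwrites whatever the client sent) or mod_auth_openidc's `OIDCPassClaimsAs headers`, while the app keeps only the address and token checks shown in `identity_from_headers`. Restricting which addresses may reach the app (firewall or listen address) is the simplest way to make the first check hold.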
