
Re: Salsa as authentication provider for Debian



On 08/04/2020 at 17:28, Luca Filipozzi wrote:
> reminder: I'm replying linearly and from what I know (keycloak, SAML and
> OIDC).
> 
> 
> On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
>> On 05/04/2020 at 20:46, Bastian Blank wrote:
>> I can help if you want to use lemonldap-ng (LLNG:
>> https://lemonldap-ng.org https://tracker.debian.org/pkg/lemonldap-ng)
> 
> Cool.
> 
>> This requires changing all services. Using an SSO is easier here:
>> a gatekeeper (Keycloak) or handler (LLNG) permits protecting a web app
>> without having to change too many things. LLNG handlers are directly
>> included in the Apache/Nginx configuration and provide HTTP headers to
>> the web app.
> 
> Or Apache modules like mod-auth-openidc (OIDC) or mod-auth-mellon
> (SAML).

Hi,

LLNG handlers are Apache modules. The difference is that they don't only
manage authentication but also authorization.

>> Alternatively, LLNG can act as a proxy between OAuth (OpenID-Connect) and
>> any other SSO language (CAS, SAML, OpenID-2) or handlers. The portal
>> then becomes transparent.
> 
> Keycloak, as a broker, is similar. Service provider can be using one
> protocol and the identity provider another.
> 
>> It's easy to integrate GitLab in SSO using SAML (or OIDC). It is perhaps
>> safer to manage users elsewhere (custom app) and make GitLab a slave
>> of the SSO system. LLNG provides a plugin engine for that.
> 
> GitLab can use OIDC for OmniAuth, so it can authenticate against any
> OIDC-compliant IdP, LLNG and Keycloak included.
> 
>> NB: Keycloak is free but it needs to stay on the latest version, else you
>> need RedHat-SSO support. LLNG is totally free, written in Perl and JS;
>> and Debian has a lot of Perl gurus ;-).
> 
> Redhat has the distinction (thankfully) of not following a 'freemium'
> model (at least for Directory389 and Keycloak). The features available
> in RedHat SSO and Keycloak are identical. Redhat SSO lags behind
> Keycloak but may include fixes not yet ported to Keycloak. Keycloak is
> also totally free and, yes, is written in Java.
> 
>> I can give some accounts on the demo platform: https://auth.openid.club/
>> [dev platform, so sometimes broken...] or install an instance on a Debian
>> machine if you want to try it.
> 
> 
> Please work with Michael Lustfield (IRC MTecknology) as he is also
> interested in setting up a Debian-specific instance of LLNG.

With pleasure!

>> Summary of the proposal:
>>  * all users managed by SSO;
> 
> Agree!
> 
>>  * self-registration authorized with "-guest"
>>    in a distinct LDAP branch
> 
> More thought required but don't disagree.
> 
>>  * GitLab becomes a slave of SSO using SAML (or OIDC)
> 
> Agree!
> 
>>  * other applications are protected by handlers/GateKeepers. If LLNG is
>>    chosen, just add a few lines in the Nginx configuration
> 
> Agree and/or mod-auth-openidc/mod-auth-lemon, etc.
> 
>>  * new applications can be protected using handlers, SAML, CAS, OIDC,...
> 
> Agree but with order of preference being OIDC, SAML and... way over
> there, almost too distant to see... CAS.

Of course, it's an old protocol.

Choosing between handlers and federation protocols depends on how we
want to manage authorization:
 * centralized authorization: handlers (authorization managed by the manager
   application, websites are filtered globally or using regexps on URLs)
 * managed in the application: both ways

This is the choice to make (both ways are possible simultaneously).

>> <as usual, sorry for my poor English>
> 
> Very helpful response!

Thanks ;-)

---
/me has worked for 15 years on Identity and Access Management (IAM) topics
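As an added illustration of the "centralized authorization" option discussed above (a handler in front of the application, rules selected by regexp on the URL, session attributes handed to the app as HTTP headers), here is a small model of such a handler. This is example code written for this thread, not LLNG's or Keycloak's own implementation; the session store, vhost policy, group names and header names are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed session store, standing in for what the SSO portal creates at login.
SESSIONS = {
    "sid-alice": {"uid": "alice", "mail": "alice@example.org", "groups": {"dd"}},
    "sid-bob": {"uid": "bob-guest", "mail": "bob@example.net", "groups": {"guest"}},
}

PUBLIC = object()  # marker rule: URL is served without any session


def in_group(name):
    return lambda session: name in session["groups"]


# Hypothetical policy for one protected vhost: ordered (URL regexp, rule)
# pairs, a default rule, and the session attributes exported as headers.
WIKI = {
    "rules": [
        (re.compile(r"^/static/"), PUBLIC),
        (re.compile(r"^/admin(/|$)"), in_group("dd")),
        (re.compile(r"^/guest-area(/|$)"), lambda session: True),
    ],
    "default": in_group("dd"),
    "headers": {"Auth-User": "uid", "Auth-Mail": "mail"},
}


def handle(vhost, cookie, url, client_headers):
    """Decide as a handler would: (status, headers forwarded to the app)."""
    # Normalize before matching so "/guest-area/../admin" hits the /admin rule,
    # and drop the query string so it cannot influence rule selection.
    path = posixpath.normpath(urlsplit(url).path)
    rule = vhost["default"]
    for pattern, candidate in vhost["rules"]:
        if pattern.match(path):
            rule = candidate
            break
    # The handler is authoritative for the exported headers: strip any copy
    # the client sent so the application cannot be fed a forged identity.
    exported = {h.lower() for h in vhost["headers"]}
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in exported}
    if rule is PUBLIC:
        return 200, forwarded
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, {}  # no valid session: send the user to the portal
    if not rule(session):
        return 403, {}  # authenticated but not authorized for this URL
    forwarded.update({h: session[a] for h, a in vhost["headers"].items()})
    return 200, forwarded
```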

