Re: Salsa as authentication provider for Debian
Hi. Speaking very much as an individual.
I just spoke to someone who runs a keycloak and gitlab instance for a
group of about 1000 users.
I wanted to inject their experience into the discussion, because having
operational experience is useful in such situations.
* The thing they like about keycloak is the same thing people have
mentioned here: it's a great identity broker. It's really good at
that, good at giving you all the options you might need.
* It works well with LDAP/AD/whatever account store you have.
* I was right. Gitlab can work as an identity broker. They
generally have people use keycloak to log into gitlab. However, there
is one common app where it was easier to set up that app to consume
gitlab than keycloak so they did.
* Gitlab is more limited in what it can do as an IDP or ID broker. If
it meets your needs, that's great; if not you may need something like
keycloak.
* Migrating from gitlab to keycloak should not be a problem provided
that you think about what you're going to use as primary keys so that
accounts remain linked across the migration on the consumer side.
* This organization does not use keycloak to host accounts. That is,
all the accounts are stored somewhere else. There are no locally
created keycloak accounts.
* On the call, our suspicion is that gitlab is going to do a better job
of account lifecycle management than keycloak, but again, the
organization in question has not tried that with keycloak. It seems
that having local accounts in Keycloak is not one of its most polished
features. But again, this is a guess without explicit experience.
* Note that if you want to you can host accounts in gitlab and have
keycloak act as an OIDC consumer for gitlab. So, if you decide you
like Gitlab as an IDP but find you need Keycloak's transformations,
you can have people log in to Keycloak using their Gitlab accounts.
* We did not discuss security. Neither of us had audited either
product.
--Sam
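As an added illustration of the "primary keys across the migration" point above (example code, not from the mail or from either project): a consumer-side account table keyed on a claim both IdPs emit unchanged, with the (iss, sub) pair kept only as a link, so the same person resolves to one account before and after the switch. Issuer URLs, subject values and the `preferred_username` claim are assumptions for the example.

```python
# Added example (not from Sam's mail or either project): a consumer-side
# account table that survives an IdP migration because it is keyed on a
# claim both IdPs emit unchanged, not on the issuer-specific (iss, sub) pair.
# Issuer URLs and claim values below are constructed placeholders.

GITLAB_ISS = "https://gitlab.example/"              # old IdP (placeholder)
KEYCLOAK_ISS = "https://keycloak.example/realms/x"  # new IdP (placeholder)


class AccountStore:
    def __init__(self, trusted_issuers):
        # Only issuers on this allowlist may claim an existing account;
        # auto-linking on a username asserted by an arbitrary issuer would
        # let that issuer take over accounts just by naming them.
        self.trusted = set(trusted_issuers)
        self.accounts = {}  # migration-safe key -> account record
        self.links = {}     # (iss, sub) -> migration-safe key

    def resolve(self, claims):
        iss, sub = claims["iss"], claims["sub"]
        if iss not in self.trusted:
            raise ValueError(f"untrusted issuer: {iss}")
        link = (iss, sub)
        if link in self.links:
            return self.accounts[self.links[link]]
        # The key both IdPs agree on. It must be unique and never reused by
        # either IdP; email is avoided because users can change it.
        key = claims["preferred_username"]
        acct = self.accounts.setdefault(key, {"key": key, "links": []})
        acct["links"].append(link)
        self.links[link] = key
        return acct


def naive_account_count(logins):
    """How many accounts a consumer keyed on (iss, sub) alone would end up with."""
    return len({(c["iss"], c["sub"]) for c in logins})


def migration_demo():
    """Same person logs in via GitLab, then via Keycloak after the switch."""
    logins = [
        {"iss": GITLAB_ISS, "sub": "1234", "preferred_username": "sam"},
        {"iss": KEYCLOAK_ISS, "sub": "7f0a-constructed", "preferred_username": "sam"},
    ]
    store = AccountStore([GITLAB_ISS, KEYCLOAK_ISS])
    records = [store.resolve(c) for c in logins]
    # (accounts in the stable-key store, accounts a naive store would hold,
    #  whether both logins resolved to the same record)
    return len(store.accounts), naive_account_count(logins), records[0] is records[1]
```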