
Re: Salsa as authentication provider for Debian



On Fri, Apr 10, 2020 at 11:48:22AM -0400, Sam Hartman wrote:
> * I was right.  Gitlab can work as an identity broker.  They
>   generally have people use keycloak to log into gitlab.  However, there
>   is one common app where it was easier to set up that app to consume
>   gitlab than keycloak so they did.

My point is that an SP shouldn't be an IdP nor an IdB. We should
separate these concerns.

> * This organization does not use keycloak to host accounts.  That is,
>   all the accounts are stored something else.  There are no locally
>   created keycloak accounts.

When operating as an IdB, there's always a local 'account'
representation in keycloak's DB. It contains the record that ties a
user to IdPs, and exposes a single user representation to service
providers. A user might start their journey using a social identity and
then switch to a Debian identity.

Debian LDAP
   |
   |
Debian IdP  --+ +-- Social IdP2
              | |
              IdB ----- Service Providers
              | |
Social IdP1 --+ +-- Social IdP3

(Sam: Above is an ASCII art diagram showing that Debian IdP and Social
IdPs would be tied into the IdB.)

That's different than enabling "local account", which we could leave
off. That would mean people would need a social identity to start with.

That said, keycloak does have a local user onboarding flow.

> * On the call, our suspicion is that gitlab is going to do a better job
>   of account lifecycle management than keycloak, but again, the
>   organization in question has not tried that with keycloak.  It seems
>   that having local accounts in Keycloak is not one of its most polished
>   features.  But again,  this is a guess without explicit experience.

I'd say that a proof of concept is needed.

> * Note that if you want to you can host accounts in gitlab and have
>   keycloak act as an OIDC consumer for gitlab.  So, if you decide you
>   like Gitlab as an IDP but find you need Keycloak's transformations,
>   you can have people login to Keycloak using their Gitlab accounts.

I reiterate my point about an SP being an IdP. I don't view using
Debian's Gitlab as an IdP to be a prudent move.

-- 
Luca Filipozzi
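The broker-side model described in this message (one local record in the IdB that ties a person to several upstream IdPs, while each SP sees a single stable user) as an added Python sketch. This is example code, not code from the thread or from Keycloak; the class and method names (IdentityBroker, federated_login, link_identity, subject_for_sp) are invented for illustration, and the upstream assertion is assumed to have already been verified by the OIDC/SAML layer.

```python
from dataclasses import dataclass, field
import hashlib
import uuid


@dataclass
class BrokeredUser:
    # The broker's own record for one person. It stores no password; it only
    # ties that person's identities at one or more IdPs to a stable local id.
    local_id: str
    email: str
    linked: set = field(default_factory=set)   # {(idp, external_subject), ...}


class IdentityBroker:
    """Hypothetical IdB: accepts logins from explicitly trusted IdPs, keeps one
    local representation per person, and hands SPs a stable pairwise subject."""

    def __init__(self, trusted_idps):
        self.trusted_idps = set(trusted_idps)   # only configured IdPs are accepted
        self.users = {}                         # local_id -> BrokeredUser
        self.links = {}                         # (idp, external_subject) -> local_id

    def federated_login(self, idp, external_subject, email):
        """Process an assertion from an upstream IdP (assumed already verified
        by the protocol layer). Returns the local user, creating it on first use."""
        if idp not in self.trusted_idps:
            raise PermissionError(f"assertion from untrusted IdP {idp!r}")
        key = (idp, external_subject)
        if key in self.links:
            return self.users[self.links[key]]
        # First login through this IdP: create the local representation.
        user = BrokeredUser(local_id=str(uuid.uuid4()), email=email)
        user.linked.add(key)
        self.users[user.local_id] = user
        self.links[key] = user.local_id
        return user

    def link_identity(self, local_id, idp, external_subject):
        """Attach an additional IdP identity to an existing local user, e.g. a
        person who started with a social login and now adds a Debian identity.
        Only call this for the user who owns the current authenticated session."""
        if idp not in self.trusted_idps:
            raise PermissionError(f"cannot link identity at untrusted IdP {idp!r}")
        key = (idp, external_subject)
        owner = self.links.get(key)
        if owner is not None and owner != local_id:
            # Refuse to silently merge two different people's accounts.
            raise ValueError("external identity already bound to another local user")
        self.users[local_id].linked.add(key)
        self.links[key] = local_id

    def subject_for_sp(self, local_id, sp_id):
        """Pairwise subject handed to an SP: stable for one user at one SP,
        not correlatable across SPs, and independent of which IdP was used.
        (A production broker would also mix in a secret salt.)"""
        digest = hashlib.sha256(f"{sp_id}:{local_id}".encode()).hexdigest()
        return digest[:32]


if __name__ == "__main__":
    # Constructed walk-through: social login first, Debian identity linked later.
    broker = IdentityBroker(["social-idp1", "debian-idp"])
    alice = broker.federated_login("social-idp1", "alice@social", "alice@example.org")
    broker.link_identity(alice.local_id, "debian-idp", "alice")
    again = broker.federated_login("debian-idp", "alice", "alice@example.org")
    print(again.local_id == alice.local_id)          # same local user either way
    print(broker.subject_for_sp(alice.local_id, "salsa"))
```

The point of the sketch is that the "local account" in the broker is unavoidable: it is the join record, not a credential store. Turning off local onboarding only removes the ability to create that record without first authenticating at some upstream IdP.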

