Re: Salsa as authentication provider for Debian
On 07/04/2020 at 18:50, Sam Hartman wrote:
>>>>>> "Xavier" == Xavier <yadd@debian.org> writes:
>
> Xavier> On 07/04/2020 at 17:20, Paul Wise wrote:
> >> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
> >>
> >>> ## Highlevel plan
> >>
> >> I'd like to learn a bit about what the effects for Debian account
> >> holders and service admins will be.
> >>
> >>> - Salsa becomes primary source of user info and authentication
> >>> for secondary services via OpenID Connect (OAuth2), for both DDs
> >>> and non-DDs, replacing sso.debian.org.
> >>
> >> It sounds like the answer is no, but does Salsa, Keycloak or
> >> LemonLDAP::NG support TLS client certs?
>
> Xavier> LLNG and Keycloak support TLS authentication, 2FA,... See
> Xavier> https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
> Xavier> for a complete list of LLNG supported authentication
> Xavier> mechanisms
>
> I authenticate using TLS to the SSO server.
> But then I use http redirects or JSON tokens to authenticate to the
> protected app, right?
Hi,
Yes, or secured-cookie. OIDC or SAML share the authentication level with
applications. With LLNG ≥ 2.0, you can restrict OIDC/SAML using a rule
(which can read auth level). Handlers apply the rule given by LLNG so
they can require a strong level or not.
> llng does not end up being a short-lived CA like the current
> sso.debian.org
The SSL handshake is done by the portal web server, so you have the same
features as with any web server.