
Re: Salsa as authentication provider for Debian



On 07/04/2020 at 18:50, Sam Hartman wrote:
>>>>>> "Xavier" == Xavier  <yadd@debian.org> writes:
> 
>     Xavier> On 07/04/2020 at 17:20, Paul Wise wrote:
>     >> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
>     >> 
>     >>> ## Highlevel plan
>     >> 
>     >> I'd like to learn a bit about what the effects for Debian account
>     >> holders and service admins will be.
>     >> 
>     >>> - Salsa becomes primary source of user info and authentication
>     >>> for secondary services via OpenID Connect (OAuth2), for both DDs
>     >>> and non-DDs, replacing sso.debian.org.
>     >> 
>     >> It sounds like the answer is no, but does Salsa, Keycloak or
>     >> LemonLDAP::NG support TLS client certs?
> 
>     Xavier> LLNG and Keycloak support TLS authentication, 2FA,... See
>     Xavier> https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
>     Xavier> for a complete list of LLNG supported authentication
>     Xavier> mechanisms
> 
> I authenticate using TLS to the SSO server.
> But then I use http redirects or JSON tokens to authenticate to the
> protected app, right?

Hi,

Yes, or a secured cookie. OIDC or SAML share the authentication level with
applications. With LLNG ≥ 2.0, you can restrict OIDC/SAML using a rule
(which can read the auth level). Handlers apply the rule given by LLNG, so
they can require a strong level or not.

> llng does not end up being a short-lived CA like the current
> sso.debian.org

The SSL handshake is done by the portal web server, so you have the same
features as with any web server.
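As an added illustration of the mechanism Xavier describes (the portal assigns each session an authentication level, and per-application rules evaluated by the handlers can demand a minimum level), here is a small Python model. It is example code written for this page, not LLNG's or Debian's code; the level numbers, application names, rule format and the `loa-N` acr-style mapping are assumptions constructed for the example.

```python
"""Illustrative model (not LLNG's own code) of per-application
authentication-level rules. Level values, application names and the
rule format below are constructed for this example."""
from dataclasses import dataclass, field

# Constructed levels: the portal assigns one to each session depending on
# how the user authenticated (password vs. TLS client certificate).
LEVEL_PASSWORD = 2
LEVEL_TLS_CLIENT_CERT = 5


@dataclass(frozen=True)
class Session:
    uid: str
    authentication_level: int
    groups: frozenset = field(default_factory=frozenset)


# Per-application rules; "min_level" is what lets an application insist on
# strong authentication even though the SSO session itself is shared.
RULES = {
    "wiki": {"min_level": LEVEL_PASSWORD},
    "keyring": {"min_level": LEVEL_TLS_CLIENT_CERT},
    "dd-only": {"min_level": LEVEL_TLS_CLIENT_CERT, "groups": {"dd"}},
}


def handler_decision(app: str, session: Session) -> str:
    """Decide what the handler in front of `app` does with this session.

    Returns "allow", "step-up" (send the user back to the portal to
    authenticate more strongly) or "deny".
    """
    rule = RULES.get(app)
    if rule is None:
        return "deny"                      # unknown application: fail closed
    if session.authentication_level < rule["min_level"]:
        return "step-up"                   # authenticated, but not strongly enough
    required = rule.get("groups", set())
    if required and not required & session.groups:
        return "deny"                      # strong enough, but not authorized
    return "allow"


def authn_context_claim(session: Session) -> str:
    """Constructed mapping of the level to an OIDC-style acr value, so a
    relying party can see how the user authenticated at the portal."""
    return f"loa-{session.authentication_level}"
```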
