reminder: I'm replying linearly and from what I know (keycloak, SAML and OIDC).
On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
> On 05/04/2020 at 20:46, Bastian Blank wrote:
> I can help if you want to use lemonldap-ng (LLNG:
> https://lemonldap-ng.org https://tracker.debian.org/pkg/lemonldap-ng)

Cool.

> This requires changing all services. Using an SSO is easier here: a
> gatekeeper (Keycloak) or handler (LLNG) permits protecting a web app
> without having to change too many things. LLNG handlers are directly
> included in the Apache/Nginx configuration and provide HTTP headers to the
> web app.

Or Apache modules like mod-auth-openidc (OIDC) or mod-auth-mellon (SAML).

> Another way: LLNG is able to be a proxy between OAuth (OpenID-Connect) and
> any other SSO language (CAS, SAML, OpenID-2) or handlers. The portal
> then becomes transparent.

Keycloak, as a broker, is similar. A service provider can be using one protocol and the identity provider another.

> It's easy to integrate GitLab in SSO using SAML (or OIDC). It is perhaps
> safer to manage users elsewhere (custom app) and make GitLab a slave
> of the SSO system. LLNG provides a plugin engine for that.

GitLab can use OIDC for OmniAuth, so it can authenticate against any OIDC-compliant IdP, LLNG and Keycloak included.

> NB: Keycloak is free but this needs to stay on the latest version, else you
> need RedHat-SSO support. LLNG is totally free, written in Perl and JS;
> and Debian has a lot of Perl gurus ;-).

Redhat has the distinction (thankfully) of not following a 'freemium' model (at least for Directory389 and Keycloak). The features available in RedHat SSO and Keycloak are identical. Redhat SSO lags behind Keycloak but may include fixes not yet ported to Keycloak. Keycloak is also totally free and, yes, is written in Java.

> I can give some accounts to the demo platform: https://auth.openid.club/
> [dev platform, so sometimes broken...] or install an instance on a Debian
> machine if you want to try it.

Please work with Michael Lustfield (IRC MTecknology) as he is also interested in setting up a Debian-specific instance of LLNG.

> Summary of the proposition:
> * all users managed by SSO;

Agree!

> * self-registration authorized with "-guest"
> in a distinct LDAP branch

More thought required but don't disagree.

> * GitLab becomes a slave of SSO using SAML (or OIDC)

Agree!

> * other applications are protected by handlers/GateKeepers. If LLNG is
> chosen, just add a few lines in the Nginx configuration

Agree and/or mod-auth-openidc/mod-auth-lemon, etc.

> * new applications can be protected using handlers, SAML, CAS, OIDC,...

Agree but with order of preference being OIDC, SAML and... way over there, almost too distant to see... CAS.

> <as usual, sorry for my poor English>

Very helpful response!

-- 
Luca Filipozzi