On 08/04/2020 at 17:28, Luca Filipozzi wrote:
> reminder: I'm replying linearly and from what I know (keycloak, SAML and
> OIDC).
>
> On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
>> On 05/04/2020 at 20:46, Bastian Blank wrote:
>> I can help if you want to use lemonldap-ng (LLNG:
>> https://lemonldap-ng.org https://tracker.debian.org/pkg/lemonldap-ng)
>
> Cool.
>
>> This requires to change all services. Using a SSO is easier here:
>> gatekeeper (Keycloak) or handler (LLNG) permits to protect a web app
>> without having to change too many things. LLNG handlers are directly
>> included in Apache/Nginx configuration and provide HTTP headers to the
>> web app.
>
> Or Apache modules like mod-auth-openidc (OIDC) or mod-auth-mellon
> (SAML).

Hi,

LLNG handlers are Apache modules. The difference is that they don't only
manage authentication but also authorizations.

>> Other way, LLNG is able to be a proxy between OAuth (OpenID-Connect) and
>> any other SSO-language (CAS, SAML, OpenID-2) or handlers. The portal
>> then becomes transparent
>
> Keycloak, as a broker, is similar. Service provider can be using one
> protocol and the identity provider another.
>
>> It's easy to integrate GitLab in SSO using SAML (or OIDC). It is perhaps
>> safer to manage users elsewhere (custom app) and make GitLab a slave
>> of the SSO system. LLNG provides a plugin engine for that.
>
> Gitlab can use OIDC for OmniAuth, so it can authenticate against any
> OIDC-compliant IdP, LLNG and Keycloak included.
>
>> NB: Keycloak is free but this needs to stay on the latest version, else you
>> need RedHat-SSO support. LLNG is totally free, written in Perl and JS;
>> and Debian has a lot of Perl gurus ;-).
>
> Redhat has the distinction (thankfully) of not following a 'freemium'
> model (at least for Directory389 and Keycloak). The features available
> in RedHat SSO and Keycloak are identical. Redhat SSO lags behind
> Keycloak but may include fixes not yet ported to Keycloak. Keycloak is
> also totally free and, yes, is written in Java.
>
>> I can give some accounts to the demo platform: https://auth.openid.club/
>> [dev platform, so sometimes broken...] or install an instance on a Debian
>> machine if you want to try it.
>
> Please work with Michael Lustfield (IRC MTecknology) as he is also
> interested in setting up a Debian-specific instance of LLNG.

With pleasure!

>> Resume of proposition:
>> * all users managed by SSO;
>
> Agree!
>
>> * self-registration authorized with "-guest"
>> in a distinct LDAP branch
>
> More thought required but don't disagree.
>
>> * GitLab becomes a slave of SSO using SAML (or OIDC)
>
> Agree!
>
>> * other applications are protected by handlers/GateKeepers. If LLNG is
>> chosen, just add a few lines in Nginx configuration
>
> Agree and/or mod-auth-openidc/mod-auth-lemon, etc.
>
>> * new applications can be protected using handlers, SAML, CAS, OIDC,...
>
> Agree but with order of preference being OIDC, SAML and... way over
> there, almost too distant to see... CAS.

Of course, old protocol.

Choosing between handlers and federation protocols depends on how we want
to manage authorizations:
* centralized authorization: handlers (authorization managed by the manager
  application, websites are filtered globally or using regexp on URLs)
* managed in application: both ways

This is the choice to make (both ways are possible simultaneously).

>> <as usual, sorry for my poor English>
>
> Very helpful response!

Thanks ;-)

---
/me has worked for 15 years on Identity and Access Management (IAM) topics
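The "centralized authorization" model discussed in the thread, as an added illustration that is not part of the mailing-list exchange and not LLNG's own code or configuration format: a handler sitting in the web server evaluates an ordered list of regexp rules on the request path against the user's session attributes, a default rule catches everything else, and the handler exports identity headers to the backend application. The virtual host, the attribute names (uid, groups), the "-guest" suffix convention and the rule syntax are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    rule: str                                     # which rule decided (regexp text or "default")
    headers: dict = field(default_factory=dict)   # headers the backend will receive


# Constructed rule table, one entry per protected virtual host (assumed host name).
# Rules are evaluated in order; the first regexp matching the path decides.
# A pattern of None is the default rule that applies when nothing else matches.
LOCATION_RULES = {
    "wiki.example.org": [
        (re.compile(r"^/admin(/|$)"), lambda s: "sysadmin" in s["groups"]),
        (re.compile(r"^/public(/|$)"), lambda s: True),               # anonymous allowed
        (re.compile(r"^/guest(/|$)"), lambda s: s["uid"] is not None),  # any session
        # default: authenticated accounts that are not self-registered "-guest" accounts
        (None, lambda s: s["uid"] is not None and not s["uid"].endswith("-guest")),
    ],
}

# Headers exported to the backend for an authenticated session (assumed names).
# The backend trusts them only because the handler is the one setting them,
# so any copy of these headers arriving from the client is dropped first.
EXPORTED_HEADERS = {
    "wiki.example.org": {
        "Auth-User": lambda s: s["uid"],
        "Auth-Groups": lambda s: ";".join(sorted(s["groups"])),
    },
}

ANONYMOUS = {"uid": None, "groups": frozenset()}


def authorize(host, path, session, client_headers=None):
    """Handler-side decision for one request.

    session: attribute dict the SSO portal stored for the user's cookie, or
    None when the browser has no valid session.  client_headers: the headers
    as received from the browser.
    """
    rules = LOCATION_RULES.get(host)
    if rules is None:
        return Decision(False, "unknown-host")      # unknown host: deny closed
    session = session if session is not None else ANONYMOUS
    client_headers = dict(client_headers or {})
    exported = EXPORTED_HEADERS.get(host, {})
    reserved = {h.lower() for h in exported}

    for pattern, predicate in rules:
        if pattern is not None and not pattern.search(path):
            continue
        name = "default" if pattern is None else pattern.pattern
        if not predicate(session):
            return Decision(False, name)
        # First matching rule wins: strip client-supplied copies of the
        # exported headers, then set them from the session.
        forwarded = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
        if session["uid"] is not None:
            for header, fn in exported.items():
                forwarded[header] = fn(session)
        return Decision(True, name, forwarded)

    return Decision(False, "no-rule")               # no match, no default: deny closed


if __name__ == "__main__":
    alice = {"uid": "alice", "groups": frozenset({"sysadmin", "staff"})}
    guest = {"uid": "carol-guest", "groups": frozenset()}
    for host, path, sess in [("wiki.example.org", "/admin/users", alice),
                             ("wiki.example.org", "/", guest),
                             ("wiki.example.org", "/guest/area", guest),
                             ("wiki.example.org", "/public/index.html", None)]:
        d = authorize(host, path, sess, {"Auth-User": "client-supplied"})
        print(f"{path:20} -> {'allow' if d.allowed else 'deny ':5} by {d.rule} {d.headers}")
```

The application behind the handler never sees a request that the manager's rules rejected, and it reads the user's identity from the exported headers instead of speaking SAML or OIDC itself, which is why adding an application amounts to adding a rule block rather than changing the application. The header-stripping step is what makes that trust sound: the backend must be reachable only through the handler, and the handler must overwrite every header it exports.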