On 07/04/2020 at 18:50, Sam Hartman wrote:
>>>>>> "Xavier" == Xavier <y...@debian.org> writes:
>
>     Xavier> On 07/04/2020 at 17:20, Paul Wise wrote:
>     >> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
>     >>
>     >>> ## Highlevel plan
>     >>
>     >> I'd like to learn a bit about what the effects for Debian account
>     >> holders and service admins will be.
>     >>
>     >>> - Salsa becomes primary source of user info and authentication
>     >>> for secondary services via OpenID Connect (OAuth2), for both DDs
>     >>> and non-DDs, replacing sso.debian.org.
>     >>
>     >> It sounds like the answer is no, but does Salsa, Keycloak or
>     >> LemonLDAP::NG support TLS client certs?
>
>     Xavier> LLNG and Keycloak support TLS authentication, 2FA, ... See
>     Xavier> https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
>     Xavier> for a complete list of LLNG supported authentication
>     Xavier> mechanisms
>
> I authenticate using TLS to the SSO server.
> But then I use http redirects or JSON tokens to authenticate to the
> protected app, right?
Hi,

Yes, or a secured cookie. OIDC or SAML share the authentication level with applications. With LLNG ≥ 2.0, you can restrict OIDC/SAML using a rule (which can read the auth level). Handlers apply the rule given by LLNG, so they can require a strong level or not.

> llng does not end up being a short-lived CA like the current
> sso.debian.org

The SSL handshake is done by the portal web server, so you have the same features as with any web server.
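As an added illustration (not LemonLDAP::NG's own code, and not part of this thread), the following Python model shows the mechanism the reply describes: the portal records which authentication method established the session as a numeric level, and a handler in front of a protected application applies a rule that reads that level, so an application can insist on TLS-client-cert or 2FA sessions while others accept a plain password. The rule syntax `$authenticationLevel >= N` mirrors the form LLNG rules take; the level numbers, the `Session` class and the `handler_decision` helper are assumptions made for the example, and the sessions below are constructed.

```python
import re
from dataclasses import dataclass

# Assumed per-mechanism authentication levels (constructed for this example;
# a real deployment assigns its own values per authentication module).
AUTH_LEVELS = {
    "ldap-password": 2,
    "tls-client-cert": 5,
    "password+2fa": 6,
}


@dataclass
class Session:
    """Minimal stand-in for an SSO session: who logged in and how."""
    uid: str
    auth_method: str

    @property
    def authentication_level(self) -> int:
        # The portal stores the level reached at login; handlers read it later.
        return AUTH_LEVELS[self.auth_method]


# Accept rules of the form "$authenticationLevel >= N" (also > and ==).
RULE_RE = re.compile(r"^\$authenticationLevel\s*(>=|>|==)\s*(\d+)$")


def evaluate_rule(rule: str, session: Session) -> bool:
    """Evaluate an LLNG-style level rule against the session; unknown syntax is rejected."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    op, threshold = m.group(1), int(m.group(2))
    level = session.authentication_level
    return {
        ">=": level >= threshold,
        ">": level > threshold,
        "==": level == threshold,
    }[op]


def handler_decision(rule: str, session: Session) -> str:
    """What the handler does for an authenticated session.

    'allow'   -> the session satisfies the application's rule
    'upgrade' -> a valid session exists but is too weak for this application;
                 the user is sent back to the portal to authenticate more strongly
    """
    return "allow" if evaluate_rule(rule, session) else "upgrade"


if __name__ == "__main__":
    strong_app_rule = "$authenticationLevel >= 5"   # e.g. requires TLS cert or 2FA
    for method in AUTH_LEVELS:
        s = Session(uid="alice", auth_method=method)
        print(f"{method:16s} level={s.authentication_level} -> {handler_decision(strong_app_rule, s)}")
```

The point for a service admin is that the choice of transport between portal and application (cookie, redirect, or token) does not decide how strongly the user was authenticated; the level carried in the session does, and the per-application rule is where that requirement is enforced.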