Hi Bryce, glad of your interest in Apache Syncope.
See my replies embedded below.
Regards.

On 2016-04-23 21:56 Nordgren, Bryce L -FS wrote:
> Hi,
>
> I'm trying to set up a hybrid desktop/web identity solution outside the
> corporate firewall. I'm essentially an end user and this is well outside my
> normal wheelhouse. I gather (from
> http://syncope.apache.org/iam-scenario.html) that Syncope can be used to
> coordinate multiple identity technologies.

That's correct.

> Roughly, here is what I was thinking so far. Please correct my ignorance.
>
> · Identities (people) and possibly some groups are centralized
>   nationally, machines/services are defined locally
>
>   * Authorization is local to the machine/service/application (not Syncope's
>     problem)
>   * Desktop authentication is via Active Directory (Win) or FreeIPA
>     (Linux/Mac); Kerberos-based
>   * Web authentication via Gluu
>
> · Likely authentication methods:
>
>   o PIV smartcard (web or desktop; employees only)
>   o Username/password (web or desktop; employees and partners)
>   o "Social" accounts (Google, Facebook, ORCID): (web only; employees and
>     partners)
>
> As I understand it, Syncope would act as a central registry of users, and I
> would need it to perform a two-way sync to both AD and Gluu. So the first
> question would be: Is my understanding correct so far, and is Syncope a good
> fit?

Definitely so: I am not very familiar with Gluu, but we've been implementing
similar requirements with CAS.

Essentially, you need to configure several external resources in Apache
Syncope: one for Active Directory (ConnId connector: stable, feature-rich), one
for Gluu (I guess that the well-known ConnId LDAP connector can fit the job) and
one for FreeIPA (ConnId connector available but not very widely adopted yet, may
need additional testing).

The only point I would urge to highlight is that you cannot extract password
values out of Active Directory, so you'll have to consider that self-service
operations need to be performed either via Syncope Enduser or via any 3rd party
app relying on Syncope's RESTful interface.

> My second question is: allowing login from social accounts leads to "one
> person, many accounts". Does Syncope have a way to recognize that my AD
> account and my Google account belong to the same person (me)? How?

Again, not sure how this can work with Gluu, but with CAS we have been mapping
the various OAuth2 identities (Google, Facebook, LinkedIn, GitHub, ...) as bare
LDAP attributes.

The best way to represent this multiple mapping in Syncope can vary depending on
several factors, but it is definitely possible: after all, an IdM's job is
consolidating several accounts into a single, virtual identity, isn't it? ;-)

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
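The "bare LDAP attributes" mapping described in the reply above, as an added example that is not part of the original thread and is not code from Syncope, CAS or Gluu: a small Python script reads a constructed LDIF extract of two users (the kind of data an LDAP-backed resource would hold after Syncope pushed the users to it), indexes each user's external identities, and resolves an incoming OAuth2 login to the single matching entry. The attribute names googleId, orcid and facebookId, the DNs, and the identifier values are assumptions chosen for the example. It correlates on the provider's stable subject identifier rather than on the e-mail claim, and it refuses to build the index if one external identity is claimed by two entries, since that would let one social login resolve to two different people.

```python
"""Correlating several external accounts onto one identity.

Added example, not code from the thread or from Syncope/CAS/Gluu: social
identities are stored as plain LDAP attributes on the user's entry, and an
incoming OAuth2 login is resolved to that single entry.  Attribute names
(googleId, orcid, facebookId), DNs and identifier values are assumptions.
"""
import base64
from collections import defaultdict

# Constructed sample of what an LDAP-backed resource might hold after Syncope
# pushed two users to it.  The second cn is base64-encoded ("Jürgen Doe").
SAMPLE_LDIF = """\
dn: uid=bnordgren,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bnordgren
cn: Bryce Nordgren
mail: bnordgren@example.org
googleId: 110248495921238986420
orcid: 0000-0002-1825-0097

dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe
cn:: SsO8cmdlbiBEb2U=
mail: jdoe@example.org
facebookId: 10203040506070809
"""

# Which (hypothetical) LDAP attribute carries each provider's subject id.
# Attribute names are compared case-insensitively, as LDAP does.
PROVIDER_ATTR = {"google": "googleid", "orcid": "orcid", "facebook": "facebookid"}


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attr: [values]}}.

    Handles folded lines (leading space) and base64 values ('attr:: ...');
    it is not a full RFC 2849 parser (no changetype records, no URL values).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, None
    for line in lines + [""]:                  # trailing "" flushes last record
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def build_index(entries):
    """Map (provider, subject) -> DN for every stored external identity.

    Refuses to continue if one external identity appears on two entries:
    that would let a single social login resolve to two different people.
    """
    index = {}
    for dn, attrs in entries.items():
        for provider, attr in PROVIDER_ATTR.items():
            for subject in attrs.get(attr, []):
                key = (provider, subject)
                if key in index and index[key] != dn:
                    raise ValueError(
                        f"{provider} identity {subject} claimed by both "
                        f"{index[key]} and {dn}")
                index[key] = dn
    return index


def resolve(index, provider, subject):
    """Return the DN owning this (provider, subject) pair, or None.

    Correlation keys on the provider's stable subject identifier, never on
    the e-mail claim: e-mail addresses can be unverified or reassigned, and
    auto-linking on them is a well-known account-takeover path.
    """
    return index.get((provider, subject))


if __name__ == "__main__":
    index = build_index(parse_ldif(SAMPLE_LDIF))
    for provider, subject in [("google", "110248495921238986420"),
                              ("orcid", "0000-0002-1825-0097"),
                              ("google", "999")]:
        print(provider, subject, "->", resolve(index, provider, subject))
```

In a real deployment the index is the LDAP search itself (a filter such as `(googleId=<subject>)` against the resource), so the uniqueness check becomes a schema or provisioning-rule constraint; the point of the standalone version is that the correlation key is the provider's opaque subject and that a duplicate claim is treated as an error rather than a tie-break.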