Francesco,

Thanks for your reply! You’ve given me what I need to go forward. W.r.t. Gluu, SCIM may be the way forward (in a couple of releases.) I’ll look into CAS.

Is it possible to have the users manage their own collections of accounts, or is that an admin / helpdesk type of task?

Thanks again,
Bryce

From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
Sent: Monday, April 25, 2016 1:09 AM
To: user@syncope.apache.org
Subject: Re: Orientation

Hi Bryce,
glad of your interest in Apache Syncope. See my replies embedded below.
Regards.

On 2016-04-23 21:56 Nordgren, Bryce L -FS wrote:

Hi,

I’m trying to set up a hybrid desktop/web identity solution outside the corporate firewall. I’m essentially an end user and this is well outside my normal wheelhouse. I gather (from http://syncope.apache.org/iam-scenario.html) that Syncope can be used to coordinate multiple identity technologies.

That's correct.

Roughly, here is what I was thinking so far. Please correct my ignorance.

• Identities (people) and possibly some groups are centralized nationally, machines/services are defined locally
  1. Authorization is local to the machine/service/application (not Syncope’s problem)
  2. Desktop authentication is via Active Directory (Win) or FreeIPA (Linux/Mac); Kerberos-based
  3. Web authentication via Gluu
• Likely authentication methods:
  o PIV smartcard (web or desktop; employees only)
  o Username/password (web or desktop; employees and partners)
  o “Social” accounts (google, facebook, ORCID): (web only; employees and partners)

As I understand it, Syncope would act as a central registry of users, and I would need it to perform a two-way sync to both AD and Gluu. So the first question would be: Is my understanding correct so far, and is Syncope a good fit?

Definitely so: I am not very familiar with Gluu, but we've been implementing similar requirements with CAS.

Essentially, you need to configure several external resources in Apache Syncope: one for Active Directory (ConnId connector stable, feature-rich), one for Gluu (guess that the well-known ConnId LDAP connector can fit the job) and one for FreeIPA (ConnId connector available but not very widely adopted yet, may need additional testing).

The only point I urge to highlight is that you cannot extract password values out of Active Directory, so you'll have to consider that self-service operations need to be performed either via Syncope Enduser or any 3rd party app relying on Syncope RESTful interface.

My second question is: allowing login from social accounts leads to “one person, many accounts”. Does Syncope have a way to recognize that my AD account and my Google account belong to the same person (me)? How?

Again, not sure how this can work with Gluu, but with CAS we have been mapping the various OAuth2 identities (Google, Facebook, LinkedIn, GitHub, ...) as bare LDAP attributes. The best way to represent this multiple mapping in Syncope can vary depending on several factors, but it is definitely possible: after all, one IdM's job is consolidating several accounts into a single, virtual identity, isn't it? ;-)

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
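The thread's answer to the "one person, many accounts" question is to store each external login (AD logon name, Google, GitHub, ORCID, ...) as a plain attribute on the person's directory entry and let the IdM resolve any of them to one virtual identity. The following is an added illustration of that idea, not code from Apache Syncope, CAS or Gluu: the attribute names (`googleId`, `githubId`, `orcidId`), the directory entries and the subject ids are all constructed for the example. Beyond the thread's description it also flags the failure mode a registry like this must handle, two entries claiming the same external account, which a resolver should refuse rather than silently pick one of.

```python
"""Consolidate several external accounts into one identity (hypothetical example)."""
from collections import defaultdict

# Assumed mapping: login provider -> LDAP-style attribute holding that provider's subject id.
# sAMAccountName is the real AD logon attribute; the social attribute names are invented.
PROVIDER_ATTRIBUTE = {
    "ad": "sAMAccountName",
    "google": "googleId",
    "github": "githubId",
    "orcid": "orcidId",
}

# Constructed sample directory entries (no real people or ids).
SAMPLE_ENTRIES = [
    {"uid": "alice", "sAMAccountName": "alice", "googleId": "g-1001", "orcidId": "0000-0000-0000-0001"},
    {"uid": "bob", "sAMAccountName": "bob", "githubId": "gh-2002"},
    {"uid": "partner01", "googleId": "g-3003"},   # partner with no AD account
    {"uid": "partner02", "googleId": "g-3003"},   # conflict: same Google id as partner01
]


class UnknownIdentity(LookupError):
    """No entry is linked to this (provider, subject) pair."""


class AmbiguousIdentity(ValueError):
    """More than one entry claims the same (provider, subject) pair."""


class IdentityRegistry:
    """Index of (provider, subject) -> uid built from directory entries."""

    def __init__(self, entries):
        self._entries = {e["uid"]: dict(e) for e in entries}
        self._index = {}
        # (provider, subject) -> set of uids claiming it; non-empty means an audit finding
        self.conflicts = defaultdict(set)
        for entry in entries:
            for provider, attr in PROVIDER_ATTRIBUTE.items():
                subject = entry.get(attr)
                if subject is not None:
                    self._register(provider, subject, entry["uid"])

    def _register(self, provider, subject, uid):
        key = (provider, subject)
        owner = self._index.get(key)
        if owner is None:
            self._index[key] = uid
        elif owner != uid:
            self.conflicts[key].update({owner, uid})

    def resolve(self, provider, subject):
        """Map a successful external login to the canonical uid, or raise."""
        key = (provider, subject)
        if key in self.conflicts:
            raise AmbiguousIdentity(f"{key} is claimed by {sorted(self.conflicts[key])}")
        try:
            return self._index[key]
        except KeyError:
            raise UnknownIdentity(f"no entry linked to {key}") from None

    def link(self, uid, provider, subject):
        """Attach an external account to an existing uid; refuse if another uid owns it."""
        if uid not in self._entries:
            raise UnknownIdentity(uid)
        if provider not in PROVIDER_ATTRIBUTE:
            raise ValueError(f"unsupported provider {provider!r}")
        key = (provider, subject)
        owner = self._index.get(key)
        if owner is not None and owner != uid:
            raise AmbiguousIdentity(f"{key} already linked to {owner}")
        self._entries[uid][PROVIDER_ATTRIBUTE[provider]] = subject
        self._index[key] = uid
        return self._entries[uid]

    def accounts_of(self, uid):
        """All (provider, subject) pairs that make up one virtual identity."""
        return sorted(k for k, v in self._index.items() if v == uid)


if __name__ == "__main__":
    reg = IdentityRegistry(SAMPLE_ENTRIES)
    print(reg.resolve("google", "g-1001"))      # alice
    print(reg.accounts_of("alice"))
    print(dict(reg.conflicts))                   # the partner01/partner02 collision
```

The `conflicts` map is the part worth keeping in any real deployment: a social id that turns up on two entries is either a data-entry mistake or an attempt to piggyback on someone else's account, and either way the safe behaviour is to fail the login and surface the collision to an administrator rather than guess.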