On 2016-04-25 16:00 Nordgren, Bryce L -FS wrote:
> Francesco,
>
> Thanks for your reply! You've given me what I need to go forward.

Happy to help!

> W.r.t. Gluu, SCIM may be the way forward (in a couple of releases.) I'll look
> into CAS.

I believe Gluu might also be good for the job; only, I don't have any experience (yet?) with it.

FYI Syncope should also feature a SCIM interface eventually.

> Is it possible to have the users manage their own collections of accounts, or
> is that an admin / helpdesk type of task?

The Syncope Enduser can be easily customized for the job.

Regards.

> From: Francesco Chicchiriccò [mailto:ilgro...@apache.org]
> Sent: Monday, April 25, 2016 1:09 AM
> To: user@syncope.apache.org
> Subject: Re: Orientation
>
> Hi Bryce,
>
> glad of your interest in Apache Syncope.
>
> See my replies embedded below.
>
> Regards.
>
> On 2016-04-23 21:56 Nordgren, Bryce L -FS wrote:
>
>> Hi,
>>
>> I'm trying to set up a hybrid desktop/web identity solution outside the
>> corporate firewall. I'm essentially an enduser and this is well outside my
>> normal wheelhouse. I gather (from
>> http://syncope.apache.org/iam-scenario.html) that Syncope can be used to
>> coordinate multiple identity technologies.
>
> That's correct.
>
>> Roughly, here is what I was thinking so far. Please correct my ignorance.
>>
>> * Identities (people) and possibly some groups are centralized
>>   nationally, machines/services are defined locally
>>   - Authorization is local to the machine/service/application (not Syncope's
>>     problem)
>>   - Desktop authentication is via Active Directory (Win) or FreeIPA
>>     (Linux/Mac); Kerberos-based
>>   - Web authentication via Gluu
>>
>> * Likely authentication methods:
>>   - PIV smartcard (web or desktop; employees only)
>>   - Username/password (web or desktop; employees and partners)
>>   - "Social" accounts (google, facebook, ORCID): (web only; employees and
>>     partners)
>>
>> As I understand it, Syncope would act as a central registry of users, and I
>> would need it to perform a two-way sync to both AD and Gluu. So the first
>> question would be: Is my understanding correct so far, and is Syncope a good
>> fit?
>
> Definitely so: I am not very familiar with Gluu, but we've been implementing
> similar requirements with CAS.
>
> Essentially, you need to configure several external resources in Apache
> Syncope: one for Active Directory (ConnId connector stable, feature-rich),
> one for Gluu (guess that the well-known ConnId LDAP connector can fit the
> job) and one for FreeIPA (ConnId connector available but not very widely
> adopted yet, may need additional testing).
>
> The only point I urge to highlight is that you cannot extract password values
> out of Active Directory, so you'll have to consider that self-service
> operations need to be performed either via Syncope Enduser or any 3rd party
> app relying on Syncope RESTful interface.
>
>> My second question is: allowing login from social accounts leads to "one
>> person, many accounts". Does syncope have a way to recognize that my AD
>> account and my google account belong to the same person (me)? How?
>
> Again, not sure how this can work with Gluu, but with CAS we have been
> mapping the various OAuth2 identities (Google, Facebook, LinkedIn, GitHub,
> ...) as bare LDAP attributes.
>
> The best way to represent this multiple mapping in Syncope can vary depending
> on several factors, but it is definitely possible: after all, one IdM's job
> is consolidating several accounts into a single, virtual identity, isn't it?
> ;-)

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer
http://home.apache.org/~ilgrosso/
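The "one person, many accounts" question above is really an account-correlation policy, and the part a security engineer cares about is when a social account may be attached to an existing identity. The following is an added example, not code from Apache Syncope, CAS or Gluu, and not the thread author's: it sketches the decision logic with a constructed record format and constructed sample accounts. The source names (`ad`, `freeipa`, `google`, `facebook`, `orcid`), the `ExternalAccount`/`Identity` classes, the `correlate` function and the sample data are all assumptions made for illustration. The policy it encodes is the one a practitioner would want: only authoritative directories (AD, FreeIPA) may create identities, a social account is auto-linked only when the provider asserts the e-mail is verified and it matches an existing identity, and everything else is parked for self-service or helpdesk linking. Linking on an unverified e-mail is the classic pre-registration account-takeover path, so it is deliberately refused here.

```python
"""
Added example (not Apache Syncope code): correlating several external
accounts into one identity. Record format, source names, sample data and
the Identity model are constructed assumptions for illustration only; in an
IdM such as Syncope the same decision would live in its correlation hook.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: which sources may create identities and which may only link.
AUTHORITATIVE = {"ad", "freeipa"}
LINKABLE = {"google", "facebook", "orcid"}


@dataclass(frozen=True)
class ExternalAccount:
    source: str            # where the record came from, e.g. "ad" or "google"
    subject: str           # identifier unique within that source
    email: Optional[str]   # e-mail as reported by the source
    email_verified: bool = False  # True only if the source asserts verification


@dataclass
class Identity:
    key: str                                   # normalized e-mail used as join key
    accounts: List[ExternalAccount] = field(default_factory=list)

    def as_attributes(self) -> Dict[str, List[str]]:
        """Flatten linked accounts into multi-valued attributes, one per
        source (the 'bare LDAP attributes' shape mentioned in the thread)."""
        out: Dict[str, List[str]] = {}
        for a in self.accounts:
            out.setdefault(f"{a.source}Id", []).append(a.subject)
        return out


def normalize_email(email: Optional[str]) -> Optional[str]:
    """Lower-case and trim; reject values that are not local@domain.
    (Folding the local part is a pragmatic choice, not an RFC guarantee.)"""
    if not email:
        return None
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


def correlate(accounts: List[ExternalAccount]
              ) -> Tuple[Dict[str, Identity], List[Tuple[ExternalAccount, str]]]:
    """Return (identities keyed by e-mail, accounts left pending with a reason)."""
    identities: Dict[str, Identity] = {}
    pending: List[Tuple[ExternalAccount, str]] = []

    # Pass 1: authoritative sources anchor identities.
    for a in accounts:
        if a.source not in AUTHORITATIVE:
            continue
        key = normalize_email(a.email)
        if key is None:
            pending.append((a, "authoritative record without usable e-mail"))
            continue
        identities.setdefault(key, Identity(key)).accounts.append(a)

    # Pass 2: social accounts may only attach to an existing identity, and
    # only on an e-mail the provider itself has verified. No identity is
    # ever created from a social login, so an attacker who registers a
    # social account with a victim's address cannot pre-claim the identity.
    for a in accounts:
        if a.source in AUTHORITATIVE:
            continue
        if a.source not in LINKABLE:
            pending.append((a, "unknown source"))
            continue
        key = normalize_email(a.email)
        if key is None or not a.email_verified:
            pending.append((a, "e-mail missing or not verified by provider"))
            continue
        ident = identities.get(key)
        if ident is None:
            pending.append((a, "no authoritative identity with this e-mail"))
            continue
        ident.accounts.append(a)

    return identities, pending


# Constructed sample input (not real accounts).
SAMPLE = [
    ExternalAccount("ad", "CORP\\bnordgren", "bryce@example.gov", True),
    ExternalAccount("google", "g-1", "Bryce@example.gov", True),        # links
    ExternalAccount("orcid", "0000-0000-0000-0001", "bryce@example.gov", False),  # unverified
    ExternalAccount("facebook", "fb-9", "bryce@example.gov", True),     # links
    ExternalAccount("google", "g-2", "someone@evil.test", True),        # no anchor
]


def run_sample():
    return correlate(SAMPLE)


if __name__ == "__main__":
    ids, pend = run_sample()
    for ident in ids.values():
        print(ident.key, ident.as_attributes())
    for acct, why in pend:
        print("pending:", acct.source, acct.subject, "->", why)
```

The two pending entries are the interesting ones: the ORCID record carries the right address but the provider did not vouch for it, and the second Google account has a verified address that matches nobody, so neither is linked automatically. Both would be handed to the self-service flow the thread points at (Syncope Enduser), where the user proves control of the existing identity before the link is made.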