From e7c1b058966d398c36a2dc348b2d5503eb79d955 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 6 Jun 2023 16:08:42 -0400
Subject: [PATCH] make a table of all the SSO programs

---
 howto/ldap.md | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/howto/ldap.md b/howto/ldap.md
index f1b6f3a3..cb668df1 100644
--- a/howto/ldap.md
+++ b/howto/ldap.md
@@ -2258,15 +2258,27 @@ using the [django-auth-ldap][] authentication plugin.
 
 ### Single-sign on
 
- * [Keycloak][]: single-sign-on interface which talks with LDAP
- * [FreeIPA][]: similar, except built on top of 389 DS, the Fedora
-   LDAP thing
- * [Authelia][]: single sign-on, 2fa, OIDC connect
- * [Authentik][]: single sign-on, 2fa, OIDC, SAML, LDAP, proxy,
-   metrics
- * [LemonLDAP-ng](https://lemonldap-ng.org/), [packaged in Debian](https://tracker.debian.org/pkg/lemonldap-ng)
- * [kanidm][]: SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline
-   support, web UI, CLI tools
+"Single-sign on" (SSO) is "an authentication scheme that allows a user
+to log in with a single ID to any of several related, yet independent,
+software systems." -- [Wikipedia](https://en.wikipedia.org/wiki/Single_sign-on)
+
+In our case, it's something that could allow all our applications that
+use a single source of truth for usernames and passwords. We could
+also have a single place to manage the 2FA configurations, so that
+users wouldn't have to enroll their 2FA setup in each application
+individually.
+
+Here's a list of the possible applications that could do this that
+we're aware of:
+
+| Application      | Features                                                                   | Notes                                       |
+|------------------|----------------------------------------------------------------------------|---------------------------------------------|
+| [Keycloak][]     | SSO, LDAP                                                                  |                                             |
+| [FreeIPA][]      | SSO, LDAP                                                                  | built on top of 389 DS (Fedora LDAP server) |
+| [Authelia][]     | SSO, 2FA, OIDC                                                             |                                             |
+| [Authentik][]    | SSO, 2FA, OIDC, SAML, LDAP, proxy, metrics                                 |                                             |
+| [LemonLDAP-ng][] |                                                                            | [packaged in Debian][]                      |
+| [kanidm][]       | SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline support, web/CLI UI, Rust |                                             |
 
 See also [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) for an Apache module supporting OIDC.
 
@@ -2278,6 +2290,8 @@ swap ud-ldap out if we need to, replacing bits of it as we go.
 [Authelia]: https://www.authelia.com/
 [Authentik]: https://goauthentik.io/
 [kanidm]: https://github.com/kanidm/kanidm
+[LemonLDAP-ng]: https://lemonldap-ng.org/
+[packaged in Debian]: https://tracker.debian.org/pkg/lemonldap-ng
 
 #### Keycloak
 
-- 
GitLab