Loading howto/ldap.md +23 −9 Original line number Diff line number Diff line Loading @@ -2258,15 +2258,27 @@ using the [django-auth-ldap][] authentication plugin. ### Single-sign on * [Keycloak][]: single-sign-on interface which talks with LDAP * [FreeIPA][]: similar, except built on top of 389 DS, the Fedora LDAP thing * [Authelia][]: single sign-on, 2fa, OIDC connect * [Authentik][]: single sign-on, 2fa, OIDC, SAML, LDAP, proxy, metrics * [LemonLDAP-ng](https://lemonldap-ng.org/), [packaged in Debian](https://tracker.debian.org/pkg/lemonldap-ng) * [kanidm][]: SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline support, web UI, CLI tools "Single-sign on" (SSO) is "an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems." -- [Wikipedia](https://en.wikipedia.org/wiki/Single_sign-on) In our case, it's something that could allow all our applications that use a single source of truth for usernames and passwords. We could also have a single place to manage the 2FA configurations, so that users wouldn't have to enroll their 2FA setup in each application individually. Here's a list of the possible applications that could do this that we're aware of: | Application | Features | Notes | |------------------|----------------------------------------------------------------------------|---------------------------------------------| | [Keycloak][] | SSO, LDAP | | | [FreeIPA][] | SSO, LDAP | built on top of 389 DS (Fedora LDAP server) | | [Authelia][] | SSO, 2FA, OIDC | | | [Authentik][] | SSO, 2FA, OIDC, SAML, LDAP, proxy, metrics | | | [LemonLDAP-ng][] | | [packaged in Debian][] | | [kanidm][] | SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline support, web/CLI UI, Rust | | See also [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) for an Apache module supporting OIDC. Loading 
@@ -2278,6 +2290,8 @@ swap ud-ldap out if we need to, replacing bits of it as we go. [Authelia]: https://www.authelia.com/ [Authentik]: https://goauthentik.io/ [kanidm]: https://github.com/kanidm/kanidm [LemonLDAP-ng]: https://lemonldap-ng.org/ [packaged in Debian]: https://tracker.debian.org/pkg/lemonldap-ng #### Keycloak Loading Loading
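Review bot: the sentence "In our case, it's something that could allow all our applications that use a single source of truth for usernames and passwords" in the first hunk is missing its verb; it should read "could allow all our applications to use a single source of truth for usernames and passwords". In the same hunk, the new Features column leaves the LemonLDAP-ng cell empty, so a reader shortlisting by feature cannot compare it with the other rows, and since the paragraph names a single place to manage 2FA as the goal, confirm that leaving 2FA off the Keycloak and FreeIPA rows is deliberate rather than an omission carried over from the terser bullets.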
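Review bot: the two reference definitions added in the second hunk match the `[LemonLDAP-ng][]` and `[packaged in Debian][]` labels used in the table, so the links resolve; the label `packaged in Debian` is generic for a reference name, though, and a label such as `lemonldap-ng in Debian` would stay meaningful if another packaged project is added to the table later.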