On Tue, 14 May 2024, Manuel Linsmayer via FreeIPA-users wrote:
> Hello,
> 
> I've connected FreeIPA to Dex and Keycloak, which works fine. However,
> there are two features I'm missing, which would make life a lot easier:
> 
> - Automatic creation of a user account upon first "login" -- at the
> moment, the FreeIPA user has to be created upfront, and the "IdP
> reference" has to be set. If the "preferred username" from the IdP can
> be the same as the username in FreeIPA, then the FreeIPA account could
> be provisioned automatically.
> 
> - Evaluation of group memberships from the Userinfo endpoint -- upon every
> login, group memberships should be adapted. This way, group memberships
> could be managed in the IdP system.

These questions need to be asked of those IdPs. Depending on how they
implement their retrieval of user data from IPA, they will probably need
to improve. I suspect you are using something that talks directly to
LDAP and thus has a need to create accounts via LDAP with enough
privileges to do so. Same for group membership -- somebody has to
re-evaluate those group details after a change, and that change on the LDAP
side might not be noticed by the IdP.

> Or are there any other features available to "ease" and "streamline"
> the integration between IdP and FreeIPA?

We are working on a companion project that attempts to create a new
backend for Keycloak. It uses SSSD as a backend itself but is able to set
things up in such a way that autocreation of users happens automatically
through the IPA API.

See https://github.com/freeipa/ipa-tuura/ and the FOSDEM 2024 talk for
more details.
FOSDEM talk:
https://fosdem.org/2024/schedule/event/fosdem-2024-2618-ipa-tuura-freeipa-connector-for-keycloak/



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
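The two flows discussed in this thread, first-login provisioning and re-evaluating group membership from the userinfo document, worked through as an added example. This is not code from the mail above and not ipa-tuura's code; it only shows the FreeIPA JSON-RPC calls (user_add, group_add_member, group_remove_member, and the ipaidpconfiglink / ipaidpsub attributes behind `ipa user-add --idp --idp-user-id`) that an IdP-side connector would have to issue. The server URL, the IdP object name `keycloak`, the `idp-` group prefix, the uid regex and the sample userinfo are all assumptions.

```python
"""Plan the FreeIPA API calls that sync one IdP login into FreeIPA.

Added example, not code from the mailing-list thread or from ipa-tuura.
Input is the userinfo document an OIDC IdP (Keycloak, Dex, ...) returns after
login; output is the list of FreeIPA JSON-RPC calls that create the account on
first login (user_add) and reconcile IdP-managed group membership
(group_add_member / group_remove_member). Only the call shapes are FreeIPA's
API; the endpoint, IdP config name, group prefix and sample data are assumed.
"""
import json
import re
import urllib.request

IPA_JSON_URL = "https://ipa.example.test/ipa/session/json"  # assumed server
IPA_REFERER = "https://ipa.example.test/ipa"                # IPA rejects calls without it
IPA_API_VERSION = "2.251"                                    # assumed; pin to your server's
MANAGED_PREFIX = "idp-"   # assumed convention: only these groups are owned by the IdP
UID_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # assumed local uid policy


def ipa_call(method, args, options):
    """One FreeIPA JSON-RPC request body: params = [positional args, options]."""
    return {"method": method, "params": [args, dict(options, version=IPA_API_VERSION)], "id": 0}


def plan_sync(userinfo, ipa_user, ipa_groups, idp_name="keycloak"):
    """Return the JSON-RPC calls needed to bring FreeIPA in line with `userinfo`.

    userinfo   -- dict from the IdP's userinfo endpoint (sub, preferred_username, groups, ...)
    ipa_user   -- the 'result' dict of user_show for this uid, or None if no account exists
    ipa_groups -- set of group names that exist in IPA (this code never creates groups)
    idp_name   -- name of the IdP object created with `ipa idp-add` (assumed: keycloak)
    """
    uid = userinfo.get("preferred_username", "")
    # preferred_username is IdP-controlled input: validate it before it becomes a POSIX uid.
    if not UID_RE.match(uid):
        raise ValueError(f"refusing to provision untrusted username {uid!r}")
    calls = []
    if ipa_user is None:
        # First login: create the account and set the IdP reference (what the CLI
        # exposes as --idp / --idp-user-id), keyed on the stable `sub` claim.
        options = {
            "givenname": userinfo.get("given_name") or uid,
            "sn": userinfo.get("family_name") or uid,
            "ipaidpconfiglink": idp_name,
            "ipaidpsub": userinfo["sub"],
            "ipauserauthtype": ["idp"],
        }
        if userinfo.get("email"):
            options["mail"] = userinfo["email"]
        calls.append(ipa_call("user_add", [uid], options))
        current = set()
    else:
        current = set(ipa_user.get("memberof_group", []))
    # Only touch IdP-managed groups that exist in IPA; local groups such as `admins`
    # stay under FreeIPA's control no matter what the IdP claims.
    wanted = {g for g in userinfo.get("groups", [])
              if g.startswith(MANAGED_PREFIX) and g in ipa_groups}
    current_managed = {g for g in current if g.startswith(MANAGED_PREFIX)}
    for g in sorted(wanted - current_managed):
        calls.append(ipa_call("group_add_member", [g], {"user": [uid]}))
    for g in sorted(current_managed - wanted):
        calls.append(ipa_call("group_remove_member", [g], {"user": [uid]}))
    return calls


def post_call(call, session_cookie):
    """Send one call to the IPA session endpoint (cookie from /ipa/session/login_kerberos)."""
    req = urllib.request.Request(IPA_JSON_URL, data=json.dumps(call).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Referer", IPA_REFERER)
    req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed userinfo, not a real IdP response.
    userinfo = {"sub": "8f1c0a7e-demo", "preferred_username": "mlinsmayer",
                "given_name": "Manuel", "family_name": "Linsmayer",
                "email": "mlinsmayer@example.test",
                "groups": ["idp-ops", "idp-missing", "admins"]}
    for c in plan_sync(userinfo, None, {"idp-ops", "idp-devs", "admins"}):
        print(json.dumps(c))
```

Two design points matter for the "same username as in the IdP" idea from the question: the account is linked to the IdP through `sub` (ipaidpsub), not through the display-ish `preferred_username`, because many IdPs do not guarantee the latter is unique or stable, and the uid is validated before it is handed to user_add. Group reconciliation is restricted to a managed prefix so that a misconfigured or compromised IdP cannot add someone to, or strip someone from, `admins`. The caller that issues these calls needs an IPA identity with the matching user and group-membership management permissions; it does not need to write to LDAP directly.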