Identity federation / management

#1

All,
What are opinions on OpenID etc.?
I feel that since we're going to end up with at least a couple of web-based things etc., it's good to think about this early, so we don't have to continually get people to sign up to stuff etc.

DW

0 Likes

#2

I agree. I've been thinking about using http://www.identityserver.io. It can act as an OpenID provider as well as do a bunch of useful OAuth2 stuff.

It needs to be backed by a user database. I'm thinking Discourse could be that database (at least for now).

0 Likes

#3

Is this an application or just some kind of library framework? I'm confused…

0 Likes

#4

Yeah, their website is confusing AF. Their GitHub page is better:

It's a server application that implements the OpenID Connect spec. So, it can act as an OpenID server.

It also helps you manage API access tokens.

When I eventually get around to implementing a member services API this will help make sure only members can use it.

0 Likes

#5

OK… also, does it only run on IIS?

0 Likes

#6

I think it's an ASP.NET Core app, so it should run anywhere.

It will self-host, but we should probably put it behind a proper web server eventually.

0 Likes

#7

Are you thinking of setting up that LDAP server?

0 Likes

#8

Yes, definitely if we think it's useful. The downside: the thing I learned is it basically requires CentOS. I spent absolutely ages attempting to wrangle it to install on other things, and it's nearly impossible.

0 Likes

#9

I wonder if we could get it to run in one or more CentOS containers. If it only requires a handful of processes it might be doable. Otherwise, we can always spin up a VM.

What was the name of the project again? Did it have a website?

0 Likes

#10

FreeIPA
https://www.freeipa.org/page/Main_Page

It's basically just a well put together set of other projects: LDAP server (389DS), Kerberos server, certificate management (Dogtag) + nice configuration GUI, and nice configuration clients for the client machines. But together it's basically Active Directory for Linux. And configuring all those properly separately would be a very annoying job. It also can integrate with AD. Anyway, I found on Fedora or CentOS it's pretty easy to install and get running.

0 Likes

#11

P.S. There is actually a Docker container for it, but I wasn't able to get it to work, though I didn't try that hard.

https://www.freeipa.org/page/Docker

They say it's "not supported" and is "just for demo / test" purposes. I think the problem stems from the need to mess around with DNS for the whole network.

0 Likes

#12

Yeah, I checked it out, and its GitHub page as well. It doesn't exactly seem ready for prime time. I'm not surprised, though, as a Docker container is only supposed to run a single process. And processes that expect the presence of systemd or upstart tend to struggle.

0 Likes