[Freeipa-users] FreeIPA and abfab?
Nordgren, Bryce L -FS
bnordgren at fs.fed.us
Tue Jan 14 02:50:24 UTC 2014
In my previous message, I asked about one-way trust with AD to provide a means of "extending" our corporate AD with accounts for external cooperators. I expect this is just a technical matter: either FreeIPA supports it or not, and there's no conceptual obstacles. So, my password is the same, and everyone else needs a new account. Not ideal, but it's achievable fairly easily with existing tools.
But what I really really want is an identity provider for the edge of the enterprise, where I live. My password is the same and external users can also use their normal password. Essentially, I want a software suite which interfaces between the enterprise environment where everything is centrally managed, and a federated environment where there are too many organizations to shake a stick at.
I've been reading about "Application Bridging for Federated Access Beyond Web" (abfab). https://datatracker.ietf.org/wg/abfab/ It appears to me that the draft architecture document and the recently published RFCs (7055, 7056, 7057) defines a mechanism for enterprises to federate and opens up a whole new application space. The big question is, should enterprise-centric management apps expand to include federation, or will a whole new crop of solutions pop up? Or, more pointedly, could this gap be filled by augmenting an enterprise's existing AD deployment with a federation-aware FreeIPA? Has FreeIPA considered moving into this space?
I can see several areas where a federation aware, AD compatible solution could add value to an organization:
Use case 1: Synchronizing enterprise IDs with IDs exposed to the federation. (Currently, we have "AD" credentials and SAML credentials, and they are not synched. And our SAML IdP does not participate in a federation.)
Use case 2: Software can use SAML credentials for workstation logins (if the workstations are on the "research net"); and allow only internal users to use "internal services".
Use case 3: Software provides access to "internal + federated" identities using LDAP, SAML, Kerberos, etc.
Food for thought. I know this isn't near term, but at this point, I'm just curious if people are even thinking along these lines?
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140114/048c2d66/attachment.htm>
More information about the Freeipa-users
mailing list