[Freeipa-users] External collaboration edits

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Jun 16 19:41:08 UTC 2014 

[...talking about views...]

> It's not only about AD, but use-case and examples in the design page
> currently all refer to AD. The key is to find a unique reference to the
> upstream object which in the AD case is obviously the SID. In a previous
> version of the page there were a bit more details who the original/upstream
> objects can be referenced, e.g. it can a fully qualified name or Kerberos
> principal.

Can views handle the case when there is no upstream object? Or when the upstream attribute store is not published as a searchable database (which is almost "no upstream object")? I'd very much like to see these as explicit use cases for views.

Case one would represent vanilla Kerberos trusts, or the quite likely scenario where an external collaboration domain is separated from corporate AD by a firewall. (e.g., institutional AD can provide authentication via trust for users on the corporate network, but not attributes).

Case two would represent authentication sources such as SAML. Views would need to be the mechanism by which the gateway caches attributes in FreeIPA (after inspecting SAML assertions).

Finally, one functional requirement for views may be that the view needs to support a many-to-one "authentication method" to "identity attributes" mapping. For instance, an employee sitting at their desk may log into their server in the collaboration network via SSO (hence, their AD account). Soon this same user may also walk over to the console on the collaboration network and need to use some other Ipsilon-gateway-enabled credentials. These two credentials may need to be mapped to a single user identity. This may not be functionality which needs to be implemented first, but it does perhaps suggest that krbPrincipal may not always be single valued. This may be something which deserves an honorable mention on the RFE page as it impacts the assumptions coders can make.

Thanks,
Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

More information about the Freeipa-users mailing list