[Freeipa-users] External Collaboration Domains

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sun Mar 30 17:18:04 UTC 2014


Hey guys,

Back again. Thanks for your responses so far.

OTP is interesting, but requires that an account be created in the local domain, which is kind of opposed to the notion of federated identities.

Ipsilon is also interesting, from its description as a gateway to non-Kerberos identity providers. I have not located much information about it, though.

I've taken a couple of days to put together an RFE with three use cases and tons of pictures. It locally maintains user attributes in LDAP without creating a corresponding authentication principal in Kerberos. It offers a little more flexibility for integrating AD users to an IPA managed POSIX realm without conflicting with the existing method. It also makes possible the management of inter-organizational cross realm operation using PKINIT. Finally, it describes an interface between the IPA server and Ipsilon (or any identity gateway), and a mechanism by which Ipsilon may acquire TGTs for the local realm on behalf of clients who authenticate via remote, non-Kerberos identity providers. This last workflow is generic and supports methods other than a web-browser.

Please take a look and help me improve it. Also please educate me out of any mistakes you detect. Part of the reason for doing this is for me to make sure I learned Kerberos concepts correctly.

 http://www.freeipa.org/page/External_Users_in_IPA

Thanks,
Bryce
