@oliof@octodon.social This sounds reasonable except the gap I see is by using LDAP and not a public key server there is no way for people outside of the company to know whose key to trust that claims to be part of the company.
For example if someone in the company posts some software, or a letter or any content and an external user wants to see if they should trust them as a representative of the company and ensure they aren't just an employee but authorized to validate releases or make particular decisions, how would they do that?
Can you give me a breakdown in your mind of what software fills all the roles in an open source company... Who is the IDM, the identity provider, what software does the SSO, the LDAP, etc... specifically solutions that would work well with OpenPGP...
Checking out FreeIPA now.
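The gap raised above (an outsider can check that a signature verifies, but not that the signer was authorised by the company for that action) is usually closed by having a published company key certify each employee key together with a statement of what that key is allowed to do; the outsider then needs only the company key, not access to the internal LDAP. The following is an added illustration written for this thread, not code from any poster or from FreeIPA: it uses Go's standard-library Ed25519 and a small JSON "role attestation" as a stand-in for an OpenPGP certification, and the role names, key names and the `RoleAttestation` / `VerifyRelease` helpers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// RoleAttestation is a hypothetical statement the company's root key signs:
// "this public key belongs to someone authorised for this role until this time".
// In OpenPGP terms this plays the part of a certification on the employee key.
type RoleAttestation struct {
	SubjectKey string `json:"subject_key"` // hex of the employee's public key
	Role       string `json:"role"`        // e.g. "release-signer"
	NotAfter   int64  `json:"not_after"`   // unix seconds
}

// SignedAttestation carries the JSON payload and the root key's signature over it.
type SignedAttestation struct {
	Payload []byte
	Sig     []byte
}

// IssueAttestation is what the company does internally (the LDAP / IDM side).
func IssueAttestation(rootPriv ed25519.PrivateKey, subject ed25519.PublicKey, role string, notAfter time.Time) (SignedAttestation, error) {
	payload, err := json.Marshal(RoleAttestation{SubjectKey: hex.EncodeToString(subject), Role: role, NotAfter: notAfter.Unix()})
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Sig: ed25519.Sign(rootPriv, payload)}, nil
}

// VerifyRelease is what an external user runs. It needs only the published
// company root key: it checks the attestation chain, the role, the validity
// window and finally the artifact signature itself.
func VerifyRelease(rootPub ed25519.PublicKey, att SignedAttestation, signer ed25519.PublicKey, artifact, artifactSig []byte, role string, now time.Time) error {
	if !ed25519.Verify(rootPub, att.Payload, att.Sig) {
		return errors.New("attestation is not signed by the company root key")
	}
	var ra RoleAttestation
	if err := json.Unmarshal(att.Payload, &ra); err != nil {
		return err
	}
	if ra.SubjectKey != hex.EncodeToString(signer) {
		return errors.New("attestation covers a different key than the one that signed")
	}
	if ra.Role != role {
		return fmt.Errorf("key is attested for role %q, not %q", ra.Role, role)
	}
	if now.Unix() > ra.NotAfter {
		return errors.New("attestation has expired")
	}
	if !ed25519.Verify(signer, artifact, artifactSig) {
		return errors.New("artifact signature is invalid")
	}
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation failing is not recoverable for the demo
	}
	return pub, priv
}

// Scenario builds a company root key, two employee keys and one constructed
// release, then runs the external user's check in several situations.
func Scenario() map[string]error {
	rootPub, rootPriv := newKey()
	releasePub, releasePriv := newKey() // employee authorised to sign releases
	supportPub, supportPriv := newKey() // employee with a different role
	outsiderPub, outsiderPriv := newKey()
	now := time.Unix(1_700_000_000, 0)
	year := 365 * 24 * time.Hour

	releaseAtt, _ := IssueAttestation(rootPriv, releasePub, "release-signer", now.Add(year))
	supportAtt, _ := IssueAttestation(rootPriv, supportPub, "support", now.Add(year))
	forgedAtt, _ := IssueAttestation(outsiderPriv, outsiderPub, "release-signer", now.Add(year)) // self-issued, not root-signed

	artifact := []byte("constructed release tarball contents") // constructed sample artifact
	goodSig := ed25519.Sign(releasePriv, artifact)
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 1

	return map[string]error{
		"authorized":         VerifyRelease(rootPub, releaseAtt, releasePub, artifact, goodSig, "release-signer", now),
		"wrong_role":         VerifyRelease(rootPub, supportAtt, supportPub, artifact, ed25519.Sign(supportPriv, artifact), "release-signer", now),
		"forged_attestation": VerifyRelease(rootPub, forgedAtt, outsiderPub, artifact, ed25519.Sign(outsiderPriv, artifact), "release-signer", now),
		"expired":            VerifyRelease(rootPub, releaseAtt, releasePub, artifact, goodSig, "release-signer", now.Add(2*year)),
		"tampered":           VerifyRelease(rootPub, releaseAtt, releasePub, tampered, goodSig, "release-signer", now),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-20s %v\n", name, err)
	}
}
```

Only the "authorized" case passes; a genuine employee key without the release role, a self-issued attestation, an expired attestation and a modified artifact are all rejected. The point for the thread is that the root public key and the attestations are what must be published (on a key server, the company site or alongside each release), while the LDAP that decides who gets attested can stay internal.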
@freemo @oliof That really depends on your org. Last place where I was the Identity Architect, the IDM was internally built. The LDAP was a mix of OpenLDAP and Active Directory that was managed by that IDM tool and Grouper, from common sources. The Identity Provider for SSO was handled by both Apereo CAS and TIER's Shibboleth, and LDAP was also the authentication and authorization source for sssd logins, sudo, etc.
@freemo @oliof Many, many years ago (and multiple employers ago), I gave a talk on this at the So Cal Linux Expo:
https://www.socallinuxexpo.org/scale12x/presentations/cas-and-shibboleth-open-source-your-identity
Thanks, all very helpful. I will be rethinking my original plan which was admittedly much simpler.
@freemo @oliof Much simpler might be better. I was managing identity for an org with hundreds of thousands of entities. If that's not where you're at, you might not need something as elaborate, but the concepts are still helpful to understand so you'll have an idea of how to eventually grow and scale your stack.
My company is on the scale of 20 people, so yea, nowhere near there. But we have some very high security concerns and are trying to do security on the level of a much larger corp... For example hardware full drive encryption everywhere. We are also a software company so we need to use our PGP identities to assure the public that content is authentic...
All that said I don't plan on replicating your setup, it is a bit much.. but I may take the idea and borrow from it in a simpler setup.
When I started this I wasn't even thinking of doing single sign-on at all.. was going to bastardize Keyoxide and be done with it... now I feel an SSO solution might not be a bad idea.
@freemo @oliof FreeIPA is a good one:
https://www.freeipa.org