Hi,

I was indeed thinking on using OAuth for the application (SAS Viya).

Standard platform: ADFS. Adding Keycloak is do-able, but currently not in scope.

We are a small (sub)team and how much is manage-able? ;)

The applicaton - SAS Viya - always needs LDAP as identity store - in combination with Kerberos (& IWA), OAuth, SAML, plain LDAP or PAM.

I find the implementation of their LDAP client a bit lacking (only 1 LDAP host, no referral setting, no starttls....)

One of the business requirements is "seamless" authentication and I was hoping we could use SPNEGO.

Our Hadoop (and related servers such as SAS Viya) are all placed in a separate IPA domain, and we have a trust with AD.

So this works for a firefox browser configured to use MIT Kerberos against IPA and the pure IPA users.

But me idealistic scenario of using end-users from AD on that SAS Viya platform is currently leading to nowhere.

Do you think it would be possible using ADFS Oauth? And AD LDAP as identity lookup store (if the problems are fixed) with all servers in the IPA domain?

If not, what about Keycloak integrated with IPA -->we still would have the problem with AD user lookup then.

Would be easier if the product uses SSSD/PAM as identity store as well somehow...

Sincerely Pieter

On Mon, Jul 2, 2018 at 2:15 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:

On ma, 02 heinä 2018, Pieter Baele via FreeIPA-users wrote:
> Hi,
>
>We have an application (Spring LDAP backend) that uses ketyabs in the IPA
>domain for SSO auth.
>No problems at all for internal FreeIPA users after they have a valid
>ticket (using MIT Kerberos for Windows) and a correctly configured browser.
>
>An AD user is never present in IPA itself as an inetOrgPerson objectclass
>(correct?).
>So because AD users are only present in the compat tree after adding them
>the "Default Trust View" , configuration of the application is a problem.
>Because of the schema, I can only use posixAccount and membership is using
>memberUid / RFC2307 (correct again?)
Correct.

>The absence of inetOrgPerson information (and memberOf) in the compat view,
>gives me difficulties connecting this component to FreeIPA....
memberOf is part of RFC2307bis, so out of scope for compat tree.

>Anyone experience with connecting Spring to IPA - AND - being able to use
>AD users?
If you are able to switch to a different authentication provider, I'd
rather take a different approach: use OpenID Connect/OAuth instead.
You'd connect your Spring application to an IdP like Keycloak and then
connect Keycloak to IPA. This would work for any complex setup because
authentication and identity retrieval at Keycloak side would be handled
by SSSD.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland