Hi guys.
I've only stumbled upon the whole Keycloak thing, thus go easy on me please. I wonder if Keycloak can be a "provider" to FreeIPA in some way? One such scenario where I think Keycloak might be a golden egg - if it worked, that is - is as a "middle-man" for the user base between (or from to) AD and FreeIPA when full & legit trust is not possible. Does that make sense?
many thanks, L.
On Mon, Nov 08, 2021 at 09:45:39PM +0000, lejeczek via FreeIPA-users wrote:
Hi L,
It does make sense, and IIRC it is being worked on. That is, authenticating to FreeIPA realm as "external identities" by way of SAML or OpenID Connect assertions.
Adding Alexander, who may be able to comment further.
Thanks, Fraser
On Tue, 09 Nov 2021, Fraser Tweedale wrote:
There is ongoing work to enable this feature. It is not ready yet for any testing, as we had been distracted with more important work[1] recently. Hopefully, we'll get back to external IdP support[2] relatively soon.
[1] https://lists.samba.org/archive/samba-technical/2021-November/136978.html
[2] https://github.com/abbra/freeipa/blob/external-idp/doc/designs/external-idp/...
On 09/11/2021 06:40, Alexander Bokovoy wrote:
Even if it's only me who is euphoric about this idea, I can still say - that should be a killer feature when implemented. many! thanks. L
On 09/11/2021 06:40, Alexander Bokovoy wrote:
Hi guys. I wonder if you got any closer, perhaps to some test/trial in the foreseeable future? thanks, L.
On Mon, 27 Jun 2022, lejeczek via FreeIPA-users wrote:
It is part of the FreeIPA 4.9.10 release. Please see the release notes for additional details.
On 28/06/2022 07:08, Alexander Bokovoy wrote:
Gee - like a baby needs little to feel excitement, I'll express mine quickly - fantastycznie! It's a new era! Guys (not only the IPA gang here but all involved)... you are the best. Some schedule/guesstimate when it might land in c8s? many! thanks, L
On Tue, Jun 28, 2022 at 5:48 AM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
We don't package for c8s and have little to no influence there, but I believe it should be available in a few weeks.
Rafael
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat