In my previous message, I asked about one-way trust with AD to provide a means 
of "extending" our corporate AD with accounts for external cooperators. I 
expect this is just a technical matter: either FreeIPA supports it or not, and 
there are no conceptual obstacles. So, my password is the same, and everyone else 
needs a new account. Not ideal, but it's achievable fairly easily with existing 

But what I really really want is an identity provider for the edge of the 
enterprise, where I live. My password is the same and external users can also 
use their normal password. Essentially, I want a software suite which 
interfaces between the enterprise environment where everything is centrally 
managed, and a federated environment where there are too many organizations to 
shake a stick at.

I've been reading about "Application Bridging for Federated Access Beyond Web" 
(abfab). It appears to me that the draft 
architecture document and the recently published RFCs (7055, 7056, 7057) 
define a mechanism for enterprises to federate and open up a whole new 
application space. The big question is, should enterprise-centric management 
apps expand to include federation, or will a whole new crop of solutions pop 
up? Or, more pointedly, could this gap be filled by augmenting an enterprise's 
existing AD deployment with a federation-aware FreeIPA? Has FreeIPA considered 
moving into this space?

I can see several areas where a federation-aware, AD-compatible solution could 
add value to an organization:

Use case 1: Synchronizing enterprise IDs with IDs exposed to the federation. 
(Currently, we have "AD" credentials and SAML credentials, and they are not 
synched. And our SAML IdP does not participate in a federation.)

Use case 2: Software can use SAML credentials for workstation logins (if the 
workstations are on the "research net"); and allow only internal users to use 
"internal services".

Use case 3: Software provides access to "internal + federated" identities using 
LDAP, SAML, Kerberos, etc.

Food for thought. I know this isn't near term, but at this point, I'm just 
curious if people are even thinking along these lines?


Freeipa-users mailing list
