On Tue, 14 Jan 2014, Nordgren, Bryce L -FS wrote:
In my previous message, I asked about one-way trust with AD to provide
a means of "extending" our corporate AD with accounts for external
cooperators. I expect this is just a technical matter: either FreeIPA
supports it or not, and there are no conceptual obstacles. So, my
password is the same, and everyone else needs a new account. Not ideal,
but it's achievable fairly easily with existing tools.
But what I really really want is an identity provider for the edge of
the enterprise, where I live. My password is the same and external
users can also use their normal password. Essentially, I want a
software suite which interfaces between the enterprise environment
where everything is centrally managed, and a federated environment
where there are too many organizations to shake a stick at.
I've been reading about "Application Bridging for Federated Access
Beyond Web" (abfab). https://datatracker.ietf.org/wg/abfab/ It appears
to me that the draft architecture document and the recently published
RFCs (7055, 7056, 7057) define a mechanism for enterprises to federate
and opens up a whole new application space. The big question is,
should enterprise-centric management apps expand to include federation,
or will a whole new crop of solutions pop up? Or, more pointedly, could
this gap be filled by augmenting an enterprise's existing AD deployment
with a federation-aware FreeIPA? Has FreeIPA considered moving into
I can see several areas where a federation aware, AD compatible
solution could add value to an organization:
Use case 1: Synchronizing enterprise IDs with IDs exposed to the
federation. (Currently, we have "AD" credentials and SAML credentials,
and they are not synched. And our SAML IdP does not participate in a
Use case 2: Software can use SAML credentials for workstation logins
(if the workstations are on the "research net"); and allow only
internal users to use "internal services".
Use case 3: Software provides access to "internal + federated"
identities using LDAP, SAML, Kerberos, etc.
Food for thought. I know this isn't near term, but at this point, I'm
just curious if people are even thinking along these lines?

Yes, we do have plans on being able to bridge with SAML IdP. This work
is not yet available for production use but we certainly are looking
into making IPA identities available for consumption through
/ Alexander Bokovoy
Freeipa-users mailing list