Back again. Thanks for your responses so far.
OTP is interesting, but requires that an account be created in the local
domain, which is kind of opposed to the notion of federated identities.
Ipsilon is also interesting, from its description as a gateway to non-Kerberos
identity providers. I have not located much information about it, though.
I've taken a couple of days to put together an RFE with three use cases and
tons of pictures. It locally maintains user attributes in LDAP without creating
a corresponding authentication principal in Kerberos. It offers a little more
flexibility for integrating AD users to an IPA managed POSIX realm without
conflicting with the existing method. It also makes possible the management of
inter-organizational cross realm operation using PKINIT. Finally, it describes
an interface between the IPA server and Ipsilon (or any identity gateway), and
a mechanism by which Ipsilon may acquire TGTs for the local realm on behalf of
clients who authenticate via remote, non-Kerberos identity providers. This last
workflow is generic and supports methods other than a web-browser.
Please take a look and help me improve it. Also, please educate me out of any
mistakes you detect. Part of the reason for doing this is for me to make sure I
learned Kerberos concepts correctly.
Freeipa-users mailing list