On 09/11/2021 06:40, Alexander Bokovoy wrote:
On Tue, 09 Nov 2021, Fraser Tweedale wrote:
> On Mon, Nov 08, 2021 at 09:45:39PM +0000, lejeczek via FreeIPA-users wrote:
>> Hi guys.
>>
>> I've only stumbled upon the whole Keycloak thing, thus go easy on me please. I
>> wonder if Keycloak can be a "provider" to freeIPA in some way?
>> One such scenario where I think Keycloak might be a golden egg - if it
>> worked that is - is as a "middle-man" for user base between (or from to) AD
>> and freeIPA when full & legit trust is not possible.
>> Does that make sense?
>>
>> many thanks, L.
>>
> Hi L,
>
> It does make sense, and IIRC it is being worked on. That is,
> authenticating to FreeIPA realm as "external identities" by way of
> SAML or OpenID Connect assertions.
>
> Adding Alexander, who may be able to comment further.
There is ongoing work to enable this feature. It is not ready yet for
any testing as we had been distracted with more important work[1]
recently. Hopefully, we'll get back to external IdP support[2] relatively
soon.
[1] https://lists.samba.org/archive/samba-technical/2021-November/136978.html
[2] https://github.com/abbra/freeipa/blob/external-idp/doc/designs/external-i...
Even if it's only me who is euphoric about this idea, I can still
say - that should be a killer feature when implemented.
many! thanks. L