As announced in the last report, i started looking into SSO solutions and evaluated and tested them. At the begining my focus was on SAML integration, but i soon realized that OAuth2 would be more important.
I started with installing Lemonldap-NG. LL-NG is a WebSSO solution writting in perl that uses ModPerl or FastCGI for delivering Webcontent. There is a Debian package in stable, so the installation was no problem at all. The configuration was a bit harder, as LL-NG has a complex architecture with different vhosts. But after some fiddling i managed to connect the installation to our test LDAP instance and was able to authenticate against the LL-NG portal. Then i started to research how to integrate an OAuth2 client. For the tests i had on the one hand a gitlab installation that i tried to connect to the OAuth2 providers using the omniauth-oauth2-generic strategy. To have a bit more fine grained control over the OAuth2 client configuration i also used the python requests-oauthlib module and modified the web app example from their documentation to my needs. After some fiddling and a bit of back and forth on the lemonldap-ng mailinglist i managed both test clients to authenticate against LL-NG.
The second solution i tested was Keycloak, an
identity and access management solution written in java by Redhat. There is no
debian package, but nonetheless it was very easy to get it running. It is
enough to install
jre-default from the package repositories and then run the
standalone script from the extracted keycloak folder. Because keycloak only
listens on localhost and i didn’t want to get into configuring the java
webserver stuff, i installed nginx and configured is as a proxy. In Keycloak
too the first step was to configure the LDAP backend. When i was able to
successfully login using my LDAP credentials, i looked into configuring an
OAuth2 client, which wasn’t that hard either.
The third solution i looked into was
Glewlwyd, written by babelouest.
There is a Debian package in buster, so i added the buster sources, set up apt
pinning and installed the needed packages. Glewlwyd is a system service that
listens on localhost:4593, so i also used nginx in this case. The configuration
for the LDAP backend is done in the configuration file which is on Debian
/etc/glewlwyd/glewlwyd-debian.conf. Glewlwyd provides a webinterface for
managing users and clients and it is possible to store all the values in LDAP.
The next steps will be to test the last candidate, which is
ipsilon and also
test all the solutions for some important features, like multiple backends and
exporting of configurable attributes. Last but not least i want to create a
table to have an overview of all the features and drawbacks of the solutions.
All the evaluations are public in a salsa
I also carried on doing some work on
nacho, though most of the issues that
have to be fixed are rather small. I reguarly stumble upon texts about Python
or Django, like for example the Django
NewbieMistakes and try to
read all of them and use that for improving on my work.