Hello, everyone. I am planning to set up Single Sign-On (SSO). I wonder if I can use something like Red Hat SSO with two separate domains. I have one domain for Windows AD and one for Linux IDM. My idea is to use Red Hat SSO so that both domains will be able to access the same services. For example, I have one Nextcloud instance, and I would like users from both domains to use it with SSO.

  • @[email protected]
    link
    fedilink
    English
    1911 months ago

    Highly recommend Authentik for SSO.

    I run it on it’s own sub domain and all my other apps on their own sub domains.

    It has pretty much every login protocol you could want (oauth, saml, ldap) etc.

    Currently using it for jellyfin, immich, linkwarden, freshrss, and seafile.

    • Konraddo
      link
      English
      311 months ago

      Sorry for a noobie question. But when people say using SSO for internal apps, does it mean we only need to log in once and then the various apps won’t need us logging in again? And then the browser can stay connected for however long we want it to be?

      • @[email protected]
        link
        fedilink
        English
        311 months ago

        This is typically the case. Increasingly, self-hosted apps use integrated OIDC or OAuth but for those that don’t there are various other methods of integration into the SSO provider you’re using including forward auth and remote username. Authentik is nice in that it is also a forward-auth proxy and so you don’t need to use an additional oauth proxy software like oauth2-proxy.

    • @[email protected]
      link
      fedilink
      English
      311 months ago

      This is the way. I just hope they don’t start gatekeeping essential features behind the “enterprise” license. Already they have announced push-based 2fa (like Duo) will be enterprise which is a bit of a bummer but it’s honestly awesome software otherwise and beggars can’t be choosers!

    • @[email protected]
      link
      fedilink
      English
      211 months ago

      Does it work for multiple domains (not Subdomains)? I’m currently using authelia, which can’t do that, which sucks.

      • @[email protected]
        link
        fedilink
        English
        111 months ago

        I can’t imagine why it wouldn’t. The configuration just needs a URL, what domain they are actually on should be irrelevant.

        • @[email protected]
          link
          fedilink
          English
          111 months ago

          For authelia, iirc it’s a problem with the way cookies work, but also with how they set their system up structurally. I don’t know the details anymore.

    • @Haha
      link
      English
      111 months ago

      It it useful to use authentik with vaultwarden? Or is it redundant?

      • @[email protected]
        link
        fedilink
        English
        111 months ago

        They don’t really do the same thing. I use both. Authentik provides 1 password/account for all my self hosted apps. Along with other people that use my services. I create one account on authentik and suddenly they can access everything.

        I then save that password in vaultwarden.

        For what it’s worth I don’t use SSO for my vault warden master password, that is a separate password not saved anywhere

        • @Haha
          link
          English
          111 months ago

          Does it mean each time you host a new app you have to tie it to authentik? I will read aboot it later

          • @[email protected]
            link
            fedilink
            English
            211 months ago

            Yes, when you look into a new self hosted app, you have to check if they offer some kind of SSO option. Authentik can pretty much do every protocol there is. Each all will have different instructions on how to set it up.

        • @Haha
          link
          English
          111 months ago

          I see thank you :)

  • @[email protected]
    link
    fedilink
    English
    711 months ago

    Authelia is popular, as is Keycloak. I believe Red Hat develops Keycloak or at least has a hand in it.

    I’m on this journey as well, figuring out what I’m going to use. Currently most of my services just use LDAP back to AD but I’m looking to do something more modern like SAML, oAuth or OpenID Connect so that I can simplify the number of MFA tokens I have.

    Just as an anecdote you may find useful - Personally I used to run an Active Directory for Windows and FreeIPA for my Linux machines and have managed to simplify this to just AD. Linux machines can be joined, you can still use sudo and all the other good stuff while only having one source of truth for identity.

    • @kylian0087OP
      link
      English
      211 months ago

      you can still use sudo and all the other good stuff while only having one source of truth for identity.

      I am aware that linux devices can join the AD domain. The reasons i setup up FreeIPA/IDM is the linux specific rules I can make. Like the Sudo rules for example. As far as i am aware you can not do this with a windows domain controller.

      • @[email protected]
        link
        fedilink
        English
        111 months ago

        Depends on your use case, but you can use some Group Policy Objects on Linux (at least with sssd). See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

        You can also grant sudo to AD group members in the sudoers file, which is how I’ve done it in a corporate setting.

        I believe there are 3rd party ADMX templates you can add to your domain controllers to get more granular as well as additions to the AD schema, but I haven’t gone that deep with it since between sssd and the sudoers file I can achieve what I need to.

        • @kylian0087OP
          link
          English
          111 months ago

          Arnt GPOs on Linux very limited? Anyway to get some form of “policys” working I was thinking of using Ansible and playbooks to manage that portion anyway. (Next project).

    • @TCB13
      link
      English
      211 months ago

      Keycloak = XML pain.

      • @LufyCZ
        link
        English
        211 months ago

        Haven’t come across any xml during my deployment so far

    • @bless
      link
      English
      111 months ago

      Looking for a good guide on getting this setup via docker and AD LDAP, any pointers?

    • @TCB13
      link
      English
      111 months ago

      bad bot.