On 06/23/2016 10:00 AM, Bruno Oliveira wrote:
> Good morning,
>
> One of the use case scenarios described for FreeIPA is the integration via PAM
> and SSSD, which "automagically" handles the authentication against the IdM.
> This first step requires pretty much an IPA setup, but
> works with libpam4j[1]. Now, thinking about Keycloak, I
> would like to have an Authenticator for PAM[2], which is pretty much our
> UsernamePasswordForm + PAM. Does it make sense?
>
> Current flow:
>
> * User logs into Web application with username/password
> * PAM authenticator collects data and authenticates against PAM
> * SSSD authenticates against IdM
> * Authentication is complete
>
> After the last step, should we propagate that user to our database?
> Maybe, like Marek already mentioned, have an SSSDFederationProvider?
>
> [1] -
> http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9...
> [2] -
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...
Simo brought up a concern after forwarding this to our internal identity
team list. His comment is:
> Current flow:
> * User logs into Web application with username/password
> * PAM authenticator collects data and authenticates against PAM

I am worried about how these 2 steps are expressed, it seems to imply PAM
is used only as a username/password verifier.
There is no mention/awareness of PAM conversations where we can prompt
for things like second factors or password changes.
--
John
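To make both halves of the thread concrete (Bruno's "UsernamePasswordForm + PAM" flow and Simo's point about PAM conversations), here is an added sketch of what such a Keycloak Authenticator would look like on top of libpam4j. This is example code written for this thread, not code from Keycloak, libpam4j or FreeIPA. It assumes a PAM service file named `keycloak` (hypothetical) that routes to pam_sss, that the Keycloak user already exists locally (the federation-provider question from the mail is left open), and it omits the AuthenticatorFactory needed to register the class. The comment in step 2 is the crux of Simo's concern: `PAM.authenticate(user, password)` answers the PAM conversation with the one password it was given, so a module that prompts for a second factor or a password change has no way to reach the browser through this call.

```java
package org.example.pam; // hypothetical package for this example

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/** Username/password form whose credential check is delegated to PAM (illustrative only). */
public class PamAuthenticator implements Authenticator {

    // PAM service name: assumes /etc/pam.d/keycloak exists and uses pam_sss (assumption).
    private static final String PAM_SERVICE = "keycloak";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Step 1: render the ordinary username/password form.
        Response challenge = context.form().createLoginUsernamePassword();
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String username = formData.getFirst("username");
        String password = formData.getFirst("password");
        if (username == null || username.isEmpty() || password == null) {
            rejectWithLoginForm(context, AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        // Step 2: hand the pair to PAM. libpam4j replies to the PAM conversation with the
        // single password supplied here; there is no callback through which a module could
        // ask the user for an OTP or a new password. Any such prompt ends as a failure.
        UnixUser unixUser;
        PAM pam = null;
        try {
            pam = new PAM(PAM_SERVICE);
            unixUser = pam.authenticate(username, password);
        } catch (PAMException e) {
            // Same generic error as for an unknown user, so the form does not reveal
            // which of the two failed.
            rejectWithLoginForm(context, AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        } finally {
            if (pam != null) {
                pam.dispose();
            }
        }

        // Step 3: Keycloak needs a UserModel for the session. Without a federation
        // provider the user must already exist in the realm; an SSSDFederationProvider
        // would be the place to import it on first login.
        UserModel user = context.getSession().users()
                .getUserByUsername(unixUser.getUserName(), context.getRealm());
        if (user == null) {
            rejectWithLoginForm(context, AuthenticationFlowError.INVALID_USER);
            return;
        }
        if (!user.isEnabled()) {
            context.failureChallenge(AuthenticationFlowError.USER_DISABLED,
                    context.form().setError(Messages.ACCOUNT_DISABLED).createLoginUsernamePassword());
            return;
        }
        context.setUser(user);
        context.success();
    }

    // One error path for every credential failure: PAM says no, user missing, etc.
    private void rejectWithLoginForm(AuthenticationFlowContext context, AuthenticationFlowError error) {
        Response form = context.form().setError(Messages.INVALID_USER).createLoginUsernamePassword();
        context.failureChallenge(error, form);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

Supporting Simo's use cases (second factor, expired password) would mean driving the PAM conversation callback yourself instead of calling `authenticate(user, password)`: each PAM prompt becomes a further challenge to the browser, and the answer is fed back into the same PAM handle, which in turn requires keeping that handle alive across HTTP requests. That is a different design from the one-shot verifier above, which is the point of the objection.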