Shibboleth IdP
-
https://www.shibboleth.net/products/identity-provider/
Docs: https://wiki.shibboleth.net/confluence/display/IDP30/Home
Shibboleth is notoriously tough to get deployed, but in the more controlled/predictable environment of Cloudron, it would be hugely simplified. This would allow a great to have a way to make Cloudron a truly authoritative system of record for user authentication across cloud solutions, including SaaS products that can't be self-hosted.
To be fair, this one might be a bit too much of a beast; an alternative like LL::NG (https://lemonldap-ng.org/welcome/) are better-dockerized and close enough on feature parity that it may be preferable.
-
Something like shibboleth would probably work way better as a native functionality (your own cloudron identify provider) than as an app. While I personally would no longer bet on SAML I would welcome to have a official openid connect support in Cloudron. There is already oauth 2.0, so it should not be too hard to make this openid connect compatible if there is enough request for it.
-
Agree with @fbartels that identify providers are probably better suited to be delivered from the platform, so other apps can be well integrated and tested. I don't really know shibboleth but openID seems to be supported by various apps as well, but I don't know the internals of that when it comes to how the apps have implemented support for it. If it is similar to OAuth where parts like user listing or profile email update within the app practically does not exist, then LDAP is likely still preferred.
-
Yeah, I can get behind that school of thought. Good points made, and given full ability to pick and choose, I'd lean away from SAML, but it is one of the more widely supported options for SSO.
Specifically here, I was thinking about SSO for external services, like a SaaS product, especially one without an on-prem variant that could run on Cloudron, so that you can make the Cloudron user store an authoritative source of truth for necessarily off-Cloudron products.
-
Thinking about it, if there were going to be a bigger, badder SSO solution "baked in" to the platform, keycloak (https://www.keycloak.org) may be the better tool to close some of that gap than Shibboleth for the job (OpenID Connect, OAuth 2.0, and SAML support built-in; similar flexibility on the backend). My main thought in the use case of SSO apps is that SSO as a platform component is, to date, a platform-internal feature, and I think there's a huge benefit to being able to essentially treat Cloudron as your authoritative directory / user store and leverage it for SSO with SaaS and other strictly off-host products.