From: Krzysztof B. <go...@ic...> - 2015-01-20 09:45:28
Dear Jeroen,

On 19.01.2015 at 20:38, Jeroen Roodhart wrote:
> Dear list,
>
> You probably get this asked a lot, but I'll try anyway :)
>
> We are considering Unity in hopes that it provides a way to tie many
> identity and authorisation providers in such a way that it can be used
> to provide system level (PAM) access to Linux/Unix servers (and
> services such as iRODS).
>
> Are you considering developing say a LDAP/AD endpoint for Unity?

Maybe not a lot, but you are right - such a question was asked.

And yes, I agree that an LDAP endpoint is the best way to integrate Unity with PAM. That said, such an implementation is considered, but it is pretty low on the priorities list. This is because of its minimal usefulness and the very big effort needed to implement it.

The root of all evil is that the most popular distributed authentication protocols - OAuth2/OIDC and SAML Web SSO - are web based by design. I.e. the protocol spec assumes that a principal being authenticated uses a web browser, dot. Yes, there is the SAML ECP profile which would be suitable, and it is also (I guess) possible to create a non-browser login under the OAuth umbrella, but the reality is that IdPs do not (widely) support anything like this.

All in all, an LDAP endpoint in Unity would allow you to perform authN against credentials stored in Unity or against another LDAP server. Not much, I'm afraid.

Another option is to simulate a web browser in Unity so it will log in on the user's behalf, but such an approach is extremely hard to maintain and limited, as IdP login forms do differ a lot.

Best regards,
Krzysztof