this post was submitted on 22 Jan 2024
40 points (97.6% liked)

Selfhosted

39937 readers
378 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
40
question about self hosting SSO for multiple domains and services. (lemmy.world)
submitted 9 months ago by [email protected] to c/[email protected]
20 comments fedilink hide all child comments
 

Hello, everyone. I am planning to set up Single Sign-On (SSO). I wonder if I can use something like Red Hat SSO with two separate domains. I have one domain for Windows AD and one for Linux IDM. My idea is to use Red Hat SSO so that both domains will be able to access the same services. For example, I have one Nextcloud instance, and I would like users from both domains to use it with SSO.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 9 months ago (3 children)

Authelia is popular, as is Keycloak. I believe Red Hat develops Keycloak or at least has a hand in it.

I'm on this journey as well, figuring out what I'm going to use. Currently most of my services just use LDAP back to AD but I'm looking to do something more modern like SAML, oAuth or OpenID Connect so that I can simplify the number of MFA tokens I have.

Just as an anecdote you may find useful - Personally I used to run an Active Directory for Windows and FreeIPA for my Linux machines and have managed to simplify this to just AD. Linux machines can be joined, you can still use sudo and all the other good stuff while only having one source of truth for identity.

[–] [email protected] 2 points 9 months ago (1 children)

Keycloak = XML pain.

[–] [email protected] 2 points 9 months ago

Haven't come across any xml during my deployment so far

[–] [email protected] 2 points 9 months ago (1 children)

you can still use sudo and all the other good stuff while only having one source of truth for identity.

I am aware that linux devices can join the AD domain. The reasons i setup up FreeIPA/IDM is the linux specific rules I can make. Like the Sudo rules for example. As far as i am aware you can not do this with a windows domain controller.

[–] [email protected] 1 points 9 months ago (1 children)

Depends on your use case, but you can use some Group Policy Objects on Linux (at least with sssd). See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

You can also grant sudo to AD group members in the sudoers file, which is how I've done it in a corporate setting.

I believe there are 3rd party ADMX templates you can add to your domain controllers to get more granular as well as additions to the AD schema, but I haven't gone that deep with it since between sssd and the sudoers file I can achieve what I need to.

[–] [email protected] 1 points 9 months ago

Arnt GPOs on Linux very limited? Anyway to get some form of "policys" working I was thinking of using Ansible and playbooks to manage that portion anyway. (Next project).

[–] [email protected] 1 points 9 months ago

Looking for a good guide on getting this setup via docker and AD LDAP, any pointers?