SCIM a NEW "LDAP" STANDARD

On top of these,

Also for reference:

Zitadel: ZITADEL • Identity infrastructure, simplified for you
Looks mature and promising,
written in the same language as NethServer 8.
I think Zitadel and goauthentik are competing at almost equal levels.

KANIDM: Kanidm
It should be noted that this does not yet support SCIM, but it is planned:
SCIM Implementation · Issue #211 · kanidm/kanidm (github.com)

But it has replication, which might be a plus for the new NS8 architecture.

Also, SAML is not yet supported and will not be supported until 2.0 is released.

I also came across this for implementing SCIM in any Golang-based project: elimity-com/scim: Golang Implementation of the SCIM v2 Specification (github.com)


I have been brainstorming on these and felt maybe I should share them with the community in the open.
They could give some insight on the possible SSO modules.

The new Microsoft authentication service for enterprise syncs with SCIM:

SCIM synchronization with Microsoft Entra ID - Microsoft Entra | Microsoft Learn

Apple now supports SCIM:
Do more with Managed Apple IDs - WWDC23 - Videos - Apple Developer
Check the 17-minute mark.

SalesForce: SCIM and REST API Reference Sheet (salesforce.com)

Gitlab has SCIM: Configure SCIM for GitLab.com groups | GitLab

Slack also Provisions with SCIM: Provisioning with SCIM | Slack

Okta here: What is SCIM? | Okta

and by extension Auth0: System for Cross-domain Identity Management (SCIM) (auth0.com)

So basically, pretty soon, to be able to sync user identities with external third-party tools, you might be better off using SCIM.

Plus, if I am not wrong, with SCIM you could have more than one identity provider, with each record being updated regardless of where it was updated from.

Authentik has support for SCIM here: SCIM Provider | authentik (goauthentik.io)

Using projects like this, elimity-com/scim: Golang Implementation of the SCIM v2 Specification (github.com),

SCIM could be implemented natively into NethServer, which is actually the best option; it would work as both a server and a client.

Then, when you implement other SSO solutions, SCIM could be used as the communication model.

Zitadel, the coolest of the bunch, I think has plans for supporting it here: SCIM 2.0 Support as client and server · zitadel/zitadel · Discussion #1931 (github.com)

Kanidm is focusing on implementing SCIM here: SCIM Implementation · Issue #211 · kanidm/kanidm (github.com)

Now, of all the bunch of SSO providers,

I think you guys should focus on looking at four:

Goauthentik

Too hippy; the future is not set in stone, and you'd rather go with the older companions like Keycloak, Gluu (Janssen), etc.

Zitadel

A newer bunch, handles things a bit differently, would be cool to have.
Has a robust and beautiful interface.
Has multi-tenancy support.

KANIDM

The newest of the bunch,
looking to disrupt the SSO market with its solution and its implementation.
Not sure about its interfaces (no admin interface yet).
I think you can grow with it better and easier than with the others.
Has replication built in.

Gluu, JanssenProject/jans: An open source enterprise digital identity platform that scales: Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO (github.com)

So now that we have three left, Janssen, Kanidm and Zitadel: Janssen has SCIM, but both Kanidm and Zitadel don't have SCIM yet, though they will support it.
I think Kanidm might support it faster than Zitadel.

After reading through the Zitadel documentation, I can see that it is possible to implement the Zitadel LDAP configuration during installation and even with the provided Docker Compose.
Janssen, which was formerly called Gluu, has all the bells and whistles required.

Configure Local OpenLDAP as an Identity Provider in ZITADEL | ZITADEL Docs

Compose here: Set up ZITADEL with Docker Compose | ZITADEL Docs

PS: I don't think there is any fault in supporting more than one SSO module in NS8; after all, NethServer is a platform.

Just the initial official module needs to check a lot of boxes, and since there was consideration for possibly implementing an own interface, I think some of the SSO platforms make it easier to do so, or one could even use the one with no available admin interface.

Others make more sense to just use as is. Overall, there are others that are simple enough that the community might implement a community module for them, leaving the dev team with an easier choice,
or rather the devs could choose which implementations are official and which ones are community.

Some are easy to use, while others are extremely complex.


JFYI,

way too much text, so I skipped reading it.


I think you’re “drooling” for this - a nightmare for almost ALL my clients!

“sync User Identities with external third party tools” is probably illegal in Europe for almost everything!

Only a really stupid enterprise or state entity would opt for “Microsoft Authentication”, but it's probably a sure way to get more Chinese “readers”…


And then the finger-pointing game starts when things go south. No account provider wants to have responsibility when a third party has “write” permissions… So SCIM becomes the default “blame boy”, whether true or not.

This then actually becomes the major problem, not a “feature”:

“regardless of where it was updated from”


I still see NO NEED for any of this in the SME (small, medium enterprises) market.

I actually do see major faults in this logic…

Introducing “new” tools no SME has a need to use will introduce new risks, wrongly configured services, etc. Most of these errors will occur on the extreme low-end side: users with less budget, know-how and/or experience, often under the mistaken concept that this new tool will make it possible to use this with no budget or know-how…

So more “free” support on subjects not normally covered…

This all sounds like a company with 2 employees, but on the Organigram, there are twenty plus departments…

NethServer is a platform aimed at small and medium enterprises and home users, not at globally operating enterprises or large cloud entities…


My two glowing pieces of coal
Andy

Avocatus Diabolis


Well, absolute statements like this will usually be wrong, but I think this really is the question for me as well: Martin, what benefit do you see from SCIM for an organization with, say, no more than 50 users? Or maybe no more than 20? Sure, it looks like it’s teh new hawtness, but what real benefit does it bring?

I see two major features in your post:

  • “sync user identities with external third party tools”, and
  • “more than one identity provider”

Leaving aside the question of whether and under what circumstances this is legal (silly EU and their GDPR), why do you see it as being desirable? In particular, why do you see it as desirable for a small organization, which is the target market (AFAIK) for NS? Because maybe my imagination just sucks, but I can’t really see a reason that either of these would be beneficial in that setting.

This is completely impractical IMO. As you say, it would need to be deeply integrated into the system, which would almost certainly take a great deal of work. I’d think there would need to be a very strong reason to duplicate that work for a second (or third, or whatever) SSO system.

I’ve seen some of the Neth folks say they intend to have an official SSO system (Authentik, IIRC). It makes sense, all other things being equal, to use as full-featured a system as possible–surely it ought to support OIDC, SAML, and CAS. Maybe there’s a good reason to spec SCIM support as well, and if Authentik is the tool they’re using, it (per your post) would fit the bill. But the question remains, what major benefit(s) does this bring to the small organization?

The sentiments more than correspond to the fact that:

  1. NethServer will not be used by one or two but by maybe thousands of organizations.
  2. While the NethServer dev team will choose or decide the identity provider to use, the community is able to implement a community-supported one, or the one they prefer, the same way we have WebTop and SOGo: they both do the same function, but why do we have WebTop, SOGo and webmail? We could have easily had WebTop only.
  3. All large enterprises begin as SMEs, including Microsoft, Oracle, Google and all the others, even recently the likes of Notion, Trello (before acquisition) and others.

What NethServer is offering the SME is the standard for corporates, brought to the SME; otherwise no small SME wants to manage their own mail server, file server, etc. They would rather outsource or buy MS365.

Coming back to my industry, an average small SME in the IT and software space uses an average of 20 tools.

  1. Slack and its brothers for communication
  2. GitHub and its cousins, for repos
  3. A wiki for their software and tools
  4. Email system and server
  5. Accounting software
  6. CRM system (assuming they have a strong marketing and sales department)
  7. Internal computers and logins
  8. Servers managing their websites and code
  9. Login to their websites
  10. Automation tools like Make, n8n and Zapier
  11. Bulk SMS/email marketing solutions and systems
  12. API integration platforms, e.g. Paystack, PayPal, Stripe, etc.
  13. Website monitoring (could be Google, Matomo or Piwik PRO)
  14. Product monitoring (PostHog and others)
  15. Data tools and maybe data aggregation tools (assuming they crunch a lot of data)
  16. Database management tools and similar
  17. Design and prototyping tools (Figma, Octopus.do, …)
  18. Possibly a password manager somewhere

This is just a hypothetical scenario for the small IT firm, the SME as you call it.

Is Nethesis an SME or an enterprise? I know they are using almost the given number of tools:

GitHub, Docker, Discourse, DokuWiki, Trello, Figma, Mattermost, maybe Nextcloud, maybe…
Where does the SME level end?

Some of the tools could be easily replaced by one tool.

MS365 will replace a huge number of the tools, an Azure subscription as well; a Zoho One subscription for $50 per user per month could replace a lot more.

But still there will be some other pain-point areas and tools that don't fit the bill. Maybe an Oracle or SAP subscription could solve that.

Either way, for an organization to maintain some level of control over all these tools, they need an identity manager. AD fits the bill, but let's be honest, AD was not designed for the cloud.

That's why we have OIDC, OAuth2, SAML and cousins. Now everyone seems to be phasing out SAML in favour of SCIM. Do we not want to support SCIM, just because? Hell no; it's like saying let's not support Let's Encrypt because there are commercial and self-signed certs that would still do the job.

@danb35 I am guessing you're not in the corporate enterprise category; if so, then why were you interested in SSO for SSH authentication?

While SCIM can complement AD at the moment, in the near future it may replace or phase it out completely.

Implementing an SSO module that does not support SCIM or has no immediate plans for supporting SCIM, if SCIM is not built into NethServer, I am sure to say would be a wasted effort, and in the near future you might be forced to come back to the drawing board.

As with all things, not everything is mandatory. After all, NethServer 7 has operated perfectly OK without an SSO module until @danb35 gave us LemonLDAP::NG.

I will be honest, the first real productive use case on my end of SSO has been with LLNG, courtesy of Dan's module.

But as I have used it, gotten accustomed to it, and learnt a lot more about its implementation and how we can as well implement it in the software we are building, the more I have the need for more.

Operating from Africa, in a country where our exchange rate to the dollar has increased 60% in less than 6 months, I know the pain of paying for subscriptions for every tool you need to use, especially if the pricing model is in dollars and not designed for the African market. I try to the best of my ability to squeeze every cent out of a dollar.

While $50 on your end could only afford a cup of coffee, on my end it's able to pay an entire month's rent somewhere, or even not-so-fast internet for use in the office.

I asked a simple question. You used almost 800 words to not only not answer it, but mostly to not say anything even related to it. I guess that’s up to you–and I’m certainly not the person you need to convince–but if you want SCIM support in Nethserver, I think it’s a question you need to be able to clearly answer. Unless it’s just obvious to everyone but me, which I guess is possible, but that doesn’t seem to be the case here.


@oneitonitram

A very, very narrow view of things and real life.

Of my 30+ clients, none do programming, so Slack, Mattermost or typically any software with “agile” in its description, almost always referring to “agile” programming, and almost “cult”-like!
Some are in IT, but services, and don't need programming tools.


Maybe in Africa, Asia and South America, but hereabouts, start spamming and you're blacklisted.
No one wants spamming except spammers!

All the fake marketspeak of these guys: “Leads”: Any stolen E-Mail becomes a lead is simply NOT true.


Maybe more important as to the relevance of an “IT company” as a typical SME:
How many would potentially choose NethServer, and how many would opt to do their own, using Debian, Ubuntu or even a BSD variant to run their choice of stuff? I am talking about guys with know-how…

If they don’t have know-how, they simply won’t “grow” and thus will never become an Enterprise!


AFAIK, most NethServer users are in Europe, closely followed by North and South America.
Africa and Asia are last on the lists.
I think @alefattorini could confirm this.


My 2 cents
Andy



Let’s be honest here:

Exactly SAP and Oracle are the very typical tools an Enterprise uses on site, as these handle very confidential data.

Oracle does have some use in big data handling, but then again, this is an area which doesn’t need an Identity Manager, as this data is only for a small circle of people. On top of it, it’s an entirely different set of shoes than the typical ERP in large organisations / enterprises.

My 2 cents
Andy


If you've gotten used to having an SSO tool, and are into programming (also for clients), I don't see why or what stops you from implementing your own VM with Debian or whatever OS, and the SSO of your choice, and using that to couple the AD or LDAP in NS8 with whatever tools need SSO integration for your business.

Can you give an answer to this?

Without an answer, I'd have to assume the two "L"s…, either laziness or lack of know-how.

I also do not think you've ever run into a “race condition” with 2-way sync of identity, different restrictions on password complexity or any of the plentiful headaches SSO can bring.
It can easily turn out to be a case of too many cooks ruin the brew!

Most SSO systems typically use one way sync exactly because of this, and very strict rules…


Sorry for being so harsh, but as both Dan and LayLow have mentioned, very, very long-winded, without any real statement in all those words. Where's the beef?

My 2 cents
Andy


Actually, I can, and have done so, the same with all the other tools.
It's possible to deploy Nextcloud in a normal cPanel, it's possible to deploy Zammad in a normal cPanel, and it's possible and actually easy to deploy Vaultwarden using Coolify.
Webmail is already the default webmail client for 90% of hosting control panels.

Email: Zimbra can do it; recently someone posted Zitadel; there is now Carbonio, etc.

It's not a question of whether it's possible or not to deploy on other platforms; in some cases it could be even easier to do so. It's a question of how we build NethServer into a product that most SMEs would want to use.

Someone may choose to use NethServer just because it implements Nextcloud better, someone else because they need AD, another person because it has WebTop or a mail server, etc.

If all is set in stone, why then did the developers go through a lot of trouble to implement the community NethForge repo?

Why does it have a module system? They could have built the thing as a monolith to do just Nextcloud, AD and the like. Why did they choose to separate the firewall from the main NethServer?

It's because they wanted NS to grow beyond a firewall, and wanted the community to be engaged and contribute.

Otherwise we'd only have the Neth repo, and that's it.

This could actually be a very wonderful reason why someone might want to choose Nextcloud.

It's possible to install KVM and virtual things inside Linux; why do you use Proxmox?

There is no beef; sharing is caring. Everyone in the community has a part to contribute.

For example, I have not generally tested NethSecurity because I don't know much about firewalls and wouldn't know if something is a feature or a bug; I use the bare minimum configs. But for what I know, I stick my head in.

@oneitonitram

Well, AFAIK, you were the only one besides Dan using his SSO productively.

I do not see much positive feedback on any of your SSO posts…

SSO is an interesting subject, I’ve been dealing with SSO for over 20 years, so maybe I do have some experience in this subject.
Yet it was never for an SME, it was always only for BIG enterprises, who had the small change needed to implement all the details well in such tools.

IMHO, the interest in this community / forum for SSO on NS8 seems extremely low. The general consensus seems to be anyone who needs SSO is free to create a module / container / VM to handle the job.

I'm using the word “seems” as I don't have any polling stats nor actual data from the forum system (Discourse). I'm judging from feedback in the forums and my memory of the posts…

I don’t think a lack of knowhow should enable a fool to dabble with things he doesn’t understand.

It’s like allowing a common user to run a mail system. It will become a spam gateway, that’s all!

Nothing wonderful about that!

The most dangerous fools are the ignorant ones!

KVM doesn't handle backups like PBS does with Proxmox! Very simple!

As a commercial supplier of services, it’s a BIG advantage to use commercial, supported tools. KVM alone is something for freaks. Proxmox is here on a different league. And yes, all my clients use a paid license for Proxmox…

→ A very narrow view of the world…
I do hope that’s not a continental issue, having a narrow minded view of the world.

As I do not support SSO on NethServer NS8 specifically, I will ignore future posts on this subject as too time consuming and leading nowhere…

Over and out!
No hard feelings intended, but my personal opinion.

And to be honest, I would drop NethServer, if release is delayed due to SSO, a Feature that was never part of NethServer…

After RedHat's betrayal and lying, I'm a bit susceptible on such issues!

My 2 cents
Andy


I’m a big proponent of SSO. I’ve put no small amount of work into making it work with Nethserver. And if Nethesis are going to put SSO into NS8 (as they’ve mentioned up-topic they intend to), and SCIM is a growing standard for SSO, I’d just as soon, all other things being equal, they work with a product that includes it rather than one that doesn’t.

But Martin, you seem to be putting a pretty high priority on SCIM. So, to repeat the question I asked back in October (and again earlier this evening), why? What does it bring to the table–in the context of a small organization, which is what NS8 is designed to serve–that existing protocols don’t?

AWStats shows about 60 downloads of my RPM between 2022 and 2023. Hardly a ringing endorsement (automx, self-service-password, and acme-dns are all more popular), but it does tend to suggest there are other users.

But it’s also important to keep in mind that, even with my module, LLNG isn’t the easiest thing to configure. I’d expect interest would be a bit higher in a better-integrated solution.

You mention that SSO tends to be reserved for big business. I’m not sure how accurate that is any more, with as popular as “Log in with Google/Facebook/Microsoft/GitHub” is becoming (all of which are a form of SSO, but remotely hosted), but even leaving that aside, I think there’s a definite place for it in the small organization as well. The IAM piece of it wouldn’t be as relevant–you’d most likely have all users have access to all, or at least most, of the services on the server. But given that that’s the case, it seems silly for the same user to have to log in separately to SOGo, Nextcloud, and Mattermost (to give three examples), when all three are running on the same server for the same organization. And I think that’s a feature that would be viewed as beneficial by lots of users, even if most wouldn’t put a lot of work into making it happen. Even for a home environment this can be helpful.

I’m agnostic as to which solution the devs implement, and I’m far from sold on SCIM. But it looks like the devs do plan to implement a SSO system, and if they do that right that can be a pretty significant convenience for users of the server.


With SCIM, user identities can be created directly in a system like Keycloak, or within AD, the way NS does it, or even the user created in the accounting software can be imported into the identity manager.

If my HR manager only has access to the HR system and a new employee is added, the user is created in SCIM as well, and IT is happy.

Unlike an email needing to be sent to IT to create the new user. When a user is fired by HR, they are disabled and are deprovisioned in SCIM.

SCIM is a REST- and JSON-based protocol that defines a client and a server role.
A client is usually an identity provider (IdP) like LLNG, that contains a robust directory of user identities.

A service provider (SP) is usually a SaaS app, like Slack,
that needs a subset of information from those identities.

When changes to identities are made in the IdP, including create, update, and delete, they are automatically synced to the SP according to the SCIM protocol. The IdP can also read identities from the SP to add to its directory and to detect incorrect values in the SP that could create security vulnerabilities.

For end users, this means that they have seamless access to applications for which they’re assigned, with up-to-date profiles and permissions.

Since it's RESTful, it's easy to implement; even NS can adopt it, for NethServer-based systems like Mail, NethVoice and others.

Some apps can do what is called “just-in-time access/provisioning” when logging in via Keycloak/LLNG (OpenID Connect), where it will create a new user and update it with the information received from Keycloak/LLNG.

Whereas all of the provisioning in OpenID Connect happens when you log in, SCIM does it automatically in the background.

So for user management SCIM has a handful of advantages over Keycloak/LLNG (OpenID Connect):

  • It creates the user before they login, as an example this allows you to assign “tasks” or similar to the user before they login the first time
  • It deletes the user again
  • It can create and update roles and groups

The combination of Keycloak/LLNG and SCIM gives you the best coverage of user identity management in a third-party application.

SCIM is a communication standard,

While SCIM and single sign-on (SSO) work together, each serves a different purpose. SCIM provides an easy way to provision users’ access across multiple domains, whereas SSO performs SCIM authentication by verifying users’ credentials.

What Is SCIM Provisioning? How It Works, Benefits, and More | StrongDM

@danb35 I have explained these principles countless times, and I am left wondering when you say I have not explained why it makes sense.
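The exchange described in the post above, as an added example that is not part of the original thread and not code from any project named in it: the core of a SCIM 2.0 service provider in Python, with the HTTP layer abstracted away so it runs offline. It handles the IdP-side pushes the post lists (POST to create, PATCH with active=false to deprovision, GET with a filter to look up, DELETE) and adds the checks a practitioner would want: a bearer token compared in constant time before anything else is processed, case-insensitive userName uniqueness so a second POST cannot shadow an existing account, an atomic PATCH, and strict boolean parsing of active, because some SCIM clients send it as the string "False" and bool("False") would leave a fired employee enabled. The class and function names, the token and the sample user jdoe@example.org are constructed for the example; only the schema URNs and scimType values come from RFC 7643/7644.

```python
import hmac
import re
import uuid

# Added example for this thread, not code from any project it names: the core of a
# SCIM 2.0 service provider (subset of RFC 7643/7644) with HTTP abstracted away.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'^(\w+) eq "([^"]*)"$')  # only `attr eq "value"` is supported

def scim_error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, ({**body, "scimType": scim_type} if scim_type else body)

def as_bool(value):  # strict: bool("False") is True, so never call bool() on input
    if isinstance(value, str):
        value = {"true": True, "false": False}.get(value.lower())
    return value if isinstance(value, bool) else None  # None means invalid

class ScimServiceProvider:
    def __init__(self, bearer_token):
        self._token = bearer_token
        self._users = {}  # id -> SCIM User resource

    def handle(self, method, path, query=None, body=None, auth=None):
        # The token is all that guards an endpoint that creates and disables
        # accounts: check it before anything else, in constant time.
        if not (auth and auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self._token)):
            return scim_error(401, "invalid or missing bearer token")
        m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
        if not m:
            return scim_error(404, "unknown resource")
        uid = m.group(1)
        if uid is None:
            routes = {"POST": lambda: self._create(body or {}),
                      "GET": lambda: self._search((query or {}).get("filter"))}
        elif uid not in self._users:
            return scim_error(404, "user not found")
        else:
            routes = {"GET": lambda: (200, self._users[uid]),
                      "PATCH": lambda: self._patch(uid, body or {}),
                      "DELETE": lambda: (204, self._users.pop(uid) and None)}  # 204 has no body
        return routes[method]() if method in routes else scim_error(405, "method not allowed")

    def _create(self, body):
        name, active = body.get("userName"), as_bool(body.get("active", True))
        if USER_SCHEMA not in body.get("schemas", []) or not name or active is None:
            return scim_error(400, "User schema, userName and boolean active required", "invalidValue")
        # userName is caseExact=false: "JDoe@x" must not create a second "jdoe@x"
        if any(u["userName"].lower() == name.lower() for u in self._users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        self._users[uid] = user = {"schemas": [USER_SCHEMA], "id": uid, "userName": name, "active": active,
                                   "meta": {"resourceType": "User", "location": f"/Users/{uid}"}}
        return 201, user

    def _patch(self, uid, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required", "invalidSyntax")
        draft = dict(self._users[uid])  # apply atomically: all operations or none
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("add", "replace"):  # clients send "Replace" too
                return scim_error(400, "unsupported op", "invalidSyntax")
            changes = {op["path"]: op.get("value")} if "path" in op else op.get("value")
            if not isinstance(changes, dict):
                return scim_error(400, "value must be an object when path is absent", "invalidValue")
            for attr, value in changes.items():
                if attr == "active" and (value := as_bool(value)) is None:
                    return scim_error(400, "active must be boolean", "invalidValue")
                draft[attr] = value
        self._users[uid] = draft
        return 200, draft

    def _search(self, flt):
        m = FILTER_RE.match(flt) if flt else None
        if flt and not m:
            return scim_error(400, "unsupported filter", "invalidFilter")
        users = [u for u in self._users.values()
                 if not m or str(u.get(m[1], "")).lower() == m[2].lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users), "Resources": users}

def joiner_leaver_flow(token="example-token"):
    """The HR-driven flow from the post as an IdP pushes it; returns what the SP answered."""
    sp, auth = ScimServiceProvider(token), "Bearer " + token
    joiner = {"schemas": [USER_SCHEMA], "userName": "jdoe@example.org"}  # constructed sample
    create, user = sp.handle("POST", "/Users", body=joiner, auth=auth)
    dup, _ = sp.handle("POST", "/Users", body={**joiner, "userName": "JDoe@Example.org"}, auth=auth)
    unauth, _ = sp.handle("GET", "/Users", auth="Bearer not-the-token")
    find, page = sp.handle("GET", "/Users", query={"filter": 'userName eq "jdoe@example.org"'}, auth=auth)
    # leaver: HR disables the account; some IdPs send the boolean as the string "False"
    off = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "value": {"active": "False"}}]}
    deact, user = sp.handle("PATCH", f"/Users/{user['id']}", body=off, auth=auth)
    delete, _ = sp.handle("DELETE", f"/Users/{user['id']}", auth=auth)
    return {"create": create, "duplicate": dup, "unauth": unauth, "find": find, "matches": page["totalResults"],
            "deactivate": deact, "active_after": user["active"], "delete": delete}
```

Calling joiner_leaver_flow() walks the joiner/leaver cycle and returns the statuses the service provider answered: 201 for the new user, 409 for the re-registration under a different case, 401 for the wrong token, 200 with one match for the filter lookup, 200 with active set to False for the deactivation, and 204 for the delete. Only the `eq` filter and add/replace PATCH operations are implemented; a real server would also need Groups, pagination and the ServiceProviderConfig and Schemas discovery endpoints, and would do the same strict validation for every attribute the IdP is allowed to write.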

@oneitonitram

No one is questioning the function or details of SCIM or SSO, there are more than enough documents online covering that.

“What sense does it make for a SME?”, in your view, is the question being asked.
I still do not see any advantage for the typical small SME.

You talk about My HR Manager…

80-90% of my SME clients don’t actually have departments… That’s all under “Administration”, including Bookkeeping, HR and other “cost centers”…

Real Life…

Maybe African startups and small to medium Enterprises like 5 people companies have dedicated HR and Marketing departments?
SME do have fluctuations, true. But then again, not that many, usually.
Too much overhead bloat?

My 2 cents
Andy

Andy understands what I’m saying here. To put it in language I used when I worked in sales, you’re talking in terms of “features,” while I’m asking in terms of “benefits.” OK, SCIM can do these things. Great. Why does a small organization care? So, when you say:

I say, so what? What’s the practical benefit of this?

So the first time one of these users logged into Slack, for example, they could have certain tasks assigned (presumably something along the lines of building their profile). This can’t be done using OIDC?

But you can do that with any auth system. What makes SCIM different here?

I’m beating the drum of “a small organization,” because that’s who I understand NS to be designed for. And the user-management needs of an organization with a few dozen users are going to be very different from those of one with several hundred or thousand.


If you're putting it in that sense, then an SME does not need an SMB server, neither do they need AD, and all the other things.

I have worked and work with organizations where my annual turnover is daily petty cash for them, but they don't have AD, don't have SSO; they use cPanel with webmail for email, that's it, and everything is done over email.

There is never a question of need over non-need. It is a question of industry best practices brought in to get things done effectively.

Before git, software was still being built, albeit it was a bit harder.

Without SCIM, people will still operate, just like they have operated without SSO before.

It's a question of understanding the value propositions presented by a technology, and applying the same.

I never knew I needed GLPI; in fact, it would seem that my small organization did not need such a tool,

but when licenses and domains begin to expire, and other systems begin to fail, only then do you realise the correlations between service A and B.

In Kenya, we have a platform called M-Pesa; it's literally money, works with feature phones, functions like a bank, but is more than a bank. All you need to send money to someone in Kenya is their phone number; don't even ask for an account number, send it to their phone and they will get it.
If you had asked if people needed it, no one would have said it made sense, but now we cannot live without it.

We don't need SCIM, true, we can work without it, but I bet in the near future we will need it.

Short answer: I may not really be in a position to explain its importance in words, but I see the vision.

Same way nobody needed an iPhone, we had BlackBerry, but now… (story for another day)

As a new platform (NS8), we need to also anticipate the future of small business operations and management, and new trends. That's why Podman was used, and we now have to re-build all previously working modules.

So, I will not attempt again to explain why it's needed or is important (because I am not equipped to do so), but if I learn something new about the project, I will surely share it; it will also be great for my reference and for the discussion's reference.


…which is why I didn’t ask about “need.” I asked about “benefit.”

I really can’t tell if you’re being deliberately obtuse, or if you just can’t understand what I’m asking. I think my question is pretty clear, and I think I can normally communicate pretty well in writing, but you have at this point written several thousand words that just don’t address it. At all. So it seems that

…and as a result this discussion has become non-productive. But here’s what I’m seeing:

  • You want Nethesis to prioritize SCIM in NS8
  • You can’t, or won’t, explain what benefit SCIM brings to the organizations NS is intended to serve

I think you’ll have a much better chance of accomplishing your goal if you can correct the second point. Good luck.

It’d probably be worth working toward a shared definition of “SME.” In .eu, this includes a business with up to 250 employees. In .us, it varies with the industry, but can be as many as 1500 employees. It’s my perception that NS’ target market is on the smaller side of that–I’d mentioned <= 50 users, which would be a “small business” under the EU definition–but they don’t clearly state that anywhere I can see, and specifically include “medium enterprise” on their home page.

A related question would be “what kind or size of organizations are using Nethserver,” as there could be a discrepancy between their target market and the actual user base. But if they’re really targeting organizations with (up to) hundreds of users, a more advanced user management/SSO/IAM tool is going to make a lot more sense than if they’re only aiming at a few dozen at most.

Hi @danb35

AFAIK, in EU / Switzerland it’s 2-500 Users “Officially”.
I am aware of some NethServer installations in South America and Asia with more than a few hundred users, some over a thousand. But either they are the exception to the rule, or admins of such systems don't need / show up on the forum - or very rarely…

The larger, more dispersed an organization is, the more non-MS tools / programs / apps they use, the more they benefit from SSO.

My 2 cents
Andy