SCIM a NEW "LDAP" STANDARD

JFYI,

way too much text, so I skipped reading it.


I think you’re “drooling” for this - a nightmare for almost ALL my clients!

“sync User Identities with external third party tools” is probably illegal in Europe for almost everything!

Only a really stupid enterprise or state entity would opt for “Microsoft Authentication”, but it’s probably a sure way to get more Chinese “readers”…

:slight_smile:

And starting the pointing game when things go south. No Account Provider wants to have responsibility when a third party has “write” permissions… So SCIM becomes the default “blame boy”, whether true or not.

This then actually becomes the major problem, not a “feature”:

“iregardless where it was updated from”

:slight_smile:

I still see NO NEED for any of this in the SME (small, medium enterprises) market.

I actually do see major faults in this logic…

Introducing “new” tools no SME has a need to use will introduce new risks, wrongly configured services, etc… Most of these errors will occur on the extreme low end side, users with less budget, know-how and/or experience, often under the mistaken concept that this new tool will make it possible to use this with no budget or know-how…

So more “free” support on subjects not normally covered…

This all sounds like a company with 2 employees, but on the Organigram, there are twenty plus departments…

Nethserver is a platform aimed at Small and Medium Enterprises, Home Users, not for globally operating enterprises or large cloud entities…

:slight_smile:

My two glowing pieces of coal
Andy

Avocatus Diabolis


Well, absolute statements like this will usually be wrong, but I think this really is the question for me as well: Martin, what benefit do you see from SCIM for an organization with, say, no more than 50 users? Or maybe no more than 20? Sure, it looks like it’s teh new hawtness, but what real benefit does it bring?

I see two major features in your post:

  • “sync user identities with external third party tools”, and
  • “more than one identity provider”

Leaving aside the question of whether and under what circumstances this is legal (silly EU and their GDPR), why do you see it as being desirable? In particular, why do you see it as desirable for a small organization, which is the target market (AFAIK) for NS? Because maybe my imagination just sucks, but I can’t really see a reason that either of these would be beneficial in that setting.

This is completely impractical IMO. As you say, it would need to be deeply integrated into the system, which would almost certainly take a great deal of work. I’d think there would need to be a very strong reason to duplicate that work for a second (or third, or whatever) SSO system.

I’ve seen some of the Neth folks say they intend to have an official SSO system (Authentik, IIRC). It makes sense, all other things being equal, to use as full-featured a system as possible–surely it ought to support OIDC, SAML, and CAS. Maybe there’s a good reason to spec SCIM support as well, and if Authentik is the tool they’re using, it (per your post) would fit the bill. But the question remains, what major benefit(s) does this bring to the small organization?

the sentiment son more than correspond to the fact that.

  1. Nethserver will not be used by one or 2 but by maybe thousands of organizations.
  2. While the Nethserver dev team will choose or decide the identity provider to use, the community is able to implement a community supported one, or the one they prefer. The same way we have Webtop and SOGo: they both do the same function, but why do we have Webtop, SOGo and webmail? We could have easily had Webtop only.
  3. All large Enterprises began as SMEs, including Microsoft, Oracle, Google and all the others, even recently the likes of Notion, Trello (before acquisition) and others.

What Nethserver is offering the SME is the standard for the Corporates brought to the SME; otherwise no small SME wants to manage their own mail server, or file server etc. They would rather outsource or buy MS365.

Coming back to my industry, an average small SME in the IT and Software Space uses an average of 20 Tools.

  1. Slack and its brothers for communication
  2. github and its cousins, for repo
  3. a wiki for their softwares and tools
  4. email system and server
  5. accounting software
  6. CRM system(assuming they have a strong marketing and sales department)
  7. Internal computers and logins,
  8. Servers managing their websites and codes
  9. login to their websites
  10. Automation tools like Make, n8n and Zapier
  11. Bulk SMS/ email marketing solution and systems
  12. API integration platforms, eg(Paystack,paypal,stripe etc)
  13. Website monitoring (could be google, matomo or piwik pro)
  14. Product monitoring (posthog, and others)
  15. Data tools and maybe data aggregation tools (Assuming they crunch a lot of data)
  16. Database management tools and similar
  17. Design and prototyping tools (Figma, Octopus.do)
  18. Possibly a password manager somewhere

This is just a hypothetical scenario for the small IT firm, the SME as you call it.

Is Nethesis an SME or an Enterprise? I know they are using almost the given number of tools:

github, docker, discourse, dokuwiki, trello, figma, mattermost, maybe nextcloud, maybe
Where does the SME level end?

Some of the tools could be easily replaced by one tool.

MS365 will replace a huge number of the tools, an Azure subscription as well, and a Zoho One subscription for $50 per user per month could replace a lot more.

But still there will be some other pain point areas and tools that still don’t fit the bill. Maybe an Oracle or SAP subscription could solve that.

Either way, for an organization to maintain some level of control in all these tools, they need an identity manager. AD fits the bill, but let’s be honest, AD was not designed for the cloud.

That’s why we have OIDC, OAuth2, SAML and cousins. Now everyone seems to be phasing out SAML in favour of SCIM. Do we not want to support SCIM, just because? Hell no, it’s like saying let’s not support Let’s Encrypt because there are commercial and self signed certs that would still serve the job.

@danb35 I am guessing you’re not in the corporate enterprise category; if so, then why were you interested in SSO for SSH authentication?

While SCIM can complement AD at the moment, in the near future it may replace or phase it out completely.

Implementing an SSO module that does not support SCIM or has no immediate plans for supporting SCIM, if SCIM is not built into Nethserver, I am sure to say would be a wasted effort, and in the near future you might be forced to come back to the drawing board.

As with all things, not everything is mandatory. After all, Nethserver 7 has operated perfectly ok without an SSO module until @danb35 gave us LemonLDAP::NG.

I will be honest, the first real productive use case of SSO on my end has been with LLNG, courtesy of danb’s module.

But as I have used it, gotten accustomed to it, and learnt a lot more about its implementation, and how we can as well implement it in the software we are building, the more I have the need for more.

Operating from Africa, and in a country where our exchange rate to the dollar has increased 60% in less than 6 months, I know the pain of paying for subscriptions for every tool you need to use, especially if the pricing model is in dollars and designed not for the African market. I try to the best of my ability to squeeze every cent out of a dollar.

While $50 on your end could only afford a cup of coffee, on my end it’s able to pay an entire month’s rent somewhere, or even not so fast internet for use in the office.

I asked a simple question. You used almost 800 words to not only not answer it, but mostly to not say anything even related to it. I guess that’s up to you–and I’m certainly not the person you need to convince–but if you want SCIM support in Nethserver, I think it’s a question you need to be able to clearly answer. Unless it’s just obvious to everyone but me, which I guess is possible, but that doesn’t seem to be the case here.


@oneitonitram

A very, very narrow view of things and real life.

Of my 30+ clients, none do programming, so Slack, Mattermost or typically any software with “agile” in its description, almost always referring to “agile” programming, and almost “cult”-like!
Some are in IT, but services, and don’t need programming tools.


Maybe in Africa, Asia and South America, but around here, start spamming and you’re blacklisted.
No one wants spamming except spammers!

All the fake marketspeak of these guys: “Leads”: Any stolen E-Mail becomes a lead is simply NOT true.


Maybe more important as to the relevance of an “IT company” as a typical SME:
How many would potentially choose NethServer, and how many would opt to do their own, using Debian, Ubuntu or even a BSD variant to run their choice of stuff? I am talking about guys with Know-How… :slight_smile:

If they don’t have know-how, they simply won’t “grow” and thus will never become an Enterprise!


AFAIK, the most NethServer users are in Europe, closely followed by North and South America.
Africa and Asia are last on the lists.
I think @alefattorini could confirm this.


My 2 cents
Andy



Let’s be honest here:

Exactly SAP and Oracle are the very typical tools an Enterprise uses on site, as these handle very confidential data.

Oracle does have some use in big data handling, but then again, this is an area which doesn’t need an Identity Manager, as this data is only for a small circle of people. On top of it, it’s an entirely different set of shoes than the typical ERP in large organisations / enterprises.

My 2 cents
Andy


If you’ve gotten used to having a SSO tool,and are into programming (also for clients) I don’t see why or what stops you from implementing your own VM with a Debian or whatever OS, and the SSO of your choice, and using that to couple the AD or LDAP in NS8 with whatever tools need SSO integration for your business.

Can you give an answer to this?

Without an answer, I’d have to assume the two "L"s…, either laziness, or lack of knowhow.

I also do not think you’ve ever run into a “race condition” with 2-way sync of Identity, different restrictions of password complexity or any of the plentiful headaches SSO can bring.
It can easily turn out to be a case of too many cooks ruin the brew!

Most SSO systems typically use one way sync exactly because of this, and very strict rules…


Sorry for being so harsh, but as both Dan and LayLow have mentioned, very, very long winded, without any real statement in all those words. Where’s the beef? :slight_smile:

My 2 cents
Andy


Actually, I can, and have done so, the same with all the other tools.
It’s possible to deploy Nextcloud in a normal cPanel, it’s possible to deploy Zammad in a normal cPanel, it’s possible and actually easy to deploy Vaultwarden using Coolify.
Webmail is already the default webmail client for 90% of hosting control panels.

Email, Zimbra, can do, recently someone posted zitadel, there is now carbonio etc.

It’s not a question of if it’s possible or not to deploy on other platforms; in some cases it could be even easier to do so. It’s a question of how we build Nethserver into a product that most SMEs would want to use.

Someone may choose to use Nethserver just because it implements Nextcloud better, someone else because they need AD, another person because it has Webtop or a mail server, etc.

If all is set in stone, why then did the developers go through a lot of trouble to implement the community nethforge repo?

Why does it have a module system? They could have built the thing as a monolith to do just Nextcloud, AD and the likes. Why did they choose to separate the firewall from the main Nethserver?

It’s because they wanted NS to grow beyond a firewall, and wanted the community to be engaged and contribute.

Otherwise we’d only have nethrepo, and that’s it.

This could actually be a very wonderful reason why someone might want to choose Nextcloud.

It’s possible to install KVM and virtual things inside Linux, so why do you use Proxmox?

There is no beef, sharing is caring. Everyone in the community has a part to contribute.

For example, I have not generally tested NextSecurity because I don’t know much about firewalls and wouldn’t know if something is a feature or a bug; I use the bare minimum configs… but for what I know, I stick my head in.

@oneitonitram

Well, AFAIK, you were the only one besides Dan using his SSO productively.

I do not see much positive feedback on any of your SSO posts…

SSO is an interesting subject, I’ve been dealing with SSO for over 20 years, so maybe I do have some experience in this subject.
Yet it was never for an SME, it was always only for BIG enterprises, who had the small change needed to implement all the details well in such tools.

IMHO, the interest in this community / forum for SSO on NS8 seems extremly low. The general consensus seems to be anyone who needs SSO is free to create a module / container / VM to handle the job.

I’m using the word “seems” as I don’t have any polling stats nor actual data from the forum system (Discourse). I’m judging from feedback in the forums and my memory of the posts…

I don’t think a lack of knowhow should enable a fool to dabble with things he doesn’t understand.

It’s like allowing a common user to run a mail system. It will become a spam gateway, that’s all!

Nothing wonderful about that!

The most dangerous fools are the ignorant ones!

KVM doesn’t handle Backups like PBS does with Proxmox! Very simple!

As a commercial supplier of services, it’s a BIG advantage to use commercial, supported tools. KVM alone is something for freaks. Proxmox is here on a different league. And yes, all my clients use a paid license for Proxmox…

→ A very narrow view of the world…
I do hope that’s not a continental issue, having a narrow minded view of the world.

As I do not support SSO on NethServer NS8 specifically, I will ignore future posts on this subject as too time consuming and leading nowhere…

Over and out!
No hard feelings intended, but my personal opinion.

And to be honest, I would drop NethServer, if release is delayed due to SSO, a Feature that was never part of NethServer…

After RedHat’s betrayal and lying, I’m a bit susceptible on such issues!

My 2 cents
Andy


I’m a big proponent of SSO. I’ve put no small amount of work into making it work with Nethserver. And if Nethesis are going to put SSO into NS8 (as they’ve mentioned up-topic they intend to), and SCIM is a growing standard for SSO, I’d just as soon, all other things being equal, they work with a product that includes it rather than one that doesn’t.

But Martin, you seem to be putting a pretty high priority on SCIM. So, to repeat the question I asked back in October (and again earlier this evening), why? What does it bring to the table–in the context of a small organization, which is what NS8 is designed to serve–that existing protocols don’t?

AWStats shows about 60 downloads of my RPM between 2022 and 2023. Hardly a ringing endorsement (automx, self-service-password, and acme-dns are all more popular), but it does tend to suggest there are other users.

But it’s also important to keep in mind that, even with my module, LLNG isn’t the easiest thing to configure. I’d expect interest would be a bit higher in a better-integrated solution.

You mention that SSO tends to be reserved for big business. I’m not sure how accurate that is any more, with as popular as “Log in with Google/Facebook/Microsoft/GitHub” is becoming (all of which are a form of SSO, but remotely hosted), but even leaving that aside, I think there’s a definite place for it in the small organization as well. The IAM piece of it wouldn’t be as relevant–you’d most likely have all users have access to all, or at least most, of the services on the server. But given that that’s the case, it seems silly for the same user to have to log in separately to SOGo, Nextcloud, and Mattermost (to give three examples), when all three are running on the same server for the same organization. And I think that’s a feature that would be viewed as beneficial by lots of users, even if most wouldn’t put a lot of work into making it happen. Even for a home environment this can be helpful.

I’m agnostic as to which solution the devs implement, and I’m far from sold on SCIM. But it looks like the devs do plan to implement a SSO system, and if they do that right that can be a pretty significant convenience for users of the server.


With SCIM, user identities can be created directly in a system like Keycloak, or within AD, the way NS does it, or even the user created in the accounting software can be imported into the identity manager.

If my HR manager only has access to the HR system and a new employee is added, the user is created in SCIM as well, and IT is happy.

Unlike when an email needs to be sent to IT to create the new user. When a user is fired by HR, they are disabled, and are deprovisioned in SCIM.

SCIM is a REST and JSON-based protocol that defines a client and server role. A client is usually an identity provider (IdP) like LLNG, that contains a robust directory of user identities.

A service provider (SP) is usually a SaaS app, like Slack, that needs a subset of information from those identities.

When changes to identities are made in the IdP, including create, update, and delete, they are automatically synced to the SP according to the SCIM protocol. The IdP can also read identities from the SP to add to its directory and to detect incorrect values in the SP that could create security vulnerabilities.

For end users, this means that they have seamless access to applications for which they’re assigned, with up-to-date profiles and permissions.

Since it’s RESTful, it’s easy to implement; even NS can adopt it for Nethserver based systems, like Mail, Nethvoice and others.

Some apps can do what is called “Just in time access/provisioning” when logging in via Keycloak/LLNG (OpenID Connect), where it will create a new user and update it with the information received from Keycloak/LLNG.

Where all of the provisioning in OpenID Connect happens when you login, SCIM does it automatically in the background.

So for user management SCIM has a handful of advantages over Keycloak/LLNG (OpenID Connect):

  • It creates the user before they login, as an example this allows you to assign “tasks” or similar to the user before they login the first time
  • It deletes the user again
  • It can create and update roles and groups

The combination of Keycloak/LLNG and SCIM gives you the best coverage of user identity management in a third party application.

SCIM is a communication standard,

While SCIM and single sign-on (SSO) work together, each serves a different purpose. SCIM provides an easy way to provision users’ access across multiple domains, whereas SSO performs SCIM authentication by verifying users’ credentials.

What Is SCIM Provisioning? How It Works, Benefits, and More | StrongDM

@danb35 I have explained these principles countless times, and I am left wondering when you say I have not explained why it makes sense.

@oneitonitram

No one is questioning the function or details of SCIM or SSO, there are more than enough documents online covering that.

“What sense does it make for a SME?”, in your view, is the question being asked.
I still do not see any advantage for the typical small SME.

You talk about My HR Manager…

80-90% of my SME clients don’t actually have departments… That’s all under “Administration”, including Bookkeeping, HR and other “cost centers”…

Real Life…

Maybe African startups and small to medium Enterprises like 5 people companies have dedicated HR and Marketing departments?
SME do have fluctuations, true. But then again, not that many, usually.
Too much overhead bloat?

My 2 cents
Andy

Andy understands what I’m saying here. To put it in language I used when I worked in sales, you’re talking in terms of “features,” while I’m asking in terms of “benefits.” OK, SCIM can do these things. Great. Why does a small organization care? So, when you say:

I say, so what? What’s the practical benefit of this?

So the first time one of these users logged into Slack, for example, they could have certain tasks assigned (presumably something along the lines of building their profile). This can’t be done using OIDC?

But you can do that with any auth system. What makes SCIM different here?

I’m beating the drum of “a small organization,” because that’s who I understand NS to be designed for. And the user-management needs of an organization with a few dozen users are going to be very different from those of one with several hundred or thousand.


If you’re putting it in that sense, then an SME does not need an SMB server, neither do they need AD, and all other things.

I have worked and work with organizations for which my annual turnover is daily petty cash, but they don’t have AD, don’t have SSO, they use cPanel with webmail for email, that’s it, and everything is done over email.

there is never a question of Need, over non need. it is a question of industry best practices brought in to get things done effectively.

Before git, software was still being built, albeit a bit harder.

Without SCIM, people will still operate, just like they have operated without SSO before.

It’s a question of understanding the value propositions presented by a technology, and applying the same.

I never knew I needed GLPI; in fact, it would seem that my small organization did not need such a tool,

but when licenses, and domains begin to expire, and other systems begin to fail, only to realise the correlations between service A an B.

In Kenya, we have a platform called M-Pesa; it’s literally money, works with feature phones, functions like a bank, but is more than a bank. All you need to send money to someone in Kenya is their phone number; don’t even ask for an account number, send to their phone, they will get it.
If you asked if people needed it, no one would say it made sense, but now we can not live without it.

We don’t need SCIM, true, we can work without it, but I bet in the near future we will need it.

short answer, I may not really be in a better position to explain by words its importance, but i see the vision.

Same way nobody needed an iPhone, we had BlackBerry, but now… (story for another day)

As a new platform (NS8) we need to also anticipate the future of small business operations and management, and new trends. That’s why Podman was used, and we now have to re-build all previously working modules.

So, I will not attempt again to explain why it’s needed or is important (because I am not equipped to do so), but if I learn something new about the project, I will sure do share; it will also be great for my reference and for the discussion reference.


…which is why I didn’t ask about “need.” I asked about “benefit.”

I really can’t tell if you’re being deliberately obtuse, or if you just can’t understand what I’m asking. I think my question is pretty clear, and I think I can normally communicate pretty well in writing, but you have at this point written several thousand words that just don’t address it. At all. So it seems that

…and as a result this discussion has become non-productive. But here’s what I’m seeing:

  • You want Nethesis to prioritize SCIM in NS8
  • You can’t, or won’t, explain what benefit SCIM brings to the organizations NS is intended to serve

I think you’ll have a much better chance of accomplishing your goal if you can correct the second point. Good luck.

It’d probably be worth working toward a shared definition of “SME.” In .eu, this includes a business with up to 250 employees. In .us, it varies with the industry, but can be as many as 1500 employees. It’s my perception that NS’ target market is on the smaller side of that–I’d mentioned <= 50 users, which would be a “small business” under the EU definition–but they don’t clearly state that anywhere I can see, and specifically include “medium enterprise” on their home page.

A related question would be “what kind or size of organizations are using Nethserver,” as there could be a discrepancy between their target market and the actual user base. But if they’re really targeting organizations with (up to) hundreds of users, a more advanced user management/SSO/IAM tool is going to make a lot more sense than if they’re only aiming at a few dozen at most.

Hi @danb35

AFAIK, in EU / Switzerland it’s 2-500 Users “Officially”.
I am aware of some NethServer Installations in South America and Asia with more than a few hundred users, some over a thousand. But either they are the exception to the rule, or admins of such systems don’t need / show up on the Forum - or very rarely… :slight_smile:

The larger, more dispersed an organization is, the more non-MS tools / programs / apps they use, the more they benefit from SSO.

My 2 cents
Andy

I think this is the big issue, and it also ties well with what NS is–it’s a way for smaller organizations to self-host stuff that they’d otherwise be using MS365/Google Apps for. Larger organizations don’t so much need the all-in-one server; they have the IT staff to set up a webserver, and a mail server, and whatever else they need (though “the cloud” is pretty popular even with big business, it seems). But a ten-man shop isn’t going to have that resource, so they either put their information “in the cloud” (i.e., on someone else’s computer, so they give up control over their data), or they need a product that can handle these things out of the box in a robust and secure manner. And that’s what NS/SME/e-smith do.

SSO isn’t essential in this environment, but it is more secure (applications never handle user credentials), and it’s surely more convenient (in the ideal case, you only need to sign in once to use any tool, locally- or remotely-hosted, that your organization uses). That’s why I’ve been a cheerleader for SSO for a while, and really hope to see NS move forward to implement it and integrate it into the system.

SCIM continues to puzzle me, though–I see lots of buzzwords, but very little “so what.”

@danb35 let me see if this helps open up your mind to SCIM and if it makes sense to you.

If my company has the 20 tools that we are using, and we have SCIM in our identity provider, be it Nethserver, Keycloak or LLNG, and the users make use of SAML or OIDC to login to any of the platforms we have as a company.

If, when a new user joins the organization, and we know they need access to Github, slack, salesforce, etc.

from within our SAML dashboard, we can assign which of these tools, these users can login into, and therefore have their accounts pre-provisioned for them.

So when they go to GitHub or Slack and login, they already have pre-provisioned accounts and all parameters, settings, assignments etc. done for them.
So they would be automatically invited to the tool, and to whatever groups, tasks etc. created in it, as per the support functions of the said tool.

If in one instance this user does not need to have access to GitHub anymore, but they still need to have access to all the others,

then from within the IdP we can go and dis-assign the user from that particular application.

It is this kind of granular control and centralised management that SCIM adds to the IdP capabilities, that was not there before. Sure, you can still use SAML, sure you can still use OIDC etc., but SCIM adds to them; it does not take away or replace them.

The foreseeable long term effect is that, because there is some compatibility in the sense of what SCIM offers with Active Directory and/or LDAP, they may end up being replaced/phased out by SCIM being the holder of user accounts.
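The lifecycle described in the two SCIM posts above (HR onboarding with accounts pre-provisioned in the assigned apps, revoking one app only, offboarding with `active=false`, and the IdP reading identities back from the SP to spot wrong values) as an added example that is not code from the original posts, NethServer, LLNG or Keycloak. Each "app" is an in-memory stand-in for a SaaS provider's SCIM 2.0 `/Users` endpoint; the three app names, the user, and the simplified PATCH handling are constructed assumptions, and a real service provider would sit behind HTTPS with a bearer token.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    return status, ({**body, "scimType": scim_type} if scim_type else body)


class ScimServiceProvider:
    """In-memory stand-in for a SaaS app's SCIM 2.0 /Users endpoint (RFC 7644 subset)."""
    def __init__(self):
        self.users = {}  # SP-side id -> User resource

    def handle(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["Users"]:
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return scim_error(409, "uniqueness")  # userName is unique within an SP
            res = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "active": True, **body}
            self.users[res["id"]] = res
            return 201, res
        if len(parts) == 2 and parts[0] == "Users":
            user = self.users.get(parts[1])
            if user is None:
                return scim_error(404)
            if method == "GET":
                return 200, user
            if method == "PATCH":  # only "replace" of a top-level attribute is modelled
                for op in body["Operations"]:
                    user[op["path"]] = op["value"]
                return 200, user
            if method == "DELETE":
                del self.users[parts[1]]
                return 204, None
        return scim_error(400, "invalidPath")


class IdentityProvider:
    """Directory that pushes lifecycle changes to the SCIM endpoints of a user's assigned apps."""
    def __init__(self, apps):
        self.apps = apps       # app name -> ScimServiceProvider
        self.directory = {}    # userName -> {"active", "displayName", "apps": {app: SP-side id}}

    def onboard(self, user_name, display_name, app_names):
        # HR adds the employee: the account exists in every assigned app before first login.
        self.directory[user_name] = {"active": True, "displayName": display_name, "apps": {}}
        for app in app_names:
            self.assign(user_name, app)

    def assign(self, user_name, app):
        rec = self.directory[user_name]
        status, res = self.apps[app].handle(
            "POST", "/Users", {"userName": user_name, "displayName": rec["displayName"]})
        if status != 201:
            raise RuntimeError(f"{app}: SCIM {res['status']} {res.get('scimType', '')}")
        rec["apps"][app] = res["id"]

    def unassign(self, user_name, app):
        # Revoke one app (the "no longer needs GitHub" case) without touching the others.
        sp_id = self.directory[user_name]["apps"].pop(app)
        return self.apps[app].handle("DELETE", f"/Users/{sp_id}")[0] == 204

    def offboard(self, user_name):
        # HR disables the employee: one PATCH active=false per assigned app, no ticket to IT.
        rec = self.directory[user_name]
        rec["active"] = False
        patch = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "path": "active", "value": False}]}
        return {app: self.apps[app].handle("PATCH", f"/Users/{sp_id}", patch)[0]
                for app, sp_id in rec["apps"].items()}

    def drift(self):
        # Read-back check: SP accounts disagreeing with the directory (a leaver still active) to alert on.
        findings = []
        for user_name, rec in self.directory.items():
            for app, sp_id in rec["apps"].items():
                status, res = self.apps[app].handle("GET", f"/Users/{sp_id}")
                if status != 200 or res["active"] != rec["active"]:
                    findings.append((user_name, app))
        return findings
```

`drift()` is the part worth scheduling in practice: an app that silently re-enables or keeps a deprovisioned account is the inconsistency the SCIM read-back path exists to catch.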