SCIM a NEW "LDAP" STANDARD

and thus the reason why we are making some noise about SSO and some variations of it in Nethserver8 before it becomes too mature to implement them in the first place,

Do you now understand why it is important to do this at this stage?

If you have an ERP or CRM, most are based on RDBMS (Relational Database Management Systems).
If your SCIM contains one more telephone number than your CRM database has fields for, then with each sync, you risk losing data!

Only you don’t know if it’s an important number or not; that is not decided by you.


Simple!
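As an added illustration of the field-count problem described above (example code, not from the original post or from NethServer): a constructed SCIM 2.0 User with three phone numbers is mapped onto a hypothetical CRM table that has only two phone columns, and the check reports what a sync would drop instead of silently losing it. The CRM column names and the `safe_sync` helper are assumptions; only the schema URN is the real SCIM core User schema.

```python
import json

# Constructed SCIM 2.0 User resource; the schema URN is the real core User
# schema from RFC 7643, everything else is sample data made up for this example.
SCIM_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "constructed-id-0001",
  "userName": "mjane",
  "name": {"givenName": "Mary", "familyName": "Jane"},
  "emails": [{"value": "mjane@example.com", "type": "work", "primary": true}],
  "phoneNumbers": [
    {"value": "+1-555-0100", "type": "work"},
    {"value": "+1-555-0101", "type": "mobile"},
    {"value": "+1-555-0102", "type": "other"}
  ]
}
""")

# Hypothetical CRM table: one fixed column per phone type, nothing else fits.
CRM_COLUMNS = {"work": "phone_work", "mobile": "phone_mobile"}


def map_to_crm(user):
    """Return (crm_row, dropped): dropped lists every SCIM attribute that has
    no destination column and would therefore be lost on a sync."""
    row = {
        "username": user["userName"],
        "email": next((e["value"] for e in user.get("emails", [])
                       if e.get("primary")), None),
    }
    dropped = []
    for phone in user.get("phoneNumbers", []):
        col = CRM_COLUMNS.get(phone.get("type"))
        # No column for this type, or the column is already taken: data loss.
        if col is None or col in row:
            dropped.append(("phoneNumbers", phone))
        else:
            row[col] = phone["value"]
    return row, dropped


def safe_sync(user, allow_lossy=False):
    """Refuse a sync that would silently discard attributes unless the
    operator explicitly accepts the loss."""
    row, dropped = map_to_crm(user)
    if dropped and not allow_lossy:
        raise ValueError(
            f"lossy mapping: {len(dropped)} attribute(s) would be dropped: {dropped}")
    return row
```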

2 of you are pushing for this, all other users seem silent on this.

My opinion is still: After Release!

But why would anyone implement a software to handle its data like that?

Check out multi-faceted ERP solutions like Zoho, which has over a quadrillion apps, but their login process is very seamless.

Now let’s look at another example: check out Aruba Cloud. Their SSO implementation is pathetic (customer support: different login; cloud manager: different user; account manager: different user, but some can SSO directly to the other, and whoosh).

Actually the correct assessment would be: 2 of you are vocal about it.

In this community there are members who barely comment on anything unless they have issues.
Others mostly comment when solving users’ issues, etc. Everyone has their strength, and that is what makes the community function as it does.

So you’re saying SCIM / SSO is not an issue for them?


:slight_smile:

Thanks!

I do agree that SSO is the future.

BUT: We don’t have a finished building yet, it’s still a building with scaffolding.

The decision has been made to use containerization, I’m fine with that - I’ve been against native installs for several years now


What exact functionality the “Auth” container has can be changed over time; NS8 1.1 can have more than what NS7 had, easy. Like the options for backup in NS7 grew with time, that’s software “evolving” in a positive way.


But don’t waste valuable time delaying the building from going operational by discussing the glass tinting in the penthouse apartment!

My 2 cents!
Andy

As I can for sure see, it’s not an issue for you :wink:
Everyone uses software for different purposes. I have one instance of Nethserver which only handles AD and SSO; that’s the only thing that server does (you actually helped me set it up and I am forever grateful for that), and it has VPN connections (@mrmarkuz helped on the VPNs) to all other servers that need AD. For those that do not, that’s where LLNG, courtesy of @danb35, plays its role. So LLNG does its thing and it’s been extremely useful, but oh boy is it hard to configure. Would I work with a simpler or better solution? Sure thing.

Not every knife is suited for every job; some jobs require a sledge hammer.

Very, very true.

But “Sledge Hammers” (or their users) then aren’t specifically in the club of “shooters”

And shooters aren’t usually members of the “hammers”


SME and Service Providers aren’t the same club!

And NethServer is still mainly geared for SME, Home Users and Enthusiasts


You are a service provider,

you offer the services to SMEs.
Most SMEs don’t know what they want until they are told. You have no idea how many large SMEs have no firewall.

I have currently adopted a network to manage for an organization with over 2000 endpoints (desktops and printers only; let’s not even get to cameras, biometric kits and other endpoints), and they do not have a Zabbix or any network documentation. At the moment, I even doubt they have an AD in place, but I am learning these things and advising the IT manager as we move along.

2 Likes

Only in the sense that I provide know-how, and services with their hardware.
I do not provide services for paying customers on any of my servers at the moment.

→ Most SME actually know basically what they need. Bookkeeping, Files, Printing, etc


But what specific tool does it best, that’s where advice and experience helps them.

But all this has nothing to do with any cloud!

“Need”? No, I don’t guess it does–particularly given that time is limited to get NS8 out the door before CentOS 7 goes EOL next year. But if it is in the cards, that means other design decisions need to be made appropriately. For example, the other software on the server needs to be able to integrate with some standard SSO protocol–SOGo can do this, for example, while I don’t think Roundcube can. And it needs to be configured in a way that doesn’t preclude its integration with SSH–like Nextcloud should use the actual usernames as the user IDs, not the UUIDs that it does right now. And if NS8 is going to be clustered, that SSO login information should be automatically shared among cluster nodes. Even if SSO itself isn’t there at release, the ground work needs to be there.

And no, AD/LDAP aren’t SSO.

I’m not addressing SCIM itself here; I know almost nothing about it.

2 Likes

Hi Dan

I’m not saying LDAP/AD are SSO - they’re not. But they are the predecessors


And NS8 doesn’t need anything not there in NS7 for starters, as said, it can come in later, if the planning has been done for coding


My 2 cents
Andy

Especially the planning bit is important.

Exactly my point: it may not be available immediately, it may not be made available on release, but at the initial stages the ground work needs to be in place for when it’s to be done. That way, there is not a lot of reinvention to be done.

Similarly, there are things not in NS7 that should be included for

things like these.

3 posts were split to a new topic: Add WSDD service to file server

I would like SSO also for WordPress.

On top of these,

Also for reference:

Zitadel: ZITADEL • Identity infrastructure, simplified for you
Looks mature and promising.
Written in the same language as Nethserver 8.
I think Zitadel and goauthentik are competing at almost equal levels.

KANIDM: Kanidm
It should be noted that this does not yet support SCIM, but it is planned:
SCIM Implementation · Issue #211 · kanidm/kanidm (github.com)

But it has replication, which might be a plus for the new NS8 architecture.

Also SAML is not yet supported; it will not be supported until 2.0 is released.

I also came across this for implementing SCIM in any golang based project: elimity-com/scim: Golang Implementation of the SCIM v2 Specification (github.com)

1 Like

I have been brainstorming on these, and felt maybe I should share them in the community in the open.
They could give some insight on the possible SSO modules.

The new Microsoft authentication service for enterprise syncs with SCIM:

SCIM synchronization with Microsoft Entra ID - Microsoft Entra | Microsoft Learn

Apple now supports SCIM:
Do more with Managed Apple IDs - WWDC23 - Videos - Apple Developer
(check the 17 minute mark)

SalesForce: SCIM and REST API Reference Sheet (salesforce.com)

Gitlab has SCIM: Configure SCIM for GitLab.com groups | GitLab

Slack also Provisions with SCIM: Provisioning with SCIM | Slack

Okta here: What is SCIM? | Okta

and by extension Auth0: System for Cross-domain Identity Management (SCIM) (auth0.com)

So basically, pretty soon, to be able to sync user identities with external third party tools, you might be better off using SCIM.

Plus, if I am not wrong, with SCIM you could have more than one identity provider, with each record being updated, irregardless where it was updated from.

Authentik has support for SCIM here: SCIM Provider | authentik (goauthentik.io)

Using projects like these, elimity-com/scim: Golang Implementation of the SCIM v2 Specification (github.com)

SCIM could be implemented natively into Nethserver, which is actually the best option; it will work as both a server and a client.

Then, when you implement other SSO implementations, SCIM could be used as the communication model.

Zitadel, the coolest of the bunch, I think has plans for supporting it here: SCIM 2.0 Support as client and server · zitadel/zitadel · Discussion #1931 (github.com)

KANIDM is focusing on implementing SCIM here: SCIM Implementation · Issue #211 · kanidm/kanidm (github.com)

Now, of all the bunch of SSO providers,

I think you guys should focus on looking at 4:

Goauthentik

Too hippy; the future is not set in stone, and you’d rather go with the older companions like Keycloak, Gluu (Janssen) etc.

Zitadel

A newer bunch, handles things a bit differently, would be cool to have.
Has a robust and beautiful interface.
Has multi-tenancy support.

KANIDM

The newest of the bunch,
looking to disrupt the SSO market with its solution and its implementation.
Not sure about its interfaces (no admin interface yet).
I think you can grow with it better and easier than the others.
Has replication built in.

Gluu, JanssenProject/jans: An open source enterprise digital identity platform that scales: Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO (github.com)

So now that we have 3 left, Janssen, KANIDM and ZITADEL: Janssen has SCIM, but both Kanidm and Zitadel don’t have SCIM, though they will support it.
I think KANIDM might support it faster than Zitadel.

After reading through the ZITADEL documentation, I can see that it is possible to implement the ZITADEL LDAP configuration during installation and even with the provided Docker Compose.
Janssen, which was formerly called Gluu, has all the bells and whistles required.

Configure Local OpenLDAP as an Identity Provider in ZITADEL | ZITADEL Docs

Compose here: Set up ZITADEL with Docker Compose | ZITADEL Docs

PS, I don’t think there is any fault in supporting more than one SSO module in NS8; after all, Nethserver is a platform.

Just the initial official module needs to check a lot of boxes, and since there was consideration for possibly implementing an own interface, I think some of the SSO platforms make it easier to do so, or even use the one with no available admin interface.

Others make more sense to just use as is. Overall there are others that are simple enough that the community might implement a community module for them, leaving the dev team with an easier option for choices,
or rather the devs could choose which implementations are official, and which ones are community.

Some are easy to use, while others are extremely complex.

1 Like

JFYI,

way too much text, so I skipped reading it.

1 Like

I think you’re “drooling” for this - a nightmare for almost ALL my clients!

“sync User Identities with external third party tools” is probably illegal in Europe for almost everything!

Only a really stupid enterprise or state entity would opt for “Microsoft Authentification”, but it’s probably a sure way to get more Chinese “readers”


:slight_smile:

And starting the pointing game when things go south. No account provider wants to have responsibility when a third party has “write” permissions.
So SCIM becomes the default “blame boy”, whether true or not.

This then actually becomes the major problem, not a “feature”:

“irregardless where it was updated from”

:slight_smile:

I still see NO NEED for any of this in the SME (small, medium enterprises) market.

I actually do see major faults in this logic


Introducing “new” tools no SME has a need to use will introduce new risks, wrongly configured services, etc.
Most of these errors will occur on the extreme low-end side, users with less budget, know-how and/or experience, often under the mistaken concept that this new tool will make it possible to use this with no budget or know-how.


So more “free” support on subjects not normally covered


This all sounds like a company with 2 employees, but on the Organigram, there are twenty plus departments


Nethserver is a platform aimed at Small and Medium Enterprises, Home Users, not for globally operating enterprises or large cloud entities


:slight_smile:

My two glowing pieces of coal
Andy

Advocatus Diaboli

2 Likes

Well, absolute statements like this will usually be wrong, but I think this really is the question for me as well: Martin, what benefit do you see from SCIM for an organization with, say, no more than 50 users? Or maybe no more than 20? Sure, it looks like it’s teh new hawtness, but what real benefit does it bring?

I see two major features in your post:

  • “sync user identities with external third party tools”, and
  • “more than one identity provider”

Leaving aside the question of whether and under what circumstances this is legal (silly EU and their GDPR), why do you see it as being desirable? In particular, why do you see it as desirable for a small organization, which is the target market (AFAIK) for NS? Because maybe my imagination just sucks, but I can’t really see a reason that either of these would be beneficial in that setting.

This is completely impractical IMO. As you say, it would need to be deeply integrated into the system, which would almost certainly take a great deal of work. I’d think there would need to be a very strong reason to duplicate that work for a second (or third, or whatever) SSO system.

I’ve seen some of the Neth folks say they intend to have an official SSO system (Authentik, IIRC). It makes sense, all other things being equal, to use as full-featured a system as possible–surely it ought to support OIDC, SAML, and CAS. Maybe there’s a good reason to spec SCIM support as well, and if Authentik is the tool they’re using, it (per your post) would fit the bill. But the question remains, what major benefit(s) does this bring to the small organization?

The sentiments more than correspond to the fact that:

  1. Nethserver will not be used by one or 2 but maybe thousands of organizations.
  2. While the Nethserver dev team will choose or decide the identity provider to use, the community is able to implement a community supported one, or the one they prefer. The same way we have Webtop and SOGo: they both do the same function, but why do we have Webtop, SOGo and webmail? We could have easily had Webtop only.
  3. All large enterprises begin as SMEs, including Microsoft, Oracle, Google and all the others, even recently the likes of Notion, Trello (before acquisition) and others.

What Nethserver is offering the SME is the standard for the corporates, brought to the SME; otherwise no small SME wants to manage their own mail server, or file server etc. They would rather outsource or buy MS365.

Coming back to my industry, an average small SME in the IT and Software Space uses an average of 20 Tools.

  1. Slack and its brothers for communication
  2. GitHub and its cousins, for repos
  3. A wiki for their software and tools
  4. Email system and server
  5. Accounting software
  6. CRM system (assuming they have a strong marketing and sales department)
  7. Internal computers and logins
  8. Servers managing their websites and code
  9. Login to their websites
  10. Automation tools like Make, n8n and Zapier
  11. Bulk SMS / email marketing solutions and systems
  12. API integration platforms, e.g. Paystack, PayPal, Stripe etc.
  13. Website monitoring (could be Google, Matomo or Piwik PRO)
  14. Product monitoring (PostHog, and others)
  15. Data tools and maybe data aggregation tools (assuming they crunch a lot of data)
  16. Database management tools and similar
  17. Design and prototyping tools (Figma, Octopus.do)
  18. Possibly a password manager somewhere

This is just a hypothetical scenario for the small IT firm, the SME as you call it.

Is Nethesis an SME or an Enterprise? I know they are using almost the given number of tools:

GitHub, Docker, Discourse, DokuWiki, Trello, Figma, Mattermost, maybe Nextcloud, maybe more.
Where does the SME level end?

Some of the tools could be easily replaced by one tool.

MS365 will replace a huge number of the tools, an Azure subscription as well; a Zoho One subscription for $50 per user per month could replace a lot more.

But still there will be some other pain point areas and tools that still don’t fit the bill. Maybe an Oracle or SAP subscription could solve that.

Either way, for an organization to maintain some level of control in all these tools, they need an identity manager. AD fits the bill, but let’s be honest, AD was not designed for the cloud.

That’s why we have OIDC, OAuth2, SAML and cousins. Now everyone seems to be phasing out SAML in favour of SCIM. Do we not want to support SCIM, just because? Hell no; it’s like saying let’s not support Let’s Encrypt because there are commercial and self-signed certs that would still serve the job.

@danb35 I am guessing you’re not in the corporate enterprise category; if so, then why were you interested in SSO for SSH authentication?

While SCIM can complement AD at the moment, in the near future it may replace or phase it out completely.

Implementing an SSO module that does not support SCIM or has no immediate plans for supporting SCIM, if SCIM is not built into Nethserver, I am sure to say would be a wasted effort, and in the near future you might be forced to come back to the drawing board.

As with all things, not everything is mandatory. After all, Nethserver 7 has operated perfectly OK without an SSO module until @danb35 gave us LemonLDAP::NG.

I will be honest: the first real productive use case on my end of SSO has been with LLNG, courtesy of danb’s module.

But as I have used it, gotten accustomed to it, and learnt a lot more about its implementation, and how we can as well implement it in the software we are building, the more I have the need for more.

Operating from Africa, and in a country where our exchange rate to the dollar has increased 60% in less than 6 months, I know the pain of paying for subscriptions for every tool you need to use, especially if the pricing model is in dollars and designed not for the African market. I try to the best of my ability to squeeze every cent out of a dollar.

While $50 on your end could only afford a cup of coffee, on my end it’s able to pay an entire month’s rent somewhere, or even not-so-fast internet for use in the office.