SCIM a NEW "LDAP" STANDARD

I asked a simple question. You used almost 800 words to not only not answer it, but mostly to not say anything even related to it. I guess that’s up to you–and I’m certainly not the person you need to convince–but if you want SCIM support in Nethserver, I think it’s a question you need to be able to clearly answer. Unless it’s just obvious to everyone but me, which I guess is possible, but that doesn’t seem to be the case here.

1 Like

@oneitonitram

A very, very narrow view of things and real life.

Of my 30+ clients, none do programming, so Slack, Mattermost or typically any software with “agile” in it’s description, almost always refering to “agile” programming, and almost “cult”-like!
Some are in IT, but services, and don’t need programming tools.


Maybe in Africa, Asia and South America, but herearounds, start spamming, and you’re blacklisted.
No one want’s spamming except spammers!

All the fake marketspeak of these guys: “Leads”: Any stolen E-Mail becomes a lead is simply NOT true.


Maybe more important as to the relevance of an “IT company” as a typical SME:
How many would potentially choose NethServer, and how many would opt to do their own, using Debian, Ubuntu or even a BSD variant to run their choice ot stuff. I am talking about guys with Know-How… :slight_smile:

If they don’t have know-how, they simply won’t “grow” and thus will never become an Enterprise!


AFAIK, the most NethServer users are in Europe, closely followed by North and South America.
Africa and Asia are last on the lists.
I think @alefattorini could confirm this.


My 2 cents
Andy


1 Like

Let’s be honest here:

Exactly SAP and Oracle are the very typical tools an Enterprise uses on site, as these handle very confidential data.

Oracle does have some use in big data handling, but then again, this is an area which doesn’t need an Identity Manager, as this data is only for a small circle of people. On top of it, it’s an entirely different set of shoes than the typical ERP in large organisations / enterprises.

My 2 cents
Andy

1 Like

If you’ve gotten used to having a SSO tool,and are into programming (also for clients) I don’t see why or what stops you from implementing your own VM with a Debian or whatever OS, and the SSO of your choice, and using that to couple the AD or LDAP in NS8 with whatever tools need SSO integration for your business.

Can you give an answer to this?

Without an answer, I’ld have to assume the two "L"s… , either lazyness, or lack of knowhow.

I also do not think you’ve ever run into a “race condition” with 2-way sync of Identity, different restrictions of password complexity or any of the plentiful headaches SSO can bring.
It can easily turn out to be a case of too many cooks ruin the brew!

Most SSO systems typically use one way sync exactly because of this, and very strict rules…


Sorry for being so harsh, but as both Dan and LayLow have mentionned, very, very long winded, without any real statement in all those words. Where’s the beef? :slight_smile:

My 2 cents
Andy

1 Like

Actually, i can, and have done so, the same with all the other tools,
its posssible to deploy Nextcloud in a normal cpanel, its possible to deploy zammad in a normal cpanel, its possible and actually easy to deploy vaultwarden using coolify,
Webmail is already the default webmail client for 90% hosting control panels.

Email, Zimbra, can do, recently someone posted zitadel, there is now carbonio etc.

its not a question of if it spossible or not to deploy on other platfors, in some cases, it could be even easier to do so, its a question of how do we build nethserver into a prodcut that most SME would want to use,

Someone may chose to use nethserver, just because it implements nextcloud better, someone else, because they need AD, another person because it has Webtop or mail server, etc.

if all is set in stone, why then did the developers go through alot of trouble to implement community nethforge repo.

Why does it have a module system, they could have monolith built the thing to do just nextcloud, AD and the likes, Why did they choose to seprate firewall from main Nethserver.

its because they wanted NS to grow beyond firewall, and wanted the community to be engaged and contribute.

otherwise we’d only have nethrepo only, and thats it.

this could actually be a very wonderful reason why someone might want to choose nextcloud.

it possible to install KVM and virtual things inside linux, why do you use proxmox.

there is no beef, sharing is caring. everyone in the community has a part to contribute.

for example, i have not generally tested NextSecurity because, i dont know much about firewall,s and wouldn’t know if something is a feature or a bug, i use the bare minimum configs… but for waht i know, i stick my head in.

@oneitonitram

Well, AFAIK, you were the only one besides Dan using his SSO productively.

I do not see much positive feedback on any of your SSO posts…

SSO is an interesting subject, I’ve been dealing with SSO for over 20 years, so maybe I do have some experience in this subject.
Yet it was never for an SME, it was always only for BIG enterprises, who had the small change needed to implement all the details well in such tools.

IMHO, the interest in this community / forum for SSO on NS8 seems extremly low. The general consensus seems to be anyone who needs SSO is free to create a module / container / VM to handle the job.

I’m using the word “seems” as I don’t have any polling stats nor actual data from the forum system (Discourse). I’m judgeing from Feedback in the Forums and my memory on the Posts…

I don’t think a lack of knowhow should enable a fool to dabble with things he doesn’t understand.

It’s like allowing a common user to run a mail system. It will become a spam gateway, that’s all!

Nothing wonderful about that!

The most dangerous fools are the ignorant ones!

KVM doesn’t handle Backups lkie PBS does with Proxmox! Very simple!

As a commercial supplier of services, it’s a BIG advantage to use commercial, supported tools. KVM alone is something for freaks. Proxmox is here on a different league. And yes, all my clients use a paid license for Proxmox…

→ A very narrow view of the world…
I do hope that’s not a continental issue, having a narrow minded view of the world.

As I do not support SSO on NethServer NS8 specifically, I will ignore future posts on this subject as too time consuming and leading nowhere…

Over and out!
No hard feelings intended, but my personal opinion.

And to be honest, I would drop NethServer, if release is delayed due to SSO, a Feature that was never part of NethServer…

After RedHat’s betrayal and lying, I’m a bit susseptible on such issues!

My 2 cents
Andy

1 Like

I’m a big proponent of SSO. I’ve put no small amount of work into making it work with Nethserver. And if Nethesis are going to put SSO into NS8 (as they’ve mentioned up-topic they intend to), and SCIM is a growing standard for SSO, I’d just as soon, all other things being equal, they work with a product that includes it rather than one that doesn’t.

But Martin, you seem to be putting a pretty high priority on SCIM. So, to repeat the question I asked back in October (and again earlier this evening), why? What does it bring to the table–in the context of a small organization, which is what NS8 is designed to serve–that existing protocols don’t?

AWStats shows about 60 downloads of my RPM between 2022 and 2023. Hardly a ringing endorsement (automx, self-service-password, and acme-dns are all more popular), but it does tend to suggest there are other users.

But it’s also important to keep in mind that, even with my module, LLNG isn’t the easiest thing to configure. I’d expect interest would be a bit higher in a better-integrated solution.

You mention that SSO tends to be reserved for big business. I’m not sure how accurate that is any more, with as popular as “Log in with Google/Facebook/Microsoft/GitHub” is becoming (all of which are a form of SSO, but remotely hosted), but even leaving that aside, I think there’s a definite place for it in the small organization as well. The IAM piece of it wouldn’t be as relevant–you’d most likely have all users have access to all, or at least most, of the services on the server. But given that that’s the case, it seems silly for the same user to have to log in separately to SOGo, Nextcloud, and Mattermost (to give three examples), when all three are running on the same server for the same organization. And I think that’s a feature that would be viewed as beneficial by lots of users, even if most wouldn’t put a lot of work into making it happen. Even for a home environment this can be helpful.

I’m agnostic as to which solution the devs implement, and I’m far from sold on SCIM. But it looks like the devs do plan to implement a SSO system, and if they do that right that can be a pretty significant convenience for users of the server.

1 Like

With SCIM, user identities can be created directly in a system like Keycloack, or withing AD, the way NS does it, or even the user created in the accounting software can be imported into the identity manager.

if my HR manageronly has access to the hr system and a new employee is added, the user is created into SCIM as well, and IT is happy.

Ulike an email needs to be sent to IT to create the new user. when a user is fired by HR, they are disabled, and are deprovisioned in SCIM

SCIM is a REST and JSON-based protocol that defines a client and server role.
A client is usually an identity provider (IDP) like LLNG, that contains a robust directory of user identities

A service provider (SP) is usually a SaaS app, like Slack
that needs a subset of information from those identities.

When changes to identities are made in the IdP, including create, update, and delete, they are automatically synced to the SP according to the SCIM protocol. The IdP can also read identities from the SP to add to its directory and to detect incorrect values in the SP that could create security vulnerabilities.

For end users, this means that they have seamless access to applications for which they’re assigned, with up-to-date profiles and permissions.

SInce its Restful, its easy to Implement, even NS can adopt it, for NEthserver based systems, like Mail, NEthvoice and others.

Some apps can do what is called “Just in time access/provisioning” when logging in via Keycloack/LLNG (OpenId Connect) where it will create a new user and update it with the information received from Keycloack/LLNG

Where all of the provisioning in OpenId Connect happens when you login, SCIM does it automatically in the background.

So for user management SCIM have a handful of advantages over Keycloack/LLNG (OpenId Connect)

  • It creates the user before they login, as an example this allows you to assign “tasks” or similar to the user before they login the first time
  • It deletes the user again
  • It can create and update roles and groups

The combination of Keycloack/LLNG and SCIM gives you the best coverage of user identity management in a third party application.

SCIM is a communication standard,

While SCIM and single sign-on (SSO) work together, each serves a different purpose. SCIM provides an easy way to provision users’ access across multiple domains, whereas SSO performs SCIM authentication by verifying users’ credentials.

What Is SCIM Provisioning? How It Works, Benefits, and More | StrongDM

@danb35 i have explained countless times these principals, and i am left wondering when you say i have not explained why it makes sense.

@oneitonitram

No one is questioning the function or details of SCIM or SSO, there are more than enough documents online covering that.

“What sense does it make for a SME?”, in your view, is the question being asked.
I still do not see any advantage for the typical small SME.

You talk about My HR Manager…

80-90% of my SME clients don’t actually have departments… That’s all under “Administration”, including Bookkeeping, HR and other “cost centers”…

Real Life…

Maybe African startups and small to medium Enterprises like 5 people companies have dedicated HR and Marketing departments?
SME do have fluctuations, true. But then again, not that many, usually.
Too much overhead bloat?

My 2 cents
Andy

Andy understands what I’m saying here. To put it in language I used when I worked in sales, you’re talking in terms of “features,” while I’m asking in terms of “benefits.” OK, SCIM can do these things. Great. Why does a small organization care? So, when you say:

I say, so what? What’s the practical benefit of this?

So the first time one of these users logged into Slack, for example, they could have certain tasks assigned (presumably something along the lines of building their profile). This can’t be done using OIDC?

But you can do that with any auth system. What makes SCIM different here?

I’m beating the drum of “a small organization,” because that’s who I understand NS to be designed for. And the user-management needs of an organization with a few dozen users are going to be very different from those of one with several hundred or thousand.

1 Like

if you’re putting it in that sense, then an SME does not need a SMB server, NEtiher do they need AD, and all other things.

I have worked and work with organization that my annual turnover is daily petty cash for them, but they dont have AD, don’t have SSO, they use cpanel with webmail for email, thats it, and everything is done over email.

there is never a question of Need, over non need. it is a question of industry best practices brought in to get things done effectively.

BEfore git, softwares were still being built, but albeit was abit harder.

without SCIM, people will still operate, just like they have operated without SSO before,

its a question of understanding the value propositions presented by a technology, and applying the same.

I never knew i needed glpi, infact, it would seem that my small organization did not need such a tool,

but when licenses, and domains begin to expire, and other systems begin to fail, only to realise the correlations between service A an B.

In Kenya, we have a platform called M-Pesa, its literally money, works with feature phone, functions like a bank, but is more than a bank. All you need to send money to someone in Kenya is their phone number, dont even ask account number, send to their phone, they will get it.
if you asked if people needed it, no one would say it made sense, but now, we can not live without it.

We dont need SCIM, true, we can work without, but i bet in the near future, we will need it.

short answer, I may not really be in a better position to explain by words its importance, but i see the vision.

same way nobody needed an Iphone, we had blackberry, but now… (story for another day)

As a New platform (NS8) we need to also anticipate the future of small business operations and management. and new trends. that’s why podman was used. and we now have to re-build all previously working modules.

So, i will not attempt again to explain why its needed or is important,(because i am not equiped to do so) but if i lean something new about the project, i will sure do share, it will also be great for my reference and for the discussion reference.

1 Like

…which is why I didn’t ask about “need.” I asked about “benefit.”

I really can’t tell if you’re being deliberately obtuse, or if you just can’t understand what I’m asking. I think my question is pretty clear, and I think I can normally communicate pretty well in writing, but you have at this point written several thousand words that just don’t address it. At all. So it seems that
Screenshot 2021-07-07 at 16.28.35

…and as a result this discussion has become non-productive. But here’s what I’m seeing:

  • You want Nethesis to prioritize SCIM in NS8
  • You can’t, or won’t, explain what benefit SCIM brings to the organizations NS is intended to serve

I think you’ll have a much better chance of accomplishing your goal if you can correct the second point. Good luck.

It’d probably be worth working toward a shared definition of “SME.” In .eu, this includes a business with up to 250 employees. In .us, it varies with the industry, but can be as many as 1500 employees. It’s my perception that NS’ target market is on the smaller side of that–I’d mentioned <= 50 users, which would be a “small business” under the EU definition–but they don’t clearly state that anywhere I can see, and specifically include “medium enterprise” on their home page.

A related question would be “what kind or size of organizations are using Nethserver,” as there could be a discrepancy between their target market and the actual user base. But if they’re really targeting organizations with (up to) hundreds of users, a more advanced user management/SSO/IAM tool is going to make a lot more sense than if they’re only aiming at a few dozen at most.

Hi @danb35

AFAIK, in EU / Switzerland it’s 2-500 Users “Officially”.
I am aware of some NethServer Installations in South America and Asia with more than a few hunderd users, some over a thousand. But either they are the exception to the rule, or admins of such systems don’t need / show up on the Forum - or very rarely… :slight_smile:

The larger, more dispersed an organization is, the more non-MS tools / programs / apps they use, the more they benefit from SSO.

My 2 cents
Andy

I think this is the big issue, and it also ties well with what NS is–it’s a way for smaller organizations to self-host stuff that they’d otherwise be using MS365/Google Apps for. Larger organizations don’t so much need the all-in-one server; they have the IT staff to set up a webserver, and a mail server, and whatever else they need (though “the cloud” is pretty popular even with big business, it seems). But a ten-man shop isn’t going to have that resource, so they either put their information “in the cloud” (i.e., on someone else’s computer, so they give up control over their data), or they need a product that can handle these things out of the box in a robust and secure manner. And that’s what NS/SME/e-smith do.

SSO isn’t essential in this environment, but it is more secure (applications never handle user credentials), and it’s surely more convenient (in the ideal case, you only need to sign in once to use any tool, locally- or remotely-hosted, that your organization uses). That’s why I’ve been a cheerleader for SSO for a while, and really hope to see NS move forward to implement it and integrate it into the system.

SCIM continues to puzzle me, though–I see lots of buzzwords, but very little “so what.”

@danb35 let me see if this helps open up your mind to SCIM and if it makes sense to you.

IF my company has the 20 tools that we are using, and we have SCIM in our identity provider, be it nethserver, or keycloack or llng, and the users make use of SAML, or OIDC to login to any of the platform s we have as a company.

If, when a new user joins the organization, and we know they need access to Github, slack, salesforce, etc.

from within our SAML dashboard, we can assign which of these tools, these users can login into, and therefore have their accounts pre-provisioned for them.

So when they go to GitHub or slack and login, they already have pre-provisioned accounts and all parameters settings assignments etc done for them.
so they would be automatically invited to the tool, and to whatever groups, task etc, created in that, as per the support functions of the said tool

if in one instance, this user does not need to have access to GitHub anymore, but they still need to have access to all the others,

then from within the IDP, we can go and dis-assign the user from that particular application.

it is this kind of granular control and centralised managemnt that SCIM adds to the IDP capabilities, that was not there before. Sure, you can still use SAML, sure you can still use OIDC etc, but SCIM adds to them, not take away, not replace.

the forceable long term effect is that, because there is some compatibility in sense of what SCIM offers with Active directory and or LDap, they may end up being replaces/Phased out by SCIM being the holder of user accounts.