Simple Integrated SSO: DexIDP


While taking a look at the POC Matrix app here, I couldn't help but notice DexIDP having been used inside the module.

More importantly, it has direct integration with LDAP/AD (LDAP implemented at the time).
This got me thinking.

A lot of NS8 apps have support for SSO, most importantly OIDC, which DexIDP supports, and considering its smaller footprint and direct LDAP integration via config files, it's a nice candidate to have within NS8.

Not many SSO solutions offer LDAP/AD integration directly within configs, for an NS-style implementation. The other simpler candidates are KanIDM and DefGuard/defguard: Zero-Trust access management with true WireGuard® 2FA/MFA (5 user limit for LDAP if unpaid). Both mentioned here before.

Not everyone would need to run and manage a fully fledged SSO implementation like Authentik, Zitadel or LemonLDAP::NG, due to their complexity and resource requirements; however, they could all benefit from what SSO has to offer, with tools like Temix.

And since @giacomo you have already done some heavy lifting for it, shouldn't we make DexIDP an independent SSO solution? What do you think @davidep?


What we need, more than “another” SSO app, is an “official” SSO app. It’s long past time for this–Davide agreed before NS8 was released that we needed this; we’re now up to 8.6, and we don’t have it yet. While this could surely be finessed a bit, requirements would include:

  • Automatically integrate with the accounts provider(s), whether OpenLDAP or AD
  • Automatically configure apps to authenticate against this provider:
    • The cluster-admin system
    • Roundcube
    • WebTop
    • SOGo
    • Nextcloud
      • Including existing accounts, which would need to be migrated in some way
    • Should be able to enable this on a per-app basis; users may want, say, Dokuwiki to use its own user database rather than the system one.
  • Needs to manage the standard SSO protocols
    • OIDC and SAML2 at a minimum
  • Needs to manage MFA
    • TOTP, WebAuthn, etc
    • Passwordless login
  • Needs to be relatively easy to administer
    • This is obviously subjective, but there needs to be a decent UI, and decent documentation, for the admin to use it. This would include adding and removing RPs (apps that would use this system for authentication), adjusting authentication flows, and enrolling or disenrolling authentication devices, as high priorities. “Theming,” or adjusting things like colors and graphics, would be a lower priority, but should also be supported.
  • Needs to be implemented in such a way that third-party apps can use it
    • That’s the point of SSO, after all–all, or at least a good approximation of all, your software can use it. The user/admin needs to be able to set up third-party apps (both “non-official”/community apps on the NS8 instance, and other software running elsewhere entirely) to authenticate against this system.
  • This one is probably a pipe dream, but it’d be great if it would incorporate plumbing to automate RP configuration, at least for RPs running on the NS8 instance/cluster
    • As an example, @mrmarkuz’ Headscale app supports authentication via OIDC. Currently, that configuration is entirely manual. I’m envisioning its sending an API request to the SSO system which would create the RP, and return the relevant information (endpoint, client ID, client key) to configure Headscale.

I’m not terribly concerned which solution is used, as there are now several to choose from–I’d probably lean toward Authentik, as I’ve been using it and been able to make it do what I need it to, but there are other options. I’d recommend against LLNG, though, if for no other reason than that it has a needlessly-complex way of configuring RPs.

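As an added example (not code from the thread, from NethServer, or from the Dex project), here is a minimal Dex configuration that shows the two things discussed above concretely: the "direct LDAP integration via config files" from the opening post, and a statically registered OIDC client for Headscale, the relying party used as the example in the previous post. Hostnames, DNs, file paths, the environment variable names and the client id are placeholders I chose; they are assumptions, not values from the thread.

```yaml
# Added example: minimal Dex configuration with an LDAP connector and one
# static OIDC client. Hostnames, DNs, paths, env var names and the client id
# are placeholders (assumptions), not values taken from the thread.
issuer: https://sso.example.com        # RPs must be given exactly this issuer URL

storage:
  type: sqlite3
  config:
    file: /var/dex/dex.db

web:
  http: 127.0.0.1:5556                  # terminate TLS in a reverse proxy in front of Dex

connectors:
- type: ldap
  id: ldap
  name: Company directory
  config:
    host: ldap.example.com:636
    # Use LDAPS and verify the directory's certificate. Leave both
    # "insecure" switches false outside a throwaway lab.
    insecureNoSSL: false
    insecureSkipVerify: false
    rootCA: /etc/dex/ldap-ca.pem
    # Dedicated read-only service account. Dex expands $VAR from the
    # process environment, so the password does not live in this file.
    bindDN: cn=dex,ou=services,dc=example,dc=com
    bindPW: $DEX_LDAP_BIND_PW
    usernamePrompt: Username
    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(objectClass=inetOrgPerson)"   # AD: (objectClass=person)
      username: uid                           # AD: sAMAccountName or userPrincipalName
      idAttr: uid                             # AD: DN
      emailAttr: mail                         # AD: userPrincipalName or mail
      nameAttr: cn                            # AD: displayName
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=groupOfNames)"    # AD: (objectClass=group)
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn                            # group names end up in the "groups" claim

# Statically registered relying party (Headscale). With a static list like
# this the RP setup is still manual: the id and secret below have to be
# copied into Headscale's oidc: section (issuer, client_id, client_secret)
# and the redirect URI must match Headscale's /oidc/callback exactly.
staticClients:
- id: headscale
  name: Headscale
  secret: $DEX_HEADSCALE_CLIENT_SECRET
  redirectURIs:
  - https://headscale.example.com/oidc/callback

oauth2:
  skipApprovalScreen: true
```

Two caveats a practitioner would weigh against the requirement list above: Dex issues OIDC/OAuth2 tokens to relying parties only (its SAML support is as a client of an upstream SAML identity provider, not as a SAML IdP for your apps), and it has no built-in MFA of its own, so the SAML2 and MFA items would still need another component or an upstream provider that enforces them.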

Yesterday, I stumbled upon an NS competitor who has implemented a builtin IDP. I read about it and I was like, man, NS has got some work to do.
You are right @dan, implementing a deeply integrated SSO solution within NethServer is what's next to come.

After reading through many SSO tools, and the NS implementation codebase, I see how this can be implemented (not with ease) using existing SSO solutions.
KanIDM is for me the best contender, as it's built with integrations and integratability in mind. Plus, it does not have much overlapping UI, as most features are config based; it does not have an external database; it supports all of SAML, OIDC, SCIM, and many others you never thought were needed. It even has RADIUS (good with NethSecurity) and SSH key distribution.

The main problem: it's built in Rust, and not Go, like most of NS8's functions.

Most others are, as you said, needlessly complex. Authentik, while great, is another level of complexity; the same applies to Zitadel, Keycloak and others. Gluu is the other closest best integration contender, but that is best suited for a cloud provider like AWS or Oracle and the likes; it's extremely complex, though robust.

Most others have already been discussed in the community already.
DexIDP is also a good alternative, but it misses a lot of enterprise features that NS8 might require. While I understand NS8 is currently serving SMEs, they might be looking to get some of the enterprise market as well in future. So while Dex could be a bridge now, it's not a great long-term alternative.

Is this really a problem? Does it matter which language(s) a tool is written in? Presumably it can still communicate with other software using the various standard protocols, right?

But regardless, I don’t have particularly strong feelings on the tool to use, so long as it does what I need it to do. But one thing I need it to do for WAF purposes is be able to use Apple’s FaceID for passwordless sign-on. I understand that works as a passkey, so it should be using a standard protocol.

Out of curiosity, which one?

Not a problem from an integration perspective, but from a development perspective, if developers don't like the language, have no strong understanding of the language, etc. Rust is OK, almost on par with Go actually, while being more efficient, and any seasoned developer should be able to adapt to any language.

UCS

I would like to also echo the need for an “official” SSO app for NS8. If there is no indication for one coming soon, I will need to evaluate an alternative to NS (and my paid subscription) for another platform. What are the “unofficial” SSO apps that are available for NS8? I don’t see any on the Software page. Do I need to add a new software repository?

Authentik has been working well for me.

Brother, it has not come to that now.

We do have a number of SSO solutions, as @dan has shared.
Keycloak needs help testing; Zitadel is laziness to release, honestly.

We are working to get most of the apps we built on the official NethForge repo; at least all installable from our repo are pro-ready, while those not yet on our repo need further confirmation testing.

The SSO solutions available on NS at the moment should still be sufficient for 95% of your SSO needs, I believe.

…except that none of the “official” NS apps use them. And that’s a big problem.

@dan The Authentik solution sounds promising. Are there guides for setting up NS Mail with Authentik in order to enable SSO/MFA capabilities?

Yes. The repo of GENIUS DYNAMICS LTD

Are there guides for setting up NS Mail with Authentik in order to enable SSO/MFA capabilities?

To be clear, I’m mostly interested in adding MFA for email access to NS Mail.

WebTop supports it, see WebTop groupware — NS8 documentation

Also Roundcubemail seems to support it via a plugin, see GitHub - alexandregz/twofactor_gauthenticator: This RoundCube plugin adds the 2-step verification (OTP) to the login process

I am new to some of these topics, so sorry for bouncing around so much.

Is it possible that I actually want OAuth2 support? What I’m really trying to accomplish is to setup MFA for my NS8 mail server. ATM, I only have Mail and Roundcube installed. So this would need to be IMAP, but on occasion Roundcube? Is Authentik a proper solution?

MFA and OAuth2 are two different things;

you can even use OAuth2 with MFA.

MFA options are usually TOTP, SMS etc.


The mail server doesn’t support it yet but there’s already a Feature request, see Can we get One-time password for using the NS8 mail server instance

You could install a plugin for Roundcube, so users can login to the Roundcube mail client using 2FA.

Authentik is a nice solution but the apps need to support it.


This really doesn’t have anything to do with SSO. Many of the SSO solutions can enforce MFA, but they’re separate issues.

…and Roundcube can. So can SOGo. I have no idea whether WebTop can (I’ve never been able to find any docs for WebTop itself, only for its integration into Nethserver). But most major software that’s designed to live on the web supports one of the standard SSO protocols–but none of the NS8 integrations (except, AFAIK, your Headscale module) do.


There’s a WebTop documentation from Sonicle: WebTop Administrator Manual — WebTop 5 Documentation

I also think that SSO would be a nice improvement for NS8.
The question was about the mail app, which doesn’t support SSO protocols yet, that’s why I wrote that apps need to support it.


How would one go about bumping the priority of SSO+MFA for Mail in NS8?

Usually you would open a Feature request but there are feature requests about that topic already.
You could add a post there and explain why the feature is important for you and how it should work.