OK, the magic wonder starts to deploy. Time to be the firefighter for burning needs for more tools.
SSO is a nice tool. IF it works, when it works.
But look at your keychain. Then, consider all your keys, all your keychains.
You'd love to have only ONE MAGICAL KEY and carry only that with you for opening the house door, rear door, garage door, office door, closet, car, motorbike, RV, quad, secret lounge, suitcase, softcase, cellphone, bike lock, door lock, HDD bay, server closet, rack door…
Sooo practical…
But… take more time:
- You need to ask a favor of a friend, a co-worker, or a customer, to only unlock the rack door, the server closet, or your bike lock: you need to give him/her your only key. Do you still think of asking that favor now?
- You're clumsy and your key falls into the sewer, or your key gets old and fragile and then breaks: now you're locked out of everything.
- A pickpocket on the train stole your key. Now they can access your whole world.
- How much time, money, effort, and trouble will it cost to remember and change all the locks that can be opened by your magical key?
I know that passwords are not physical keys, but in any case, having the same password for your whole world is considered insecure. SSO is… having the same password for all the services hosted in a "world" around NethServer.
Not only that… If LDAP goes down for any reason, all LDAP-related services will take an "I don't know" nap until you solve the issue. So SSO is a way to make the setup a bit less reliable, at least until you have a dual redundant setup for LDAP, just like the most recent AD from Redmond.
As for the firewall rules, the IDS/IPS, the IPFilter list: be sure of what you're doing, and try to know every weakness of the system before starting a project on SSO.
Because if one service is broken, all services will be shut down at the same time.
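The single-point-of-failure argument above is easy to check before committing to SSO. The following script is an added example, not code from the post or from NethServer: it probes the TCP reachability of a preference-ordered list of LDAP replicas (the hostnames `ldap1.example.test` and `ldap2.example.test` are hypothetical), reports which server clients would fall back to, and flags the setup when fewer than two replicas answer, which is exactly the "all LDAP-related services take a nap" situation described in the post. Reachability is only a coarse check (a server can accept connections and still fail binds), but it is enough to prove whether a second replica even exists on the network path your services use.

```python
"""Probe the reachability of the directory servers an SSO setup depends on."""
import socket
from urllib.parse import urlsplit

# Default ports for the two LDAP URI schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_uri(uri):
    """Split an LDAP URI into (host, port), applying the scheme's default port."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP URI: {uri!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_directories(uris, probe=tcp_reachable):
    """Map each URI to its reachability (True/False), preserving preference order.

    `probe` is injectable so the logic can be exercised without a live network.
    """
    status = {}
    for uri in uris:
        host, port = parse_uri(uri)
        status[uri] = probe(host, port)
    return status


def pick_directory(status):
    """Return the first reachable URI in preference order, or None if all are down."""
    for uri, up in status.items():
        if up:
            return uri
    return None


def redundancy_ok(status, minimum=2):
    """True when at least `minimum` directory servers answer the probe."""
    return sum(1 for up in status.values() if up) >= minimum


if __name__ == "__main__":
    # Hypothetical replica names; replace them with your own directory servers.
    replicas = ["ldaps://ldap1.example.test", "ldaps://ldap2.example.test:10636"]
    state = probe_directories(replicas)
    for uri, up in state.items():
        print(f"{uri}: {'up' if up else 'DOWN'}")
    chosen = pick_directory(state)
    print("clients would use:", chosen or "nothing, every SSO-backed service is stuck")
    if not redundancy_ok(state):
        print("WARNING: fewer than two replicas reachable; SSO has a single point of failure")
```

Run it from the same host that your mail, file and web services run on, since a replica that is reachable from your workstation but filtered by the firewall rules between the service host and the directory counts for nothing.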