YannickB
commented
7 years ago Hello Dave,
The good old subject of SSO. I think I already say it but according to me it's one of the most important one we have to address and I think we start to have enough global vision to figure the good direction.
I also believe most authentication shall be made through LDAP. Most software have LDAP connector, it's clearly the standard no doubt about it.
In #139 @KaloyanNaumov suggested Gluu as SSO/IDP and it seriously got my attention. It believe it shall be our main SSO component. As you can see in unfinished folder I tried to work on LDAP and CAS before. It was hell, I really think a software which integrate all SSO components (not only LDAP, but CAS, double factor authentication, authorization, SAML and plenty of other stuff) is the way to go so it's easier to maintain. It include an OpenDJ LDAP but it can be replaced, I don't know yet if we shall use it or use Samba 4 as suggested. I suggest working on Gluu template first, and then see from this point if something is missing, I heard your argument for desktop authentication it shall be in our requirement.
The most complex case I think we will need to manage with SSO : Let's say a company want to provide with Clouder a webmail service for individual customers.
- The customer go on the website and subscribe. This create an account on Clouder (res.partner or res.users ?) and an invoice.
- The customer is exported to the LDAP. When the bill is paid, the authorization for webmail access is added on LDAP. If next bill are not paid, the authorization is removed on LDAP but not the account.
- Then the customer try to connect to webmail, webmail check credential and authorization with LDAP, then create account and grant access.
This will allow us to have one base - several paying users, which is the only hosting case Clouder can't handle right now.
Another use case is for gitlab. Clouder create one gitlab project for each deployed Odoo service, customers must have access to theirs service projects but not others. This shall be done through SSO authorization, hence one authorization per service.
I see why you want to think about SSO now, this is because of number of user metric for billing. I agree, it's best to base this metric on the LDAP directly.
Last feature is the Portal feature, this shall be the central access, where the customer login and see a link to all applications he has access. Maybe Clouder itself shall be the portal, I don't know yet it depends if some software already exist for this purpose. This is not a priority, let's first have SSO and LDAP working.
Finally one thing we have to be aware : most opencore project consider LDAP authentication as Enterprise feature. We will often need to redevelop LDAP connector for theses software.
lasley
KaloyanNaumov
Another thing we need to knock out in this is Single Sign On, which will allow us to maintain users at one central point instead of needing to build out specific application connectors.
I feel that LDAP (Active Directory) via Samba 4 would be the best approach here.
It isn't as fancy as some of the other SSO solutions that exist, but it's compatible with essentially everything out of the box & is the only thing that will also allow users to login to computers with the same credentials.
Another advantage would be that we could use the same authentication backends for server maintenance using SSSD.
This would also allow us to have a product comparative to Amazon Domain Services, which is quite appealing to most small / medium scale businesses.
Assuming we do choose LDAP, we would need the following (WIP):
-useror-adminAnyone have any thoughts?