EuroPython 2018

Identity management, single sign-on and certificates with FreeIPA

Speaker(s) Christian Heimes

Authentication, authorization and public key infrastructure are complicated and hard to get right, yet crucial for every infrastructure. Manifold user databases in each application as well as ad-hoc self-signed TLS/SSL certificates don’t scale and are hard to administrate. Users don’t want to remember a password for each service, admins prefer a centralized PKI, and developers struggle with correct handling of password.

FreeIPA is an Open Source, Python-based identity management solution. It is much more than a simple user database. FreeIPA combines multiple mature products under an easy-to-use installer, command line and web interface: 389-DS LDAP server, MIT Kerberos, Dogtag PKI certificate system, BIND DNS with DNSSEC, SSSD, certmonger and more. It provides identities for users, services and machines with single sign-on (optionally 2FA) and role or host based ACL. Keycloak and Ipsilon IdP can be integrated to offer OpenIDC or SAML. Mutual trust with Active Directory is possible, too.

Installation of a FreeIPA server and integration with a WSGI application is much simpler than you might think. At the end of my talk you will know how to deploy a FreeIPA server with just one command, how to add replicas for redundancy, how to authenticate users and access user data like name, email and group membership without adding a single line of Kerberos or LDAP code to your application, and how to issue TLS certificates with auto-renewal and OCSP.


Do you have some questions on this talk?

New comment