SSO revamped

From Technologia Incognita
Status: Planning
Niche: Software
Purpose: Infrastructure

Incipit

This started out as "we want to allow members to create accounts on our Matrix homeserver". It then turned into "let's fix up our SSO setup and just use that for Matrix accounts instead".

Where we stand

We have a Keycloak + LDAP setup currently used by board tools. It works, but it is clunky and complex to maintain.

For example, it creates accounts automatically from the board tools, but includes the member's real name by default, which is not great for privacy/PII protection.

Because of that, User:Frogeye has been creating accounts on demand instead.

What we want

  1. Ease of maintenance. The simpler, the smaller, the less hands-on, the more automated, the better.
  2. Automated onboarding of space members (e.g. an invite link sent by email upon joining Tech Inc). When someone stops being a member or their membership expires, they should automatically be off-boarded and lose access to every space service that uses the SSO for authentication.
  3. Applications deployed by space members should be able to offload authentication to the SSO system, so that an application can easily be restricted to space members (e.g. useful for services exposed publicly to the internet).

Leads to follow/things to explore

  1. Authentik: simpler than Keycloak and maybe easier to maintain; to be determined.
  2. Authelia: runner-up. We already tried Keycloak, and apart from it, Authentik and Authelia there doesn't seem to be much else: https://github.com/awesome-foss/awesome-sysadmin?tab=readme-ov-file#identity-management---single-sign-on-sso

Concrete next actions to take

  1. Compile a list of probably-good Matrix instances to create an account on (sort of TechInc-recommended, but not rigorously vetted or guaranteed) for people who just want to drop by, ask questions, or whatever, without having to come to a Social and ask for an account, and make a wiki article out of it
    • (sure, Matrix specific, but read the incipit and it will make more sense why this is here :) )

TODOs not ready to implement yet (e.g. waiting for other steps to be completed first)

  1. Make a wiki page for Matrix explaining how to get an account, how to join the TechInc homeserver, and other important info
  2. Make a wiki page about the SSO setup and infra
    • How to get an account
    • What that account gives you access to
    • How to use that account (I'm a user wanting to use a Space service)
    • How to integrate with SSO (I'm a member developing some service to be deployed that needs to be behind authentication)

Open Problems

  1. Should the SSO system be member infra (open to all members) or board infra (restricted to board members, used for board tools, hosting PII/sensitive information that should not be accessible to most people, deployed on a separate cluster and network)?
    • The board tools also depend on the SSO, but maybe we don't want to gatekeep applications that want to use SSO (or maybe we do, actually). To be determined.
    • Making it board infra means that nicknames/emails (which most apps require, if only because notifications exist) won't be available for members who haven't logged in to those apps.
  2. User ID stability
    • Some apps force the use of the email address or nickname as the user ID. This is bad if someone changes their nickname or email address: existing references to the user break or silently point at a different person.
    • We should keep an eye on this and try to ensure that, internally, a stable user ID is used (e.g. an AUTO_INCREMENT INT column in MySQL; the OIDC sub claim is the stable identifier an IdP provides), and externally a more aesthetically pleasing identifier, which can be changed without affecting existing references to the user elsewhere in the system or in other systems.
  3. Guest accounts (this is more Telegram/chats specific)
    • As of 2026-04-06, Telegram is still the place joined by a lot of people who just come to the Wednesday meetings (Social Evenings) and want to get in touch with the community. The new account setup might introduce undesirable friction.
    • 30 days guest accounts, to be requested physically at a social?
  4. Matrix-IRC bridge:
    • Lots of potential new people first enter via IRC (probably partly because it is linked on the TechInc front page). Those people not being visible in Matrix is not good (e.g. unanswered questions, split brain, disjoint sub-communities, etc.)
    • At the same time, if the old IRC is just a comfy community of old members, we might be ruining their habitat by bridging their world wholesale to Matrix
    • Proposed Solution: keep the old IRC intact (or renamed to old), add a bridge to a new channel (IRC-new) that is linked on the official website
      • Newcomers asking questions will be seen on both IRC and Matrix
      • Old IRC channels will stay nice and comfy for whoever still lives and hangs out there
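
As an added example for Open Problem 2 (User ID stability), not code from this page or from any of the SSO products it mentions, the following shows an application keying its users on the stable OIDC issuer+subject pair, next to the email-keyed scheme the problem warns about. It assumes an IdP that issues standard OIDC "sub", "email" and "preferred_username" claims; SQLite's INTEGER PRIMARY KEY AUTOINCREMENT stands in for MySQL's AUTO_INCREMENT; the issuer URL, the sub value and the ID-token claims are constructed sample data. The same member logs in twice, having changed both nickname and email address in between, and each scheme is asked whether it still recognises them and still shows their earlier post.

```python
"""Stable user IDs for an SSO-backed app. Added example, not from the page
or any project. SQLite AUTOINCREMENT stands in for MySQL AUTO_INCREMENT;
all claims below are constructed sample data."""
import sqlite3

# Recommended: a surrogate key that is never shown to users, the (issuer,
# subject) pair from the ID token to recognise the SSO identity, and
# nickname/email stored as plain attributes that may change at any time.
SCHEMA_STABLE = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    issuer   TEXT NOT NULL,
    subject  TEXT NOT NULL,
    nickname TEXT NOT NULL,
    email    TEXT NOT NULL,
    UNIQUE (issuer, subject)
);
CREATE TABLE posts (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    owner INTEGER NOT NULL REFERENCES users(id),
    body  TEXT NOT NULL
);
"""

# What the open problem warns about: the email claim *is* the user ID.
SCHEMA_EMAIL_KEYED = """
CREATE TABLE users (
    email    TEXT PRIMARY KEY,
    nickname TEXT NOT NULL
);
CREATE TABLE posts (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    owner TEXT NOT NULL REFERENCES users(email),
    body  TEXT NOT NULL
);
"""

# Constructed ID-token claims: the same SSO identity before and after the
# member changes nickname and email in the IdP (issuer and sub are made up).
CLAIMS_BEFORE = {"iss": "https://sso.example.org", "sub": "7f3c1e2a-0b4d",
                 "preferred_username": "frog", "email": "frog@example.org"}
CLAIMS_AFTER = {"iss": "https://sso.example.org", "sub": "7f3c1e2a-0b4d",
                "preferred_username": "frogeye", "email": "frogeye@example.net"}


def open_db(schema):
    db = sqlite3.connect(":memory:")
    db.executescript(schema)
    return db


def login_stable(db, claims):
    """Upsert keyed on (iss, sub); returns the internal id. A login carrying
    a new nickname/email updates the existing row, so the id and every row
    referencing it survive the change."""
    db.execute(
        "INSERT INTO users (issuer, subject, nickname, email) VALUES (?, ?, ?, ?) "
        "ON CONFLICT (issuer, subject) DO UPDATE SET "
        "nickname = excluded.nickname, email = excluded.email",
        (claims["iss"], claims["sub"], claims["preferred_username"], claims["email"]),
    )
    return db.execute("SELECT id FROM users WHERE issuer = ? AND subject = ?",
                      (claims["iss"], claims["sub"])).fetchone()[0]


def login_email_keyed(db, claims):
    """Upsert keyed on the email claim; returns it as the user ID. After an
    address change this silently creates a second, empty account."""
    db.execute(
        "INSERT INTO users (email, nickname) VALUES (?, ?) "
        "ON CONFLICT (email) DO UPDATE SET nickname = excluded.nickname",
        (claims["email"], claims["preferred_username"]),
    )
    return claims["email"]


def add_post(db, owner, body):
    db.execute("INSERT INTO posts (owner, body) VALUES (?, ?)", (owner, body))


def summary(db, user_key):
    """Account count and the posts the app attributes to user_key."""
    return {
        "accounts": db.execute("SELECT COUNT(*) FROM users").fetchone()[0],
        "posts_visible": db.execute("SELECT COUNT(*) FROM posts WHERE owner = ?",
                                    (user_key,)).fetchone()[0],
    }


def run_stable():
    db = open_db(SCHEMA_STABLE)
    before = login_stable(db, CLAIMS_BEFORE)
    add_post(db, before, "hello from the social")
    after = login_stable(db, CLAIMS_AFTER)
    out = summary(db, after)
    out["same_user"] = before == after
    out["nickname"] = db.execute("SELECT nickname FROM users WHERE id = ?",
                                 (after,)).fetchone()[0]
    return out


def run_email_keyed():
    db = open_db(SCHEMA_EMAIL_KEYED)
    before = login_email_keyed(db, CLAIMS_BEFORE)
    add_post(db, before, "hello from the social")
    after = login_email_keyed(db, CLAIMS_AFTER)
    out = summary(db, after)
    out["same_user"] = before == after
    return out


if __name__ == "__main__":
    print("stable id:  ", run_stable())       # same_user True, 1 account, post kept
    print("email keyed:", run_email_keyed())  # same_user False, 2 accounts, post lost
```

The stable scheme hands the internal id (or the issuer+subject pair) to anything that needs a durable reference, while the nickname is the human-facing identifier that can be renamed freely. The email-keyed scheme loses the member's history on a rename, and it has a second failure mode worth checking any candidate app for: if the IdP ever assigns an old address to a different person, that person inherits the old account.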