EuroPython 2017: Identity management, single sign-on and certificates with FreeIPA

by Christian Heimes

Published July 13, 2017 in Technology


* FreeIPA: https://www.freeipa.org
* Public FreeIPA demo instance: https://ipa.demo1.freeipa.org/
* Ansible demo playbook is available at https://github.com/tiran/pki-vagans/tree/europython2017 (tag: europython2017, directory ipademo).
* Apache modules: https://www.adelton.com/apache/
* EuroPython 2015 talk by Jan Pazdziora, "External authentication for Django projects": https://youtu.be/62_jD-8zV4M

Authentication, authorization and public key infrastructure are complicated and hard to get right, yet crucial for every infrastructure. A separate user database in each application and ad-hoc self-signed TLS/SSL certificates don’t scale and are hard to administer. Users don’t want to remember a password for each service, admins prefer a centralized PKI, and developers struggle with the correct handling of passwords.

FreeIPA is an Open Source, Python-based identity management solution. It is much more than a simple user database. FreeIPA combines multiple mature products under an easy-to-use installer, command line and web interface: 389-DS LDAP server, MIT Kerberos, Dogtag PKI certificate system, BIND DNS with DNSSEC, SSSD, certmonger and more. It provides identities for users, services and machines with single sign-on (optionally 2FA) and role- or host-based ACLs. Keycloak and Ipsilon IdP can be integrated to offer OpenIDC or SAML. Mutual trust with Active Directory is possible, too.

Installation of a FreeIPA server and integration with a WSGI application is much simpler than you might think. At the end of my talk you will know how to deploy a FreeIPA server with just one command, how to add replicas for redundancy, how to authenticate users and access user data like name, email and group membership without adding a single line of Kerberos or LDAP code to your application, and how to issue TLS certificates with auto-renewal and OCSP.