There's a common misconception that #authentication methods mainly come in two flavours:
1. If you want to run your own servers and network, then you'll have separate services with separate users - therefore you need one set of credentials for each service.
2. If you want to allow #SSO and have only one account for all of your services, then you'll have to give a big external authenticator (Google/Facebook/Microsoft/Github etc.) access to your precious services.
After spending a couple of days setting up my #Keycloak server, I'm happy to disprove this misconception.
You can indeed set up your own SSO server, federate it with other sources (LDAP, Kerberos, or even other SSO services like Google/Github), and even federate realms with one another, if you want to create a more granular ACL.
Current state of integrating SSO into the services I run:
✅ NextCloud (although it was hell and the nextcloud_saml integration is held together with toothpicks)
✅ Mastodon (yes, OpenID Connect finally works!)
⏳ Main https://platypush.tech portal
So Platypush web services will soon require one single account to log into everything 🌐
The experience also reminded me why I hate JVM-based applications (come on guys, you can't require a minimum of 1GB of RAM just to run an authentication service, and just for the sake of using heavy smelly enterprise shit like JBoss) and why I hate #SAML and I believe that #openid_connect should be the future.
SAML is to OIDC what SOAP is to JSON/REST, or what OpenVPN is to Wireguard: a bloated alternative whose additional overhead and learning curve isn't in any way justified by better features.