Yesterday I started to deploy SSO through my private infrastructure using Keycloak. And after deploying Nextcloud and CodiMD with it, I'm starting to question this decision.
Because it's nice to have a central place and only a single login for all services, but apart from me, no one is using all services, and I don't see an easy way to restrict people from using certain services.
What to do…
@sheogorath Oh interesting. We chose Ipsilon instead of Keycloak for SSO. I'm curious to hear your experience, was it hard to configure?
I recommend having a look at:
Things that bother me right now: the already-mentioned lack of an easy way to restrict users to a subset of apps without creating a new realm, and the missing U2F/FIDO2 support.
Otherwise it seems fine and brings a nice UI.
The way we have it deployed is such that a user account needs to be explicitly created in Keycloak *and* Nextcloud for the user to be able to sign in. A bit more work when adding a user, but a bit more control too. Using the SocialLogin app here:
@rysiek I'm using the SAML authentication.
But I actually managed to restrict access by adding a custom script to the login flow.
For now people who are not part of my Nextcloud group simply end up with a "Your account is not setup yet" screen.
Currently looking into Synapse and afterwards into Mastodon.
@sheogorath Nice! I've been meaning to do this for a while. Is it any good?
I mean, you already expressed your discomfort with it. But I still want to try it I guess.
I tried it once but couldn't quite get it working and just gave up.
@one Well, when I start things, I finish them in most cases. And once set up, it shouldn't be too crazy to maintain.
I already migrated two out of 6 services to use this central login. Seems to work so far. Also got some workarounds for things that didn't work as expected. Have to do some long-term testing to see how well I like it.