SSSD and IdPs

Identity Providers (IdP) based on OAuth 2.0/OIDC and other REST APIs like e.g. Keycloak or Entry ID play a dominant role in the identity management of web-based applications. But organizations which are using IdPs for their internal applications still have to use other services, typically LDAP based, to manage access and authentication to LINUX/POSIX user workstations.

To help to avoid running two services for identity management SSSD started to use IdPs to lookup users and authenticate them against the IdPs. In contrast to LDAP there are no standards and conventions with respect to POSIX users and groups in the IdP world.

This talk will focus on how SSSD is getting user and group information from IdPs, how information required by POSIX, e.g. the numeric user and group IDs, is created and what kind of limitations there are. Additionally it will be explained why the OAuth 2.0 Device Authorization Flow was chosen for authentication and demonstrated.