snabelen.no is one of many independent Mastodon servers you can use to take part in the decentralised social web.
A Norwegian home for the decentralised microblogging platform.

#sso


Over the weekend I managed to connect all my self-hosted services that support it to the #Keycloak #SSO (single sign-on).
Namely #Mastodon, #Peertube, #NextCloud, #FreshRSS, #Matomo and #grafana.

Why bother with such complication for apps serving only a couple of users?
First, it's quite easy nowadays.
And second, because I want to get rid of passwords and just use #passkeys.

This is one of many examples showing that good apps should just focus on one task and use standards to cooperate with other apps focusing on other tasks.

Peertube, for example, focuses on videos, not user management. I am very OK with them not supporting passkeys, because they implemented the OpenID Connect standard to allow me to use Keycloak for better login options.

On the other hand, I am quite sad that SSO is often the one feature that is proprietary and reserved only for paying customers. SSO is not only for huge corporations anymore. It's also useful for us self-hosters with a couple of users.

❤️ :opensource: :keycloak:

Is there a term for the class of "credential storage confusion" #security issues, where the user accidentally saves a password or passkey in a vault they don't actively use (browser, #SSO IdP, #passwordManager, OS)?

One thing that made me think of this is having to go through a separate step (like "use a different device") on Android to avoid enrolling the phone as passkey.

I can see how users spread active credentials across multiple services which seems like a massive #infosec issue to me...

Went to our first concert of "classical" #music since February 2020. In Benaroya Hall in #Seattle, Ludovic #Morlot conducted a few pieces by #Ravel and premiered a beautiful new composition by Allison Loggins-Hall, "Rhapsody on a Theme by Joni for Solo Flute and Orchestra." Demarre McGill did a fabulous job in the solo part. In the picture, Morlot is standing away from the podium, directing audience applause away from himself and toward the percussionists. #SSO #SeattleSymphony #classicalmusic

In the meantime I have, incidentally, had time to play around with the Keycloak auditor kcwarden by @hacksilon and his colleague. A great tool for checking where the often very lax default settings should be tightened!

Repo: github.com/iteratec/kcwarden

Talk: youtube.com/watch?v=PRvHLx5oCj

(And afterwards, please test that everything still works, especially the redirect URIs. 😉)

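The post above recommends auditing a Keycloak realm for lax defaults and then re-testing the redirect URIs. The following is an added illustration of what such an audit looks at; it is not kcwarden's code and does not reproduce its rule set. It reads a realm export (the JSON Keycloak produces under Realm settings, Partial export) and flags a handful of client-level settings: wildcard or plaintext redirect URIs, the implicit flow, direct access grants (the password grant), public clients without enforced PKCE, and a wildcard CORS origin. The field names (`clients[].redirectUris`, `publicClient`, `implicitFlowEnabled`, `directAccessGrantsEnabled`, `attributes["pkce.code.challenge.method"]`, `webOrigins`) are the ones Keycloak writes; the realm and client names are constructed for the example.

```python
"""Audit a Keycloak realm export for a few lax client settings.

Added example, not kcwarden's code. The realm below is constructed:
one client configured conservatively, one with the common lax choices.
"""
import json
from urllib.parse import urlparse

# Constructed realm export (only the fields the checks below read).
SAMPLE_REALM = json.dumps({
    "realm": "home",
    "clients": [
        {
            "clientId": "peertube",
            "publicClient": False,
            "standardFlowEnabled": True,
            "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": False,
            "redirectUris": ["https://video.example.net/plugins/auth-openid-connect/router/code-cb"],
            "webOrigins": ["+"],  # "+" = origins of the registered redirect URIs only
            "attributes": {"pkce.code.challenge.method": "S256"},
        },
        {
            "clientId": "grafana",
            "publicClient": True,
            "standardFlowEnabled": True,
            "implicitFlowEnabled": True,
            "directAccessGrantsEnabled": True,
            "redirectUris": ["http://grafana.example.net/*", "*"],
            "webOrigins": ["*", "+"],
            "attributes": {},
        },
    ],
})


def audit_client(client: dict) -> list[str]:
    """Return the findings for one client entry (empty list means nothing flagged)."""
    findings = []
    cid = client.get("clientId", "<unnamed>")
    attrs = client.get("attributes") or {}

    for uri in client.get("redirectUris", []):
        if uri == "*" or uri.startswith("*"):
            findings.append(f"{cid}: redirect URI '{uri}' matches anything; an authorization code can be sent to an attacker-chosen site")
        elif uri.endswith("/*"):
            findings.append(f"{cid}: wildcard redirect URI '{uri}'; prefer the exact callback URL")
        parsed = urlparse(uri.rstrip("*"))
        if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{cid}: plaintext (http) redirect URI '{uri}'")

    if client.get("implicitFlowEnabled"):
        findings.append(f"{cid}: implicit flow enabled; tokens would be returned in the URL fragment")
    if client.get("directAccessGrantsEnabled"):
        findings.append(f"{cid}: direct access grants enabled; the application collects user passwords itself")
    if client.get("publicClient") and client.get("standardFlowEnabled") \
            and attrs.get("pkce.code.challenge.method") != "S256":
        findings.append(f"{cid}: public client without enforced PKCE (S256)")
    for origin in client.get("webOrigins", []):
        if origin == "*":
            findings.append(f"{cid}: CORS web origin '*' allows any origin")
    return findings


def audit_realm(export_json: str) -> dict[str, list[str]]:
    """Audit every client in a realm export; keys are the client IDs with at least one finding."""
    realm = json.loads(export_json)
    results = {}
    for client in realm.get("clients", []):
        findings = audit_client(client)
        if findings:
            results[client["clientId"]] = findings
    return results


if __name__ == "__main__":
    for cid, findings in audit_realm(SAMPLE_REALM).items():
        print(f"== {cid}")
        for finding in findings:
            print("  -", finding)
```

Run it against a real export with `audit_realm(open("realm-export.json").read())`. Note that `webOrigins` of `+` is not flagged: in Keycloak it means "the origins of the valid redirect URIs", which is the setting you usually want.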

True story,
- Log into browser with IdP
- Get logged out of IdP
- Log back into IdP
- Click something in the browser's popover and now your browser has a passkey to the IdP
- Get logged out of browser and IdP
- Get locked out because you need to log into the browser to log into the IdP to log into the browser to log into the IdP to...

How can this failure mode exist?

Where do we even start to communicate this to users in a good way?

/rant

I love #PocketID, a light weight #selfhosted #OIDC using only #Passkey.

After using it for several months with an LXC installation using Proxmox Helper Scripts, I noticed that the service runs as root. I also learned that a VM installation is more secure than an LXC. This article will guide you through installing Pocket-ID as a non-root service on Debian. Additionally, there's an upgrade script included.

#Proxmox #debian #selfhosting #homelab #openID #passkeys #SSO

lucasjanin.com/2025/06/02/pock

It's enough to make you tear your hair out. TikTok was recently fined, among other things, for hosting on servers that they can access from China, because the level of data protection does not match the EU's and this cannot be put on a sound contractual footing ("standard contractual clauses") either.
I have once again taken this as an occasion to point out to my superiors that, given the situation between the #EU and the #USA, it might not be a good idea to rely on #AWS #Cloud for our #SSO and #IAM (for us and customers), and that we should perhaps at least develop a backup plan at, e.g., #Hetzner.
People hope that everything will turn out fine and, because the corporate group relies on it and a lot has been invested, continue to rely exclusively on AWS.
🤮

So I was messing with #drupal in the #homelab and I wanted to turn on #SSO with #authentik.

Somehow I didn't find the official Drupal OIDC module; I found this other one. I installed it, got it configured, and the first time I tried to log in, it said "whoops, you have to purchase this module to use it." Fine. I like supporting software; what does it cost?

$250/year!? To LOG IN? F that.

One of its key selling points is how easy it is to configure. If I were configuring it often, maybe I could see that. But OIDC and SAML are the kinds of things you set up once per lifetime. Make it as hard as you want (many apps do!); I only have to get through it once.

I mean $10? Even as much as maybe $50 I might have paid once. But I refuse to pay annually for the ability to log in.
#selfhosted


For #SSO, consider using OIDC instead. A lot of SSO is now centralized through identity brokers like Okta, Ping, Auth0, Azure, Zitadel, KeyCloak, etc. These tend to have first-class support for OIDC. So there's a good chance that whatever service you are using SAML with also supports OIDC. If they don't, they should! Send them this thread. 🧵

I became a maintainer of a popular #SAML library for Node.js, "node-saml", which in turn uses "xml-crypto", which in turn is based on XML signatures.

If you are still using SAML for #SSO, be aware that there has been a string of SAML vulnerabilities related to the fundamentals of how it works, and there are likely to be more. You are advised to use OIDC instead.

In this thread, I'll discuss some of the weaknesses in SAML that have come up repeatedly. 🧵
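Both the Keycloak post further up (applications delegating login to an IdP over OpenID Connect) and the thread above (moving from SAML to OIDC) end at the same place: the relying party receives an ID token and has to decide whether to trust it. The following is an added example of that decision, not code from any of the posts, from node-saml or from Keycloak. It implements the checks OpenID Connect Core requires of a relying party: an algorithm allowlist (so a token claiming `"alg":"none"` is rejected before anything else is looked at), signature verification, exact issuer match, audience and `azp` check, expiry with a small clock skew, and the nonce that ties the token to the authorization request the client actually sent. To run stand-alone without a crypto library, the token is signed with HS256 under a constructed shared secret; a production RP would fetch the IdP's JWKS from the discovery document and verify RS256/ES256 with a JOSE library, but the claim checks are identical. The issuer URL, client_id, secret and clock value are all constructed for the example.

```python
"""Validate an OpenID Connect ID token as a relying party must.

Added example; not the code of any post, library or IdP on this page.
HS256 with a constructed secret stands in for the IdP's JWKS/RS256 so the
example runs offline. Everything in the constants below is made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-client-secret-for-the-example"   # assumption: shared with the IdP
ISSUER = "https://sso.example.net/realms/home"         # assumption: the IdP's issuer
CLIENT_ID = "peertube"                                   # assumption: our client_id
NOW = 1_700_000_000                                      # constructed fixed clock

GOOD_CLAIMS = {  # constructed ID token body as an IdP would mint it for us
    "iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
    "exp": NOW + 300, "iat": NOW, "nonce": "n-0S6_WzA2Mj",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Build a compact JWS. alg='none' yields an unsigned token, used only to show it is rejected."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenInvalid(Exception):
    """Raised with the name of the first failing check."""


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      secret: bytes = SECRET, leeway: int = 60) -> dict:
    """Return the verified claims, or raise TokenInvalid."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise TokenInvalid("malformed token") from exc

    # 1. Algorithm allowlist: the verifier decides the algorithm, never the token header.
    if header.get("alg") != "HS256":
        raise TokenInvalid(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    # 2. Issuer must equal the issuer from the IdP's discovery document, exactly.
    if claims.get("iss") != ISSUER:
        raise TokenInvalid("issuer mismatch")
    # 3. Audience must include our client_id; with several audiences azp must be us.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud_list:
        raise TokenInvalid("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenInvalid("azp mismatch")
    # 4. Time window with a little clock skew.
    if claims.get("exp") is None or now > claims["exp"] + leeway:
        raise TokenInvalid("expired")
    if claims.get("iat") is not None and claims["iat"] > now + leeway:
        raise TokenInvalid("issued in the future")
    # 5. Nonce binds this token to the authorization request we sent.
    if claims.get("nonce") != expected_nonce:
        raise TokenInvalid("nonce mismatch")
    return claims


def outcome(token: str, expected_nonce: str, now: int) -> str:
    """'ok' or the first failing check; convenient for exercising the failure modes."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return "ok"
    except TokenInvalid as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome(mint_id_token(GOOD_CLAIMS), "n-0S6_WzA2Mj", NOW))
    print(outcome(mint_id_token(GOOD_CLAIMS, alg="none"), "n-0S6_WzA2Mj", NOW))
    print(outcome(mint_id_token(dict(GOOD_CLAIMS, aud="grafana")), "n-0S6_WzA2Mj", NOW))
```

The order of the checks matters: signature and algorithm come first, so nothing in the body is trusted, not even `iss`, until the token has been shown to come from the configured IdP. The audience check is what stops a token minted for one of your other clients (say, the Grafana client on the same realm) from logging someone into this one.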

So if I want to host a number of different services (Tandoor, Discourse, Lemmy, GtS) and offer #SelfHosted #SSO, so that I can create a single account for each user and enable or disable specific sites/apps for them, what are my options for that?

No information that could screw with anyone's life will ever be on these sites so I'm not looking for, you know, NSA-busting cryptography or anything. Just a single go-to spot for user management.