Description
This repository contains the current state of the development of the direct integration of SSSD with an external IdP. Currently Keycloak and Entra ID are supported.
You can find a short video with a demo at https://sbose.fedorapeople.org/sssd-idp-demo/sssd-idp-demo.mp4. There is also an extended demo with more details on YouTube.
The code is based on the git trees:
- https://github.com/sumit-bose/sssd/tree/sss_idmap_4_idp
- https://github.com/sumit-bose/sssd/tree/oidc_entra_id_users_groups
- https://github.com/sumit-bose/sssd/tree/id_provider_idp
Feel free to leave comments, questions and suggestions on GitHub.
Installation Instructions
After installing the packages from this repository, especially the sssd-idp package, create an sssd.conf file, for example:
```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = YOU.onmicrosoft.com, keycloak

# Entra ID domain: client id and client secret are separate options
[domain/YOU.onmicrosoft.com]
id_provider = idp
auto_private_groups = true
use_fully_qualified_names = true
debug_level = 9
idp_client_id = UUID_of_YOUR_Entra_ID_client
idp_client_secret = Password_of_YOUR_Entra_ID_client
idp_token_endpoint = https://login.microsoftonline.com/YOUR_Entra_ID_tenant_UUID/oauth2/v2.0/token
idp_device_auth_endpoint = https://login.microsoftonline.com/YOUR_Entra_ID_tenant_UUID/oauth2/v2.0/devicecode
idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
idp_auth_scope = openid profile email

# Keycloak domain
[domain/keycloak]
idp_type = keycloak:https://master.keycloak.test:8443/auth/admin/realms/master/
id_provider = idp
auto_private_groups = true
use_fully_qualified_names = true
debug_level = 9
idp_client_id = YourKeycloakClient
idp_client_secret = YourKeycloakClientPassword
idp_token_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/token
idp_userinfo_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/userinfo
idp_device_auth_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/auth/device
idp_id_scope = profile
idp_auth_scope = openid profile email

[nss]
debug_level = 9
default_shell = /bin/bash
fallback_homedir = /home/%f
```
Please note that the IdP clients must have permission to read user and group attributes.
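A small checker for the `id_provider = idp` domain sections of an sssd.conf like the one above, added here as an example; it is not part of SSSD or of this repository. The required-option list is an assumption taken from the README's own sample, and the embedded config text is constructed (it reproduces the repeated `idp_client_id` line and a plain-http endpoint so both findings show up).

```python
import configparser
from urllib.parse import urlparse

# Options every id_provider = idp domain in the README sample carries (assumed from that
# sample, not an authoritative list of SSSD options).
REQUIRED = ("idp_client_id", "idp_client_secret", "idp_token_endpoint",
            "idp_device_auth_endpoint", "idp_userinfo_endpoint")
ENDPOINTS = REQUIRED[2:]

def _duplicate_keys(conf_text):
    """Return {(section, key)} seen more than once; configparser would silently keep the last."""
    seen, dups, section = set(), set(), ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip()
        if (section, key) in seen:
            dups.add((section, key))
        seen.add((section, key))
    return dups

def check_idp_domains(conf_text):
    """Map each [domain/...] section using id_provider = idp to a list of findings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # keeps %3A / %f literal
    cp.read_string(conf_text)
    dups = _duplicate_keys(conf_text)
    report = {}
    for sec in cp.sections():
        if not sec.startswith("domain/") or cp.get(sec, "id_provider", fallback="") != "idp":
            continue
        issues = [f"duplicate option {k}" for s, k in sorted(dups) if s == sec]
        issues += [f"missing {k}" for k in REQUIRED if not cp.has_option(sec, k)]
        for k in ENDPOINTS:  # the client secret and tokens travel to these URLs
            url = cp.get(sec, k, fallback="")
            if url and urlparse(url).scheme != "https":
                issues.append(f"{k} must use https")
        report[sec] = issues
    return report

# Constructed sample: the README's Entra ID section with its repeated idp_client_id line
# and one endpoint downgraded to http, next to a corrected copy.
BROKEN = """[domain/YOU.onmicrosoft.com]
id_provider = idp
idp_client_id = UUID_of_YOUR_Entra_ID_client
idp_client_id = Password_of_YOUR_Entra_ID_client
idp_token_endpoint = https://login.microsoftonline.com/TENANT/oauth2/v2.0/token
idp_device_auth_endpoint = http://login.microsoftonline.com/TENANT/oauth2/v2.0/devicecode
idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
"""
FIXED = BROKEN.replace("idp_client_id = Password", "idp_client_secret = Password").replace("http://", "https://")
```

Run `check_idp_domains(BROKEN)` to see the duplicate key, the missing `idp_client_secret` and the non-https endpoint reported; `check_idp_domains(FIXED)` returns an empty finding list for the section.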
Active Releases
The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not via Bugzilla).
Release | Architectures | Repo Download
---|---|---
Centos-stream 10 | x86_64 (1740)* | 79 downloads
Centos-stream 8 | x86_64 (9)* | 86 downloads
Centos-stream 9 | x86_64 (1674)* | 80 downloads
EPEL 8 | x86_64 (12)* | 101 downloads
EPEL 9 | x86_64 (5843)* | 470 downloads
Fedora 40 | aarch64 (1649)*, ppc64le (1681)*, s390x (1476)*, x86_64 (2490)* | 0 downloads
Fedora 41 | aarch64 (1353)*, ppc64le (671)*, s390x (725)*, x86_64 (2598)* | 152 downloads
Fedora 42 | aarch64 (228)*, ppc64le (856)*, s390x (752)*, x86_64 (487)* | 57 downloads
Fedora 43 | aarch64 (63)*, ppc64le (63)*, s390x (61)*, x86_64 (61)* | 19 downloads
Fedora eln | x86_64 (1125)* | 70 downloads
Fedora rawhide | aarch64 (2420)*, ppc64le (2031)*, s390x (1898)*, x86_64 (2139)* | 64 downloads

\* Total number of downloaded packages.