Icingaweb2 is probably one of many web applications your company uses daily. That usually means you either have LDAP sign-in enabled or use local accounts. A local account is one more password to store in your password vault. LDAP lets users reuse their directory username and password, but the web application still has to accept those credentials and forward them to the LDAP server, so any flaw in the application can expose your users' directory passwords. Even if you do not consider that a major risk, users are still typing the same password into many different login dialogs, and every additional dialog is one more page they have to check for legitimacy before they type.
Single Sign-On
This is where single sign-on (SSO) comes in. LDAP is often described as an SSO solution, but it only shares one credential across applications: the password has to be entered again in every application that uses it. Open Authorization (OAuth 2.0, with OpenID Connect on top of it for authentication) and Security Assertion Markup Language (SAML) are real SSO solutions. The user never types the password into the application they want to log in to. Instead they authenticate once on the identity provider's familiar login screen, which they can easily verify as legitimate, and the application only receives a signed token or assertion stating who the user is and, optionally, which groups or roles they hold.
Icingaweb2 has support for external authentication[1], with some drawbacks. Every user has to be created in Icingaweb2 beforehand; otherwise they all end up in the same group with the same rights. In an enterprise environment this is a real limitation, since not every user needs, or should have, the same visibility into systems. It also prevents an organisation from granting access to its customers, for example a Managed Service Provider (MSP) that wants each customer to see only its own systems. The larger the environment, the more likely it is to have multiple tenants.
Our solution
That is why we released icinga-adfs at Icinga Camp Stockholm. This wrapper lets you sign in to Icingaweb2 with SAML through Active Directory Federation Services (AD FS). It maps users into groups automatically based on SAML attributes, which can carry role information (read: user rights/groups), and writes those memberships to the Icingaweb2 database backend[2]. Because we love open source here at Opsdis, the code is GPLv3-licensed and available on GitHub: https://github.com/opsdis/icinga-adfs. We look forward to your feedback and pull requests! Together we can make better software.
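To make the attribute-to-group mapping concrete, here is an added example in Python; it is not code from icinga-adfs or Icingaweb2. It takes the attribute statement of an AD FS assertion, maps the AD groups claim to Icingaweb2 groups and rewrites the user's memberships on every login, so a user with no matching group ends up with no rights instead of a shared default group. The claim types, the mapping table, the two sample users and the SQLite schema standing in for the Icingaweb2 database backend are all assumptions constructed for the example; check the claim rules on your own relying party trust and the real schema before reusing any of it.

```python
"""Map the groups claim of a SAML assertion to Icingaweb2 groups.

Added example, not code from icinga-adfs or Icingaweb2. Claim types,
group mapping, sample assertions and the SQLite schema are assumptions
constructed for this example.
"""
import sqlite3
from datetime import datetime, timezone

# Claim types AD FS commonly emits for the UPN and for AD group membership
# (assumed; your issuance rules decide what is really in the assertion).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed mapping: AD group -> Icingaweb2 group. Anything not listed
# here grants nothing, which is the point: there is no shared default group.
GROUP_MAP = {
    "Icinga-Admins": "Administrators",
    "Icinga-Tenant-Acme": "acme-viewers",
}

# Constructed attribute statements, as a SAML parser would hand them over:
# {claim_type: [values]}.
ALICE = {
    UPN_CLAIM: ["Alice@example.com"],
    GROUPS_CLAIM: ["Domain Users", "Icinga-Admins", "Icinga-Tenant-Acme"],
}
BOB = {
    UPN_CLAIM: ["bob@example.com"],
    GROUPS_CLAIM: ["Domain Users"],
}


def map_saml_groups(attributes, group_map=GROUP_MAP):
    """Return (username, set of Icingaweb2 groups) for one attribute statement.

    Exactly one UPN is required: a missing or duplicated identity claim is a
    broken assertion, not an anonymous user.
    """
    upns = attributes.get(UPN_CLAIM, [])
    if len(upns) != 1 or not upns[0]:
        raise ValueError("assertion must carry exactly one UPN")
    username = upns[0].lower()
    groups = {group_map[g] for g in attributes.get(GROUPS_CLAIM, []) if g in group_map}
    return username, groups


def open_db():
    """In-memory stand-in for the Icingaweb2 database backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE icingaweb_group (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT NOT NULL UNIQUE,
            ctime TEXT
        );
        CREATE TABLE icingaweb_group_membership (
            group_id INTEGER NOT NULL,
            username TEXT NOT NULL,
            ctime TEXT,
            PRIMARY KEY (group_id, username)
        );
        """
    )
    return conn


def sync_membership(conn, username, groups):
    """Replace the user's memberships with what the current assertion says.

    Deleting first means a group removed in AD is also removed here on the
    next login, instead of rights accumulating across sessions.
    """
    now = datetime.now(timezone.utc).isoformat()
    cur = conn.cursor()
    cur.execute("DELETE FROM icingaweb_group_membership WHERE username = ?", (username,))
    for name in sorted(groups):
        cur.execute("INSERT OR IGNORE INTO icingaweb_group (name, ctime) VALUES (?, ?)", (name, now))
        (gid,) = cur.execute("SELECT id FROM icingaweb_group WHERE name = ?", (name,)).fetchone()
        cur.execute(
            "INSERT INTO icingaweb_group_membership (group_id, username, ctime) VALUES (?, ?, ?)",
            (gid, username, now),
        )
    conn.commit()
    return current_groups(conn, username)


def current_groups(conn, username):
    """Groups the user currently holds in the database, sorted by name."""
    rows = conn.execute(
        "SELECT g.name FROM icingaweb_group g "
        "JOIN icingaweb_group_membership m ON m.group_id = g.id "
        "WHERE m.username = ? ORDER BY g.name",
        (username,),
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = open_db()
    for assertion in (ALICE, BOB):
        user, groups = map_saml_groups(assertion)
        print(user, sync_membership(db, user, groups))
```

Two design choices matter here. Unmapped groups are ignored rather than translated into a catch-all group, so a tenant's users only see what their mapping row grants. And memberships are replaced, not appended, on each login, so the directory stays the single source of truth and a user removed from an AD group loses the corresponding Icingaweb2 rights the next time they sign in.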