Hi Nicke, hi all,
ah, here is your post.
Well, OAuth2 is in fact not a Single Sign-On protocol but rather a rights
delegation protocol.
OpenID is a bit outdated. Unfortunately no one ever used it for many
years, so in my opinion it is dead.
OpenID Connect would be a great way to go (as an authentication extension
to OAuth2).
Last year I decided to concentrate with Univention on the SAML protocol.
In my opinion SAML is more often used in an enterprise environment while
OpenID Connect/OAuth2 is more often used in a provider context that
involves end users.
This is why we went with SAML in the first step.
This is achieved by a plugin for simpleSAMLphp.
This plugin is roughly an absurd 200 lines of code. I guess this is what
you call a low-hanging fruit.
Imho there was never any sense in writing a SAML IdP completely anew.
The same is valid for OpenID Connect.
And this is my current status of thinking:
I am not aware of an OpenID Connect implementation that has the same
ready-to-run server qualities as simpleSAMLphp. If you know any, just
tell me!
There is, however, the pyoidc implementation by Roland Hedberg. But
- in my eyes it is more of a framework than a server compared to
simpleSAMLphp and - oops, I am wrong. I thought it was huge, but in fact sloccount
src/oic tells me it is only 12,000 lines of code. (Ok, it was pysaml2
that has 40,000 sloc.)
Honestly, privacyIDEA has 15,000 lines of code and until now there was
no necessity to provide OIDC. Well, by adding pyoidc you could add
OpenID Connect IdP functionality to privacyIDEA.
Don’t get me wrong! I very much would like this!
When do you start coding?
This is quite an effort and would require a corresponding project!
I am very curious about your or the others' opinions.
Kind regards
Cornelius

On Friday, 12.02.2016, 07:06 -0800, 'Nicke' via privacyidea wrote:
OAuth 2.0, OpenID, OpenID Connect are popular Single Sign-On
specifications.
privacyIDEA should fit perfectly in this world by becoming an OpenID
Connect Identity Provider that a massive amount of relying parties can
authenticate against.
–
Cornelius Kölbel
@cornelinux