Welcome to the devroom, rules and initial setup.
As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We'll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.
We introduce the SCIM client app for Nextcloud that allows Nextcloud users and groups to be automatically synced to external services that support the SCIM standard. This enables Nextcloud to act as an authoritative store of user identity information, simplifying user management across multiple connected services.
This talk will discuss the motivations behind the app as well as its practical use cases.
OAuth 2.0 and OpenID Connect have been around for years to secure web and mobile applications alike with growing popularity.
To keep your applications and their data secure, these standards are evolving to align with security best practices.
Join this talk to see how the FAPI 2.0 Security Profile and the upcoming OAuth 2.1 standard promotes and enforces best practices, how to adapt your applications, and how Keycloak as an Open Source IAM can help you. Expect a demo and examples for some of the enhancements.
ProConnect is an open-source Federated Identity Provider written mainly in TypeScript and designed to connect professionals with government services. Developed by the French Interministerial Digital Directorate (DINUM), it builds on the experience of FranceConnect while introducing a lightweight, modern architecture.
This talk will present the story behind ProConnect—from its origins as an open-source fork of FranceConnect to the motivations that guided its redesign. We will provide a high-level overview of its main components (identity management, federation, moderation workflows, administrative tools) and demonstrate how the platform operates in practice.
A particular focus will be placed on the identity broker layer and its technical foundations, including the use of panva/node-oidc-provider, panva/openid-client, and related tooling. We will look under the hood at how ProConnect implements current practices in identity federation and how its evolving architecture continues to take shape through ongoing development.
Each month it seems we are made aware of a break in security. Some report of a data base of identity information that is reported as captured by an entity of some type. Lists of passwords, ID numbers, bank account information, credit card information. And these are only the ones we hear about, since many of these break-ins are not reported, or kept quiet.
Often we hope that the data is encrypted, but as we all know quantum computers are coming quickly and quantum computers can take present-day encrypted data even with the highest key lengths and break them in minutes which would have taken conventional high performance computers centuries to break.
Another threat comes from the sovereignty of your system and data. While many cloud companies have put additional servers in various countries (even yours) the companies that generate that software (often closed source) are headquartered in the United States and therefore under US laws like the Patriot Act.
You want a system that is made with Open Source, which allows you to run it on standard equipment that you can inspect, in the country that you want to run it.
A system that puts security first. This talk will detail such a system.
SUSE’s IAM evolution mirrors its corporate journey, beginning with deep dependency on Novell (later MicroFocus) Access Manager, following its transition to independence.As the organization grew, individual departments adopted several tools to solve immediate authentication needs.
This led to a proliferation of unmanageable authentication silos across customer portals, partner networks, and internal employee systems.Recognizing the inefficiencies and risks of this fragmented landscape, SUSE IT has set the goal to consolidate these scattered silos by unifying identities into a single, modern governance solution.
Authentik: https://goauthentik.io/ 389-ds: https://www.port389.org/ PostgreSQL: https://www.postgresql.org/ Patroni: https://patroni.readthedocs.io/en/latest/ RKE2: https://docs.rke2.io/
Passkeys are now first-class citizens on Windows, macOS, Android and iOS - but the Linux desktop still has no standard FIDO2 platform APIs for browsers and native apps.
This talk presents Credentials for Linux (github.com/linux-credentials), a cross-desktop effort to bring Passkeys and other credentials to Linux in a way that works for sandboxed apps and browsers alike.
We’ll cover:
- Very short refresher on passkeys & platform authenticators: Why WebAuthn/FIDO2 passkeys matter, what platform authenticators are, and how this is solved on Windows Hello, Android and Apple platforms today, and the current state on Linux.
- Architecture of Credentials for Linux
- libwebauthn: a Rust FIDO2/U2F platform library with support for USB, BLE and Hybrid authenticators (ie. Android & iOS smartphones), designed with pluggable transports and passkey features such as resident keys and user verification.
- credentialsd: a D-Bus service and proposed XDG portal for credential management, including a reference UI, Firefox integration (web extension + patched Flatpak build) and distro packages via OBS (Fedora/openSUSE).
- What this looks like for apps and browsers: Demo and design walkthrough of a sandboxed Firefox using credentialsd to talk to hardware security keys and phones, and how native applications can use the same D-Bus API.
- Roadmap, open problems and call for collaborators: TPM-backed platform authenticators, origin binding and unprivileged APIs for browsers, and how we’d like to work with GNOME, KDE, Flatpak, password managers and distributions.
The talk is aimed at people interested in identity and access management on the desktop: browser and desktop maintainers, distribution engineers, security practitioners and anyone who wants to help make passkeys a first-class citizen of the Linux platform.
If you've ever used Cockpit you might know of the different authentication methods it currently supports. It can be pretty much anything, such as username and password, Kerberos, public keys, single sign-on, or smart cards. But given the nature of Cockpit being a web-based interface we can only support public key authentication through our Flatpak package called Cockpit Client as browsers themselves are sandboxed and can't access your system keys.
I dislike password authentication when SSHing into a machine but need it for Cockpit access through the browser. Let's see if passkeys can save the day with the help of sssd and FreeIPA!
Cockpit is a web-based graphical interface for server management of a variety of Linux distributions. Our modifications of the system are made using system APIs and commands with our authentication functioning in the same way with the help of PAM modules.
https://cockpit-project.org/ https://sssd.io/ https://www.freeipa.org/page/Main_Page https://flathub.org/en/apps/org.cockpit_project.CockpitClient
The world is moving toward more modern and secure authentication methods. This transition is driven by a global push for Zero Trust Architecture (ZTA), which many organizations are adopting as a security mandate.
In this context, the FreeIPA, SSSD, and GNOME Display Manager (GDM) ecosystems have been working to meet these evolving demands.
As a result, GDM has received several improvements to enhance the authentication experience. Two new mechanisms have been added: passkeys and external IdP (web login). Users can now choose among the supported authentication mechanisms, and the PAM conversation has been extended to support this new scenario with multiple authentication options.
In this talk, we’ll cover what the GDM authentication architecture looks like and how it handles PAM conversations. We will discuss the new PAM extension that uses JSON messages to support these mechanisms, the changes made in GDM to allow selecting different authentication methods, upcoming enhancements, and provide a demonstration of the current implementation.
An ongoing effort to reduce potential attack surface on privileged components of system administration by rewriting them in modern programming languages or introducing new components creates additional problems as well. The system management at scale requires centralization of the access controls, yet most of the new tools do not have such capabilities or don't really concern with such use cases.
In this talk we'd reflect on our experience of supporting large organizations relying on the infrastructure provided by FreeIPA and SSSD.
SSH is the default access method for Linux servers, typically configured with passwords or public/private key authentication. However, in large multi-user deployments, these methods have significant drawbacks: security of private keys on unmanaged clients, key management on the server side, and the difficulty of integrating multi-factor authentication.
Alternative methods exist but are not always easy to implement. In this talk, I compare two of the most promising approaches—OpenSSH certificates and OpenPubKey (OPKSSH)—based on a recent evaluation for a multi-user compute cluster with dozens of machines and hundreds of unmanaged clients. I discuss the advantages and limitations of each approach, including client configuration, required additional software, and operational complexity.
The presentation includes live demos illustrating how each method works from both the client and server perspective, and a closer look at the inner workings of SSH certificates and OPKSSH.
Links: https://www.openssh.org https://github.com/openpubkey/openpubkey https://github.com/openpubkey/opkssh
Linux-PAM (Pluggable Authentication Modules) is a crucial but often misunderstood component of modern Linux systems. This talk provides a comprehensive introduction to PAM, explaining how it enables system administrators to configure authentication, account management, session setup, and password policies without recompiling applications.
We begin by exploring the problems PAM was designed to solve—hardcoded authentication logic, inflexibility, and inconsistent security policies across applications. The talk then covers PAM's four management groups: authentication (verifying identity), account management (checking access restrictions), session management (setting up user sessions), and password management (enforcing password policies and token changes).
Attendees will learn how to read and write PAM configuration files, understand the behavior of different control values (required, requisite, sufficient, optional), and leverage advanced control syntax for complex authentication flows. Special attention is given to the "frozen stack" concept—a frequently misunderstood behavior where PAM fixes the module sequence during the first API call.
Through real-world examples and practical configuration insights, attendees will learn how to troubleshoot PAM issues and understand the impact of PAM configuration changes.
Beyond understanding current PAM functionality, the talk explores the future of PAM: potential enhancements to address modern authentication needs, architectural improvements and the challenges that stand in the way of evolution. We'll discuss compatibility constraints, the need for backward compatibility with existing deployments, and the tensions between maintaining a stable API and introducing new features.
This talk is suitable for system administrators, security engineers, and developers who want to understand and effectively configure PAM-based authentication on Linux systems.
bind-dyndb-ldap is a dynamic database plugin that allows the BIND DNS server to store and retrieve all DNS zone and record data directly from an LDAP directory server. This deep integration is essential for centralized identity management solutions, particularly in FreeIPA setups.
To achieve its function, bind-dyndb-ldap must utilize BIND's internal, lower-level APIs. When a recent major BIND release introduced significant breaking changes, what began as a simple compilation bug because of a missing header quickly escalated into a massive technical challenge. The core problem: adapting years of legacy code to the new BIND server architecture.
This talk will cover the challenges of planning the redesign, how we faced the technical challenges when adapting old code to modern APIs and the lessons learned through the journey.
https://pagure.io/bind-dyndb-ldap https://github.com/freeipa/freeipa https://www.isc.org/bind/
In modern identity-centric infrastructures, DNS is a critical—but often overlooked—component of a Zero-Trust Architecture. This talk, positioned within the IAM devroom's core infrastructure and security track, explores how environments that rely on FreeIPA as their authoritative DNS can adopt encrypted DNS end-to-end without sacrificing performance or operational clarity.
We present the results of our work integrating encrypted DNS across Fedora systems and Kubernetes clusters while seamlessly interacting with FreeIPA's BIND-based DNS service. Throughout this process, we identified key integration challenges, their practical resolutions, and the tangible security benefits gained from encrypting internal DNS traffic.
To validate the feasibility of this approach at scale, we performed extensive workload and performance tests—covering multiple orders of 1,000+ DNS requests per second—comparing encrypted vs. non-encrypted scenarios. These tests demonstrate how to achieve stronger security guarantees without imposing unacceptable latency or throughput penalties.
As part of this effort, we extended FreeIPA's DNS service with Prometheus-ready metrics, enabling real-time visibility into encrypted DNS performance, request patterns, and system-level statistics. These observability enhancements provide operators with the data required to meet and maintain Zero-Trust mandates.
By the end of the talk, attendees will understand not only how to deploy encrypted DNS in hybrid Fedora and Kubernetes environments, but also how to measure, validate, and operationalize it in a way that fully aligns with Zero-Trust principles.
Building FreeIPA’s modern WebUI meant leaving Dojo behind for React, but we couldn't leave our robust authentication capabilities behind. We needed to bring password, OTP, Kerberos, and certificate support into the new era. This raised a fundamental question: how do we translate these complex legacy flows into clean, modern code?
We invite you to explore this adaptation journey with us. We’ll discuss shifting from scattered widget logic to unified Redux state management and declarative components, while reimagining our API layer. This process didn't just replicate old features—it evolved them, delivering a more secure and optimized codebase through the power of strict type safety.
-- At first it was a funny idea to give AI a try --
With the help of Claude a new light weight CA backend for FreeIPA has been created. It is written in Python and uses python-cryptography. The the goal is full dogtag compatibility for use with FreeIPA.
The talk will show the journey: The experience with AI, the good and also not so good steps and results. In the end the actual state will be shown.