Dear LazyFedi, I'm looking for a #SaaS solution that acts as a kind of #SSO multiplexer.

I have 4 Microsoft tenancies, and I can map users to tenancies by email address. What I want is something that acts as a single frontend to all of them for #SAML / #OpenID logins.

I need this to set up SSO for some of our other SaaS products which only support one provider.

(NB: this needs to be SaaS, UK/EU based. I'm not able to self host anything in this context)

#Authentication #AuthN

With Bitwarden, you can store your SSH keys and use the desktop app to expose an SSH agent socket.
Some SSH servers have MaxAuthTries configured with a low value.
If you use an SSH agent loaded with more keys than the MaxAuthTries value, and the required key is not among the first MaxAuthTries keys tried, you get an authentication error.
On the CLI, you just pop a new SSH agent, load it with the "only key you need" and off you go.
With Bitwarden, you cannot do that (I think).

I have been thinking about implementing an SSH agent proxy that connects to Bitwarden, lists the keys available, and creates a new agent per listed key, answering only for that key.
You could then configure SSH to use this SSH agent socket or that other SSH agent socket depending on the host you connect to, with IdentitiesOnly and an IdentityAgent pointing to the right SSH agent socket.

What do you think? Would you use that proxy?

#Bitwarden #infosec #ssh #authn
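As an added example (my sketch, not the poster's code or Bitwarden's): the core of such a filtering agent in Python. It parses the SSH agent protocol's message format, rewrites the identity list so only one public-key blob is advertised, and refuses sign requests for any other key; the `upstream` callable standing in for the Bitwarden agent socket and the key blobs used in testing are constructed placeholders.

```python
import struct

# SSH agent protocol message numbers (draft-miller-ssh-agent). On the wire each
# message is framed as a uint32 big-endian length followed by the payload.
AGENT_FAILURE, REQUEST_IDENTITIES, IDENTITIES_ANSWER, SIGN_REQUEST = 5, 11, 12, 13

def read_string(buf, off):
    """Parse one SSH 'string' (uint32 big-endian length prefix) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def put_string(b):
    return struct.pack(">I", len(b)) + b

def filter_identities(answer, allowed_blob):
    """Rewrite an IDENTITIES_ANSWER so only the allowed public-key blob is listed."""
    if answer[0] != IDENTITIES_ANSWER:
        return answer  # e.g. AGENT_FAILURE from a locked agent: pass it through
    (count,) = struct.unpack_from(">I", answer, 1)
    off, kept = 5, []
    for _ in range(count):
        blob, off = read_string(answer, off)
        comment, off = read_string(answer, off)
        if blob == allowed_blob:
            kept.append(put_string(blob) + put_string(comment))
    return bytes([IDENTITIES_ANSWER]) + struct.pack(">I", len(kept)) + b"".join(kept)

def proxy_request(request, allowed_blob, upstream):
    """Handle one client message; upstream(msg) returns the real agent's reply."""
    if request[0] == REQUEST_IDENTITIES:
        return filter_identities(upstream(request), allowed_blob)
    if request[0] == SIGN_REQUEST:
        blob, _ = read_string(request, 1)  # the key blob is the first field
        if blob == allowed_blob:
            return upstream(request)
    return bytes([AGENT_FAILURE])  # other keys, and add/remove/lock: refused
```

Wrapping proxy_request in a Unix socket listener (read the 4-byte length, read the payload, reply with the same framing, forwarding to the Bitwarden socket) gives the per-key socket to point IdentityAgent at, together with IdentitiesOnly yes.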

So I started looking around again for self-hosting #oidc #authn. #pocketid, #voidauth, and #hanko are the simplest. All #passkey focused.

Yet still, Pocket ID is by far the easiest to run. Strictly Unix-like: focused on doing one thing. But doing one thing really well. 😎

https://pocket-id.org/

Pocket ID

Indy has implemented passkey support on its site. Very cool. Except that...
They decided to add an algorithm to detect passkey support, to simplify the UX for users browsing from an incompatible system/browser. And it's a disaster.

1) the detection algorithm is broken and returns a false negative on perfectly compatible browsers

2) when you add a passkey from a compatible browser, it is not required to authenticate from a browser detected as incompatible => the security measure is bypassed.

Here is an excellent example of how NOT to implement passkeys. Keep it dumb: don't add useless logic, and tell your UX engineers to go graze elsewhere when it comes to security.

PS: I had long exchanges with them, to no avail. This post follows the repeated failure to get them to understand the problem.

#passkeys #infosec #indy #authn

Authentication in ASP .NET Core

How you can authenticate users in .NET Core

Default passwords (in this case, a voicemail PIN) strike again! There are many #AuthN systems around that support sending OTPs by a phone call as an alternative/fallback to SMS (and it is an accessibility requirement). Unfortunately, they can't account for this attack vector.
(Oh, and use Signal, not Telegram)
#Identity #Security
https://gbhackers.com/hackers-hijack-telegram-accounts/
Hackers Hijack Telegram Accounts via Default Voicemail Passwords

The Israeli Internet Association has issued a public warning about a surge in cyberattacks targeting Telegram accounts in Israel.


Excited to be speaking at @fossasia
🚀 This year, I'm diving deep into Identity and Access Management (#IAM) for #OSS.

All are welcome and I encourage all knowledge levels to attend: Don't be intimidated by "advanced security"! I'm breaking down complex concepts into easy-to-understand explanations, with a historical perspective to give context.

1️⃣ Explore #AuthN #AuthZ 🔐
2️⃣ @keycloak Primer 🌐
3️⃣ Best Practices for #OSS 🛡️

#FOSSAsia2025

iRODS

Interesting attack method. "They are merging, wonder if they screwed up transfer? Yup."

https://www.theregister.com/2024/07/15/squarespace_fingered_for_dns_hijackings/

#squarespace #dns #authn

Infoseccers claim Squarespace migration linked to DNS hijackings at Web3 firms

Company keeps quiet amid high-profile compromises


“At this point I think that #Passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype.”

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

Big sadge 😭

#infosec #authn #webauthn

Passkeys: A Shattered Dream
