FreeIPA identity management

Federating identity management with users/groups maintained in FreeIPA and passwords authenticated via SSO to an SAML-compliant identity provider (IDP) provides the necessary backbone infrastructure needed for CDP services, without requiring you to expose your on-prem identity management system over the network.

What is FreeIPA?

FreeIPA is an open-source product that combines four identity management capabilities:
  • LDAP directory: a common user directory so that all services in both the SDX and workload clusters can consistently resolve users.
  • Kerberos KDC: a single common Kerberos realm so that services can authenticate each other, within and between clusters. Kerberos is also used as a user authentication mechanism by some services.
  • DNS server: a relatively simple way to discover and reach shared services in an SDX cluster from various workloads.
  • Certificate Authority (CA): some services secure communication channels with TLS, which means they need certificates. A shared CA allows CDP to establish a common trusted root for all connected workloads.

Identity management with FreeIPA

IPA is an identity management framework used to assert who a user is. A subset of users and groups are replicated into IPA (and propagated to the nodes via SSSD). Making the users and groups available on the nodes with consistent user names enables security policies to be migrated from on-prem to the cloud. Users and groups are imported from on-prem and principally managed from the Control Plane UMS (User Management System,) with IPA providing the backend propagation.

FreeIPA prerequisites

For IPA to work, you must have:
  • An AD on-prem or a central LDAP where relationships between users and groups are maintained.
  • A SAML identity provider (e.g., Okta or KeyCloak) that can be leveraged to authenticate users and import their groups.

How FreeIPA works

The following diagram illustrates how FreeIPA works: