docs: add security section to idp

Related: https://pagure.io/freeipa/issue/8805 Related: https://pagure.io/freeipa/issue/8804 Related: https://pagure.io/freeipa/issue/8803 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-24 07:06:37 -06:00 · 2022-11-10 13:27:00 +01:00 · 2022-11-10 13:27:00 +01:00 · c6a16a7e53
commit c6a16a7e53
parent dbebed2e3a
1 changed files with 20 additions and 0 deletions
--- a/doc/designs/external-idp/external-idp.md
+++ b/doc/designs/external-idp/external-idp.md
@ -497,3 +497,23 @@ and calls out to the `oidc_child` process to verify the user identity against an
 associated IdP.

 [idp-api]: idp-api.html
+
+## Security
+
+* communication between Kerberos client and KDC happens over FAST channel
+* communication between KDC and FreeIPA (`ipa-otpd`) happens over root-owned
+  UNIX domain socket
+* communication between `oidc_child` and IdP happens over `https`
+* no authentication tokens are exchanged between client, KDC and FreeIPA
+* IdP server URLs can only be set by administrator
+* IdP server URLs are not auto discovered, they need to be added manually
+* user authenticates to the external identity provider using the method required
+  by the provider, FreeIPA does not have any control over the selected method
+
+### Recommendations
+
+* administrators must thoroughly check all URLs they add when creating the IdP
+  server
+* users must check that the presented device authorization URL is correct and
+  that the authentication happens over secure channel (usually `https`) with
+  valid certificate