From c6a16a7e537c30a348ea00d657256c0a94171572 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 10 Nov 2022 13:27:00 +0100 Subject: [PATCH] docs: add security section to idp Related: https://pagure.io/freeipa/issue/8805 Related: https://pagure.io/freeipa/issue/8804 Related: https://pagure.io/freeipa/issue/8803 Reviewed-By: Alexander Bokovoy --- doc/designs/external-idp/external-idp.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/designs/external-idp/external-idp.md b/doc/designs/external-idp/external-idp.md index 0b0176933..fa5b300f4 100644 --- a/doc/designs/external-idp/external-idp.md +++ b/doc/designs/external-idp/external-idp.md @@ -497,3 +497,23 @@ and calls out to the `oidc_child` process to verify the user identity against an associated IdP. [idp-api]: idp-api.html + +## Security + +* communication between Kerberos client and KDC happens over FAST channel +* communication between KDC and FreeIPA (`ipa-otpd`) happens over root-owned + UNIX domain socket +* communication between `oidc_child` and IdP happens over `https` +* no authentication tokens are exchanged between client, KDC and FreeIPA +* IdP server URLs can only be set by administrator +* IdP server URLs are not auto discovered, they need to be added manually +* user authenticates to the external identity provider using the method required + by the provider, FreeIPA does not have any control over the selected method + +### Recommendations + +* administrators must thoroughly check all URLs they add when creating the IdP + server +* users must check that the presented device authorization URL is correct and + that the authentication happens over secure channel (usually `https`) with + valid certificate
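Review bot: In the new Security list, the bullet "communication between `oidc_child` and IdP happens over `https`" does not say whether `oidc_child` verifies the IdP's certificate or which trust store it uses, although the Recommendations ask users to check for a "valid certificate" on their side. Please state the verification behaviour for the `oidc_child` connection explicitly, because the other bullets rely on the administrator-set IdP URLs being reached authentically. The bullet "no authentication tokens are exchanged between client, KDC and FreeIPA" should name which tokens are meant and say where they stay instead. In Recommendations, "users must check that the presented device authorization URL is correct" gives users nothing to compare against, so consider adding that administrators should tell users the expected IdP hostname. Minor wording: articles are missing in "over FAST channel", "over root-owned UNIX domain socket" and "over secure channel".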