Description
Module
None
Problem
There do not seem to be any IdP-related modules. This limits the ability to test authentication code, and as a secondary effect means that this project can't be used as a model for organizations developing their own docker compose/swarm with IdP-related services.
Solution
The initial modules would be LDAP, DNS, Kerberos KDC, CA, PKI, possibly with multiple implementations.
We should also consider a FreeIPA module (which combines this functionality) if it now supports running within a docker container, and/or the limitations won't affect its suitability for testing.
Pull request 9225 is a minimal viable product for LDAP but support for TLS should be added before merge.
Benefit
This limits the ability to test authentication code, and as a secondary effect means that this project can't be used as a model for organizations developing their own docker compose/swarm with IdP-related services.
LDAP is still heavily used in the enterprise, esp. with the Active Directory extensions.
The CA/PKI modules may be heavily used by developers since they would provide a clean way to create the set of related encryption keys and digital certificates required by many services. E.g., a server may require that the server and client certs have the same parent CA certificate.
The Kerberos KDC module could be used to test Hadoop ecosystem authentication. (I also have Hadoop modules under consideration, although they'll have limited functionality compared to Cloudera.)
This could be followed by FreeIPA (equivalent to Microsoft Active Directory), assuming the issues running it in docker containers have been fixed.
Additional modules could include OAuth and JWT. It's possible to write standalone modules for those today - but in an enterprise environment there may need to be corresponding information in IdP services.
Alternatives
A few of the services can be run as embedded servers, e.g., see Spring Security :: LDAP, but this lacks the power of TestContainer modules.
Would you like to help contributing this feature?
Yes