You can use four scouts. Hello everyone. Here are some free posters if you want them. If you come in during the presentation, please close the door as quietly as possible. If you want to evaluate the sessions, you can visit this link. And please tweet and write blog posts about the conference, of course. And I should promote the grand finale at the end of this conference at 16:30 in room 105. And now please welcome Patrick with Ipsilon.

I'm Patrick. I wanted to tell you something quick about a project I've been working on with some of the people in this room, Simo and Rob mostly: Ipsilon, for federation. So, a very short introduction to what federation is, because probably most of you have already seen a live instance of it. If you have a lot of services running, for example you're a big company, or, like Fedora, you're a big project that has a lot of different services, you don't want everyone to have to create an account for every one of them. That is where federation comes in: you add a service in between which acts as a proxy between the account system and the services to authenticate the users. Who here is a Fedora contributor? Yeah, so if you have ever used any of the Fedora services, you have used this, with the login system that you use to log into basically every service we run in Fedora, which is, by the way, running on Ipsilon. So normally with federation, you visit a website which wants you to log in. It redirects you to the authentication system, where you enter your username and password. After that, you drop back to the application, verified by the authentication service, and you are logged into your account. So Ipsilon is an implementation of that, which supports a lot of different protocols, like SAML 2, OpenID, and Persona, which, by the way, is going to be abandoned by Mozilla, but we'll see how we deal with that.
I have a patch for OpenID Connect, and I'm just waiting for a review from any of the other maintainers, which we will do during DevConf. At the back end, it supports the Fedora Account System, which is what probably most of you know; GSSAPI, so Kerberos authentication for single sign-on in enterprise environments; PAM, so you can actually use any module you can use in Linux to log a user in; and plain LDAP as an identity back end for Ipsilon. And because we have LDAP and GSSAPI, we also support IPA, because that is just using both of those services. We even have a very simple way of setting that up, and I'll try to show that later. For information, it can get information about users from an LDAP directory or from a local SSSD daemon. That is just to provide the information, because, for example, PAM modules don't provide any information about the users. So you can use PAM to authenticate and then LDAP to actually get information about the user to provide to the service providers. A few of the service providers that we've actually tested are GitLab and OpenStack. Basically, for this list we are very sure that those work; all of the others should work if they conform to the specification of the protocols that we are using. And I'm going to try to show at least some of them in a bit. So as I said, we're currently working on OpenID Connect. We're trying to add some more APIs, because currently you can add a service provider programmatically, but we would also like to be able to modify them via an API so you can automate it within, for example, config management tools. And we are currently busy writing documentation and examples of how to set it up with various services. So I can tell you that it does all of this. Let me now try to show you that it does. One of the first ones that I actually tested myself is Google Apps. So this is a Google Apps domain. Let's see if the network actually cooperates.
It doesn't look like the network is up. Yeah. Let's see if the... sorry. DNS works. I need to access... So this is a production instance that I'm running for my family, mostly. And let's see if I entered the password correctly. And there we go. So you have now seen that this works. Let's try another example. Another one is GitLab, which some of you might know. And because I had already logged in at the other one, it automatically recognized me and logged me into GitLab as well. Now let's try one of the more... the example that I've been asked for a lot. Let's see if my VMs booted up. Okay, I guess not. Did the VMs boot? Yeah. I wonder if it even started everything. It seems to... did I? To OpenStack. As some of you might notice, since this is another instance, it did not automatically log me in, because I wanted to at least have something in case all the internet failed. I don't care about certificates. And it did not work. Whoa. Yeah. Okay, so the last example or demo that I wanted to give, and I hope that this one does work, is basically demonstrating setup. Why doesn't it continue? So I wanted to show how easy it is to set up Ipsilon, with just two single commands to set up both the server and the client in one go. This is a short identity. I think I can. I actually only learned of that a week ago. These are also my slides, but apparently that didn't work. Just these two commands are everything you need to set up an Ipsilon server and a client. So let me copy this into the server. Yeah, the only thing I set up beforehand is an IPA domain; the identity server is a client of the IPA server, the other one is not. So can you set it up on...? You can; you can do either. The other one that I just showed you, that should have worked with OpenStack, was running on the same box as the IPA machine. Okay. So this installed Ipsilon, httpd restarted, and my entire Firefox session crashed. Did I use... oh, this is the wrong box for this test. That's the wrong box.
Yes, which is what I just did again. And I think I just blew away my OpenStack test. Well, okay. So yes, you can install it on the IPA server. Okay. Whose name? Whose name? Now the Ipsilon server is running on the correct server. And then we have another server called secret. I'm very imaginative with names, as you can see. What I'm currently installing is the client, which is authenticating against Ipsilon, because what I just installed is the server, so the part that is doing the user login and checking. This is the command to set up a server that will authenticate against it. Sorry? Yeah, not in the server we do. And here I do use identity. I'm messing up my server names all over. So because I just reinstalled it, I need to restart httpd, which I didn't. So, just... what? Okay. This command should be the only thing you need to do. I probably messed up my server names and messed up my servers. My testing instance is in progress. Sorry, is it in the last run? I think so, yeah. That's what I said. I think I'm messing up my server names. Yeah. Admin password, service httpd restart. Sorry. That was the password of an administrator that can add service providers to Ipsilon. Yeah, I haven't set up any other admins. So if you have index.html, my secret page. I'm very imaginative. So: secret, secret. I don't care about certificates. So now it forwarded me to federation. And I'm not sure if I set up a testing account here. Let's not try it. And here we go: my secret button. So with just those two commands, you can set up an entire Ipsilon server and a client which authenticates against it. And we actually... yeah. This has crashed, but basically those were my demos. I think on my slides you will see the same two commands listed, but I can't go there right now. Are there any questions so far? Sure. That's at federation/idp. Oh, right. Right. Yes. Because we only allow HTTPS.
So a normal user would probably not see this page. This is basically the main page of Ipsilon, of an older version, the version that's currently in RHEL and CentOS 7. You have an administration button, which is not visible for users, obviously, and a button to log out. Administration will give you a nice overview of which plugins there are, and enables you to enable or disable specific plugins after installation if you so want. And for example, for SAML, you can manage the list of service providers. As you see, it automatically added the one that I just created here. Does the client integrate with the 3.0 panel or something like that? Yeah. Yeah, the OpenStack CLI should work with it. Not here, because of the Wi-Fi. And I wish I could have shown that. So for more demos about Ipsilon, watch Alexander's talk. And one other thing... Oh, no, I just blew away my other one. I was going to show something else on my other box, but I blew that away. So are there any other questions? If not, then thank you for... Oh, wait. The question was how it compares to Keycloak. Yeah. So Ipsilon was started focusing on the administrative side of deployment, so sort of an extension of the infrastructure. Keycloak was coming from the other side, from the individual developer, who needs to provide a very simple and very easy way to do those projects. So it was coming from a different point of view, and they come to the middle ground. In the end, that one is more developer friendly, and this one is more industry friendly. But there's sort of a convergence, because Keycloak can implement SAML, while Ipsilon can implement SAML now too; Keycloak can do OpenID Connect, and Ipsilon can do OpenID Connect. So they are closing in and are pretty much in the same space. It's up to you to choose. And there's another difference: at least Ipsilon is able to pick up additional... subject.
Email addresses. That provides... Isn't this in the app? Keycloak, there is an app... to close it. Yeah. So the important part here is that if your application is using SAML, it would work with Ipsilon. And then the question of which one you choose depends purely on your deployment and administration needs and how far you will go. So in one of the videos I've uploaded, the Active Directory user is trusted by IPA. This is something that Keycloak currently cannot do. Outside of the app, on itself, they have access to your community, like your login to the system. And you are going to get carried through that whole process. You can be an Active Directory user while your service with Ipsilon is running inside IPA, and there is a cross-realm trust between the two. So the idea is: your laptop is in the Active Directory domain and the service is in the IPA domain. The user, who is in Active Directory, logs in and gets a ticket there, then accesses a service that requires SAML. It will redirect you to Ipsilon; Ipsilon will consume your current ticket, issue a SAML assertion, and redirect you back. All of that happens behind the scenes, with protocol transitioning and trust across the firewalls. So you don't see all of this complexity; it just happens. Any further questions? So this version of the setup process automatically uses a local SQLite database. If you pass one extra argument, dash dash dp dash url, you can actually just give a database server URL, and it will then use those databases. And then you can just put it on multiple servers, configure them to use the same databases, and that should be it. So the only change would be to make it not use SQLite, because that doesn't scale well. Yeah, you can use either DNS round-robin or HAProxy, which is actually what we have live in Fedora infrastructure. Yeah.
How many authentications a day? How does it scale in Fedora infrastructure? I think a few thousand authentications a day. We have no exact numbers, because we do not keep those logs, because that's security-sensitive information, but quite a few. And it's been working there for about a year now, I think. Yeah. Okay. Yeah, I don't know when we transitioned exactly. Any other? I'm not seeing any hands. Let's try it again. Thank you very much.