Helping companies secure their BTCPayServer through SSO #4428
Zaxounette
started this conversation in
Ideas / Feature Requests
OIDC or SAML would bring BTCPay to another level.
Intro
Definitions
Unfortunately, this discussion will require a lot of industry buzzwords, so here are the definitions for those of you who might not be familiar with them.
Definitions
SSO
Identity Governance and Administration (IGA)
Identity Providers (IDPs)
Service Providers (SP)
SAML
OIDC
2FA/MFA
TOTP
Intro to SSO
Identity governance is a big subject in the corporate and enterprise world, and identity tools from Azure Active Directory, to cloud identity providers (IDPs) like Okta, OneLogin, Veriff, Oracle, IBM, and open-source identity servers like KeyCloak and OpenIAM are commonly used in the corporate world to help secure and manage access to the day-to-day tools that said company uses, typically called Service Providers (SPs).
IDPs can only help secure tools that support one Single Sign-On standard or another.
Typically two major standards are supported: SAML 2.0 and OIDC.
SSO also replaces the use of 2FA/MFA/TOTP tokens on logins, although MFA tokens can still be used in parallel to access specific URLs or advanced or security-sensitive dashboards in the SP tool, if necessary.
Intro to Identities
Typically, when we think of identities, we think of government-approved identities like the ones seen on government IDs.
IDPs do not specifically support government-approved identities, and you can create your own identity through their products. Personally, I use my handle as an identity and email, and it works perfectly fine.
The entry point to an identity usually requires an email, but open-source IDPs like Keycloak or OpenIAM can be forked to add LNurl Auth as an identity mechanism as well, for the more technically enabled end-users who wish to switch away from the government-approved identity mechanism.
In such a case, LNurl Auth would be used as an identity mechanism in the IDP itself, and would not be used in BTCPayServer, for example.
Proposal
Add OIDC or SAML 2.0 support into BTCPayServer. That's the MVP.
Additionally, it could include:
Optional prerequisites to SSO, to make it easier to manage for end-users, are:
Benefits to the end-users of BTCPayServer
Enterprise or Corporate setting
Companies are typically locked in a regulatory framework that imposes security methods on them, of which SSO is part. Implementing SSO support in BTCPayServer will remove a typical rebuttal from Compliance or Security personnel who approve tool purchases in corporate settings.
Technically enabled end-users
Technically enabled end-users can enable Bitcoin industry identity mechanisms such as LNurl Auth, and any future invention, in their self-hosted IDPs without needing to fork and maintain their own fork of BTCPayServer.
Benefits to the BTCPayServer project
Feature parity
Integrating SSO can help users identify an open-source project that has feature parity with typical cloud provided alternatives that they already use, or are looking to use.
Easy integration (PM wise)
OIDC and SAML 2.0 being open standards, there is no need to make "partnerships" or agreements with the huge cloud IDPs, and support can be integrated without their knowledge. The end-user wishing to enable SSO would just have to create a simple 3-item custom configuration in their IDP.
Easy documentation
SSO integration documentation is typically a one-pager with a few strings to copy and a few items to configure. From start to finish, SSO enablement typically takes around 5 minutes.
Bragging and shaming rights
That an open-source project like BTCPayServer implements SSO before multi-million or billion-dollar companies in this space like Coinbase, Kraken, Binance (although not in the same niche, but still) and so many others can give us some bragging and shaming rights on social media.
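To make the "few strings to copy" concrete, here is the OIDC authorization-code exchange between an IDP and an SP as an added, self-contained illustration. It is not part of the original post and not BTCPayServer code: the issuer URL, client ID, redirect URI and the user name are made up, the IDP is a mock object in the same process, and an HS256 shared secret stands in for the RS256/JWKS signing a real IDP uses. What it shows is the checks the SP side must perform (state, nonce, issuer, audience, expiry, signature, fixed algorithm) before trusting the identity it gets back.

```python
"""Mock OIDC authorization-code flow: relying party (SP) + mock identity provider (IDP).
Illustration only, not BTCPayServer code. HS256 with a shared secret stands in for
the RS256/JWKS setup a real IDP uses. All names and URLs below are assumptions."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed configuration: the handful of strings an admin copies between IDP and SP.
IDP_ISSUER = "https://idp.example.test"                 # assumed issuer URL
CLIENT_ID = "btcpay-demo"                               # assumed client ID
REDIRECT_URI = "https://pay.example.test/signin-oidc"   # assumed callback URL
CLIENT_SECRET = b"demo-shared-secret"                   # demo HS256 key, never do this in prod

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- SP (relying party) side ---------------------------------------------------
def build_auth_request():
    """Step 1: SP redirects the browser to the IDP. `state` ties the callback to this
    browser session (CSRF defence); `nonce` ties the ID token to this login attempt."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return f"{IDP_ISSUER}/authorize?{urlencode(params)}", session

def verify_id_token(token: str, session: dict, now=None) -> dict:
    """Step 3: validate the ID token. Each check here is one a real SP must do."""
    now = now or int(time.time())
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm from configuration; never let the token pick it (alg=none attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s64), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for another client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (replayed token)")
    return claims

# --- IDP side (mock) ------------------------------------------------------------
class MockIdP:
    def __init__(self):
        self.codes = {}  # single-use authorization codes

    def authenticate(self, auth_url: str, subject: str) -> str:
        """Step 2: user logs in at the IDP; IDP redirects back with code + state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")  # IDP-side allowlist check
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": subject, "nonce": q["nonce"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, now=None) -> str:
        """Back-channel code exchange: one-time code -> signed ID token."""
        now = now or int(time.time())
        entry = self.codes.pop(code)  # KeyError on reuse of a code
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": entry["sub"],
                                     "nonce": entry["nonce"], "iat": now, "exp": now + 300}).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

def login(idp: MockIdP, subject: str) -> dict:
    """Full round trip as the SP sees it; returns the verified claims."""
    auth_url, session = build_auth_request()
    callback = idp.authenticate(auth_url, subject)
    q = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch (CSRF or mixed-up sessions)")
    return verify_id_token(idp.token(q["code"]), session)

if __name__ == "__main__":
    print(login(MockIdP(), "alice@example.test"))
```

Swapping the mock for a real IDP means replacing the HS256 secret with the IDP's published JWKS (RS256) and the in-process calls with the real `/authorize` redirect and `/token` POST; the validation checks in `verify_id_token` stay exactly the same.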