1 vote
Hello,
Is it planned that you support SAMLv2 or OIDC authentication with on-premise solutions such as PingFederate or ADFS?
Currently we only have the option to use Windows authentication if we do not want to go through a cloud solution...
Hello,
Thank you for your request. Having a generic OIDC authentication implementation is not something planned. When we discussed this in the past, the response was always the same: we do not want to support just the authentication part, but also the group definitions and permissions. Customers wish to import groups and manage security with those groups. Thus, even if we add a generic implementation, we feel that the group aspect would be lacking. We have already implemented SCIM in another project, but we encountered issues and difficulties. This is why we implemented specific options (EntraID, Okta, and PingOne). If you do not want a cloud solution, you're correct, only Windows authentication is an option. Why is it not a suitable option for you?
Best regards,
François Dubois
Our authorities require us to remove the NTLMv2 protocol from our infrastructure.
Is it possible to configure Password Server with the Kerberos protocol?
Also, wouldn't it be possible to use an on-premise IdP (ADFS, PingFed, etc.) as well as to use AD groups based on the MemberOf property when authenticating?
Hello,
When you use Windows authentication, NTLM and Kerberos are negotiated. There is nothing to configure in Devolutions Server for that, but you must configure your domain/Domain Controller (DC) to disable NTLM and accept only Kerberos. Would this work for you?
Supporting other IDPs on-premise would be possible, but we do not have that work planned for the short to mid-term. I'm taking note of your request and will follow the thread to see if there is interest from our community.
Best regards,
François Dubois
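Before NTLM is disabled on the domain as described in the reply above, it helps to know which accounts and hosts still log on with it. The following is an added example, not code from Devolutions or from anyone in this thread: it reads logon events (ID 4624) and counts those whose authentication package is NTLM. It assumes the events were exported as XML under a single `Events` root; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample data: Security log logon events (ID 4624) in the
# Windows event XML layout, trimmed to the fields this example reads.
def _event(user, package, lm, workstation, ip):
    fields = {"TargetUserName": user, "AuthenticationPackageName": package,
              "LmPackageName": lm, "WorkstationName": workstation, "IpAddress": ip}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return ("<Event><System><EventID>4624</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

SAMPLE = ('<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          + _event("alice", "Kerberos", "-", "-", "10.0.0.21")
          + _event("svc-backup", "NTLM", "NTLM V2", "APP01", "10.0.0.35")
          + _event("svc-backup", "NTLM", "NTLM V2", "APP01", "10.0.0.35")
          + _event("bob", "NTLM", "NTLM V1", "OLD-PC", "10.0.0.77")
          + "</Events>")

def parse_logons(xml_text):
    """Return one dict of EventData fields per 4624 event."""
    logons = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # ignore anything that is not a successful logon
        logons.append({d.get("Name"): (d.text or "")
                       for d in ev.findall("e:EventData/e:Data", NS)})
    return logons

def ntlm_sources(logons):
    """Count NTLM logons per (user, workstation, ip, NTLM version)."""
    hits = Counter()
    for entry in logons:
        if entry.get("AuthenticationPackageName", "").upper() == "NTLM":
            hits[(entry.get("TargetUserName", ""), entry.get("WorkstationName", ""),
                  entry.get("IpAddress", ""), entry.get("LmPackageName", ""))] += 1
    return hits

if __name__ == "__main__":
    report = ntlm_sources(parse_logons(SAMPLE))
    for (user, host, ip, version), count in report.most_common():
        print(f"{count:3d}  {user:12s} {host:8s} {ip:12s} {version}")
```

Each source the report lists is a client or service that would fail to authenticate once the domain accepts only Kerberos.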
+1
SSO/Auto login through Windows Integrated Authentication has become a hassle to set up.
I would like to set up OIDC to Authentik, and it does support group membership.
Regards.
Remote Desktop Manager connected with Devolutions Server running the newest versions.
------------------------Signature------------------------
Sorry if any of the above sounds harsh or provoking, it is NOT meant as such, but I have Asperger's and don't always know.
My intention is always to be friendly.
-------------------------------------------------------------