I attended the FOSDEM conference in Brussels from February 1st to 2nd. As one of the world’s largest open source conferences, with over 8,000 attendees and 70 devrooms, FOSDEM provided an invaluable opportunity to connect with communities and organizations using our software. These in-person interactions are particularly important as they often represent one of our only chances to engage with these groups throughout the year.
This year it was the 25th anniversary of the event, and as such there were special celebrations. The opening talk happens at Janson auditorium, with a capacity of 1500 seats and packed to the rafters, including lots of people standing in the sides and the back. This year there were more than 1000 talks, and almost as many speakers (900+), thus making it a great place to reach a very wide audience.
| Janson auditorium during the initial keynote |
Identity and Access Management devroom
Alexander Bokovoy and I managed the Identity and Access Management devroom for another year, and the interest was overwhelming. We received over 30 talk proposals, showcasing the diverse landscape of IAM. The 16 talks we selected spanned the field, from practical deployment challenges and complex infrastructure integrations (including AI/HPC) to emerging areas like federated identities, passwordless authentication, and digital certificate lifecycle management. The larger devroom (increased from 80 to ~250 seats) was a welcome change, comfortably accommodating the consistently high attendance.
Without further ado, let’s jump into the topics presented by Red Hatters.
Welcome to the Identity and Access Management devroom! by Alexander Bokovoy and Iker Pedrosa: Short self-introduction of the main devroom leaders, where we explained what the devroom would consist of and give some tips on how to proceed to the speakers and the audience.
Heimdall: An Identity-Aware Proxy for Secure Access Control by Dimitrij Drus: this presentation explored the components of a decentralized access control system and the integration challenges posed by diverse protocols and services. The speaker introduced Heimdall as a solution designed to abstract these complexities and simplify the definition of business logic. A demonstration illustrated Heimdall’s capabilities.
Partly Cloudy IPA - joining cloud VMs to FreeIPA by André Boscatto: the speaker did a fantastic job explaining the authentication and authorization challenges of connecting cloud VMs to FreeIPA. They made the benefits of the Podengo project crystal clear, and the diagram and demo of the launch and connect phases were super helpful. It was great that he also pointed out other related talks in the same devroom.
Deep Dive into OIDC flows by Milan Jakobi: this presentation offered a practical overview of OAuth, explaining how short-lived tokens are used for resource access in servers. The speaker used clear diagrams to illustrate the workflow, presented a relevant real-world use case, and shared valuable insights from their own experiences, including lessons learned from past mistakes. The room was nearly full for this informative session.
Nubus: An Enterprise Open Source IAM Stack in Kubernetes by Daniel Tröder: this talk about digital sovereignty and Nubus was great! The speaker did a fantastic job explaining what Nubus is and how it works. And the diagrams were excellent (I love a good diagram!). It was helpful to see how standardization of interfaces and data plays a key role. The demo brought everything together nicely.
ACME Certificates with FreeIPA: Simplify SSL/TLS Management by José Ángel de Bustos Pérez and Josep Andreu Font: the talk covered a wide range of topics related to SSL/TLS certificate management, from explaining the ACME protocol and certificate lifecycle to addressing limitations in FreeIPA/Dog Tag and showcasing real-world use cases. The numerous demos were incredibly helpful, walking the audience through every step of certificate issuance, re-issuance, and revocation.
systemd’s User Database API by Lennart Poettering: this talk was a really insightful look at a new API for providing user records. The speaker did a great job explaining Varlink and how the user database works. It was a super interactive session, which made it even more engaging. I loved how he showed how easy it is to extend the JSON-based user records and how they’re making sure sensitive fields are kept privileged and secure. Plus, it sounds like it integrates really well with existing environments, which is a huge step forward.
Federated Identities Anyone? We’ve got lots of them… by Stephan Schwichtenberg: this talk offered a really valuable perspective on the challenges and solutions surrounding digital identity exchange. The speaker highlighted the prevalence of digital identities and the necessity for secure exchange methods. He provided a clear explanation of how techniques like additional random identities and intent tokens can address privacy concerns. The presentation also included a crucial discussion of potential security risks, such as malware and DoS attacks.
SSSD and IdPs by Sumit Bose: this talk was a fantastic introduction to SSSD! The speaker did a great job explaining what SSSD is, where it came from, and why it’s so useful. The presentation covered how to integrate OIDC/OAuth 2.0 based IdPs with Linux/POSIX systems, which is incredibly relevant in today’s IT landscape. The demo was super helpful, and I think it really helped those in the audience who hadn’t heard of SSSD before understand its value.
| IAM devroom auditorium during one of the talks |
Fine-grained access control in LXD with OpenFGA by Mark Laing: this talk offered a practical look at how LXD is tackling access control in private cloud setups. The speaker explained their clever use of ReBAC and OpenFGA, which is a particularly useful approach for air-gapped deployments. The presentation clearly outlined the implementation details and provided a balanced discussion of the benefits and drawbacks, making it easy to understand the real-world implications.
localkdc - A general local authentication hub by Andreas Schneider and Alexander Bokovoy: this presentation examined the current landscape for centralized authentication in Linux environments. The speakers advocated for the adoption of Kerberos, citing its endorsement by Microsoft through IAKerb and Local KDCs. The implementation of IAKerb within MIT Kerberos for Linux was discussed, as was the concept of Local KDCs. Future development plans, including Kerberos principal aliases and kernel support, were outlined. The active participation of the audience highlighted the community’s interest in these advancements.
OpenBao at GitLab - Building Native Secrets for GitLab CI/CD Pipelines by Alex Scheel: this talk offered a really insightful look at the world of Open Source Secrets Management. The speaker shared a great diagram outlining the project’s history, which was super helpful in understanding its evolution. They then dove into how to manage pipeline secrets in GitLab, which is a really practical application. The architecture overview was clear and easy to follow, making it easy to grasp the key components.
FreeIPA-to-FreeIPA Migration Current Capabilities and Use Cases by Francisco Triviño García: this talk presented a compelling narrative of improvements in the FreeIPA migration process. The speaker vividly illustrated the limitations of the older migration tool and introduced a new tool designed to overcome these challenges with remarkable efficiency. The presentation focused on how the new tool streamlines LDAP schema, configuration, and database migration, making this complex process significantly more manageable. While acknowledging that replica, certificate, and Kerberos migration are still under development, the speaker persuasively emphasized the tool’s flexibility and diverse, impressive migration options. A captivating live demo showcased a complete FreeIPA server migration from scratch, providing a clear vision of its practical application.
Enhancing PAM Communication: A JSON-Based Approach for Modern Authentication by Iker Pedrosa: this presentation, a follow-up to last year’s talk on passwordless authentication in the GUI, explored our chosen JSON-based messaging architecture for communication between the SSSD PAM module and the PAM client. The session sparked valuable discussions, with attendees from other projects investigating similar solutions expressing positive feedback on our design.
Comprehensive Federated Authentication for AI/HPC Infrastructure by Jonathan Calmels: this presentation provided a detailed look at an IAM architecture leveraging FreeIPA and SSSD. The speaker explained the various tools involved and discussed the challenges they are currently addressing. The presentation included a comprehensive architecture diagram and numerous supplementary diagrams.
Delegating the chores of authenticating users to Keycloak by Alexander Schwartz: this talk offered a valuable introduction to Keycloak, beginning with a helpful overview of authentication concepts. The speaker clearly explained the range of possibilities unlocked by authentication and then introduced Keycloak as a solution for managing these capabilities. The presentation included practical examples and engaging visuals, such as screenshots and demos, making it easy to understand Keycloak’s features and benefits.
Building Cross-Domain Trust Between FreeIPA Deployments by Francisco Triviño García and Alexander Bokovoy: this talk offered a valuable update on the IPA-IPA trust feature, showcasing its progress and demonstrating its functionality, similar to existing Active Directory trust relationships. The speakers provided practical guidance on testing the feature with containers and outlined next steps in its development. The presentation gave a comprehensive overview of the current state of the feature, including the ongoing work on passwordless authentication methods. A clear and self-explanatory demo effectively conveyed the feature’s capabilities.
Conclusion
Organizing the IAM devroom at FOSDEM this year was a truly special experience, one that I personally found incredibly rewarding. From the initial planning stages to the final wrap-up, the energy and enthusiasm surrounding the event were palpable. The community that came together, both speakers and attendees, was absolutely fantastic. The conversations sparked were insightful, thought-provoking and genuinely inspiring. It was a privilege to witness such a vibrant exchange of ideas and passion. And, to top it all off, being back on stage to give a talk myself was just incredible! I can’t express how much I enjoyed being a part of this year’s FOSDEM and the IAM devroom.
Acknowledgments
I am incredibly grateful to Francisco Trivino Garcia, André Boscatto, Sumit Bose, Alexander Schwartz, José Ángel de Bustos Pérez and Josep Andreu Font for their outstanding teamwork in helping with the IAM devroom. Their collaborative efforts were key to the devroom’s success.