One of the obstacles to deploying open source SaaS is user management. When each application has its own user management, it becomes complicated to build a workable system for the business or team, to build reliable workflows across applications, and to keep the data of the business or team secure. Federated Core Platform provides two layers of authentication to deal with these problems.

LDAP

The foundation of Federated Core Platform authentication is LDAP. Every application connects to LDAP. If it doesn’t use LDAP, it doesn’t work on the platform. There are some applications for which the only account in LDAP is the administrator and the other users are created in the application itself. An example is Vaultwarden (password manager), because of the very sensitive nature of the information stored in Vaultwarden, outside of access to Core services. You create the user in Vaultwarden as the administrative user, and the account is then connected to Core LDAP (if desired).

LDAP services can be exposed to networks outside of Core to be used by other systems that use LDAP. An example would be a collection of Windows, macOS, and Linux desktop computers where you want users to log in to these machines using their Core credentials from LDAP. You could also use Core LDAP for other software systems where you want a central user repository for access control, such as virtual desktop environments.

Core LDAP supports users and groups. For example, you can delegate administrative access controls to certain users in Nextcloud using LDAP.

LDAP is managed through the Federated Core app “Panel”.

OIDC

Single sign-on is provided in Federated Core Platform by Authelia. This allows, for example, a customer to log in to one open source SaaS application in a browser and to be automatically logged in to other Core applications in the same browser. It also allows the user to log out of all applications in the same way.

Federated Core applications default to OIDC authentication when the application supports it. Most do. Some applications only support OIDC with a premium upgrade (also supported), but a few don’t (yet) support OIDC or only support authentication using OIDC providers such as Google, etc. Federated plans to provide workarounds for all applications to use OIDC and has done this successfully for some (e.g. cal.com).