OpenHIE migrating from Crowd to LDAP

@cintiadr,

OpenHIE is looking to migrate from Crowd to using LDAP.

I realize OpenMRS is still using Crowd to connect our Atlassian tools to LDAP, but are there any pearls of wisdom, tips, or traps to avoid that you recall from moving OpenMRS to LDAP – e.g., any things you wish you had considered beforehand or done differently?

Knowing OpenMRS is going to have to migrate to Atlassian’s Cloud within the next year or two, do you know if there’s a free way to integrate Atlassian Cloud apps with LDAP? The SAML options for Atlassian Access look like they’re commercial ($ per user) options or Google (which might run into quota limits or introduce management headaches).

Cheers,

-Burke

/cc @jthomas

2 Likes

Hi there!

Honestly, I haven’t even started going down that rabbit hole.

Initially, I hoped that we could use Atlassian as our IDP for everything else, but it’s not a service they are interested in. If I can delegate authorization to a 3rd party service, I would. Ideally, I don’t even want to keep LDAP by myself, but rather get someone to do that for me.

I have no solution as of yet. I tried Auth0 a couple of years ago (as they supposedly have an open source pricing), and it was bullshit. They only consider open source if we forbid anyone from using our software commercially, which leads me to write a strongly worded email every year as they ping me for updates.

I honestly find LDAP way too complex, in general. I think I’d prefer to have someone else do the SSO part, or I’d host it.

1 Like

I’d say to please do not implement your own authentication/authorisation app, for sure. It’s way too troublesome.

1 Like

@cintiadr thank you for your honest feedback. It sounds like this is a road not traveled easily so we’ll have to take a really hard look at OpenHIE’s strategy and next steps towards improving our infrastructure.

1 Like

It does look like Atlassian Access can be configured to work with Keycloak. Keycloak is one of the most popular open source identity management solutions; it’s just not one of the options officially supported by Atlassian.

Maybe we could host Keycloak for a future OpenMRS ID that could work with Atlassian tools and other services? The Keycloak community uses Discourse (which seems promising), but I also see people struggling to configure Keycloak with Discourse. 😕

1 Like

Hi @burke,

I’ve done some research into this a little while ago. The primary issue with Atlassian Access and using SAML for it is that they do not allow SSO just for anyone, only people with email addresses on your verified domain (for us, it’d be only available for folks on an @openmrs.org email), and as far as I’m aware there is no way to bypass that. This limit is imposed upon all SAML providers.

Quote from Atlassian Access SAML Knowledge Base article:

> Note that SSO will only apply to user accounts from your verified domains.

Don’t do it – I learned the bare minimum I had to in order to work with OpenMRS ID.

Also, OpenMRS ID needs to go away yesterday. It’s only a matter of time until someone exploits one of the many outstanding vulnerabilities that are present.