FreeIPA

FreeIPA is an “integrated security information management” stack that centralizes identities, policies, certificates, and DNS for POSIX-style domains. It ships a Web UI and CLI, stores identity data in 389-DS, issues Kerberos tickets from an MIT KDC, manages host/service certificates via Dogtag, and can establish cross-forest trusts with Microsoft Active Directory.

Key Capabilities

  • Kerberos/LDAP SSO for Linux estates: Kerberos authentication with LDAP directory services; SSSD-based clients consume identities/attributes and enable single sign-on to enrolled hosts and services.

  • Active Directory trusts: One-way and cross-forest trust models to allow AD users to access resources in a FreeIPA realm.

  • Integrated PKI & certificate lifecycle: Built-in Dogtag CA with RA front end; supports certificate requests/renewal, sub-CAs, and CA certificate renewal workflows.

  • Integrated DNS: Manage DNS zones/records from the same admin surface; tight coupling with host/service enrollment and dynamic updates.

Limitations

  • No native SAML/OIDC IdP: FreeIPA does not issue SAML or OIDC tokens. Federation to web/SaaS apps is typically added via an external IdP (e.g., Keycloak) integrated with FreeIPA.

  • Linux/POSIX focus: Designed primarily for Linux/UNIX domain SSO (Kerberos/LDAP). Windows and SaaS federation scenarios depend on AD trusts and/or external IdPs/gateways.

  • Self-hosted operations: Operators manage the multi-master replication topology, backups, CA renewal, DNS zones, and upgrades themselves; there is no vendor-hosted SaaS edition.

  • Web SSO complexity: Kerberos-to-web SSO (Apache modules, PAM/SSSD checks) requires web-tier configuration and may not suit public internet apps without a federation layer.
