Supporting more identity providers on Ubuntu with the new Authd OIDC broker

Today we are announcing the general availability of the new generic OpenID Connect (OIDC) broker for Authd. With enterprises needing to centralise access management controls, the ability to choose your own identity solution is paramount. This new broker snap is our answer to that need, allowing Ubuntu Desktop and Server to integrate with any identity provider that supports a vanilla OIDC flow. This release empowers both our community members with self-hosted solutions like Keycloak and our enterprise clients leveraging platforms such as Okta, allowing a unified authentication experience across the entire infrastructure and application ecosystem.

What is Authd?

Authd is a modern authentication daemon for Ubuntu that enables direct integration with cloud-based identity providers. This approach marks a significant shift away from traditional, complex infrastructure components like FreeIPA or dedicated Vault instances, which often come with considerable maintenance overhead. With Authd, Ubuntu endpoints can communicate with your chosen identity provider directly and in a securely designed way, dramatically simplifying management, reducing operational costs, and centralizing all authentication event visibility for easier auditing and monitoring.

Authd’s modular architecture is the key to its flexibility. It consists of a privileged daemon that exposes a standardized API over DBus, and individual broker snaps that facilitate integration with various cloud services. This design leverages the OAuth 2.0 Device Authorisation Grant (also known as the Device Flow), an open standard that enhances security. It also provides a consistent and intuitive user authentication experience, whether a user is logging into a graphical session on Ubuntu Desktop or accessing a command-line interface via SSH on a remote server.

What’s new: agnostic identity provider integration with OIDC

The new generic OIDC broker is a significant expansion of the Authd ecosystem. While we have previously offered dedicated brokers for Microsoft Entra ID and Google IAM, this new broker opens the door to a vast landscape of identity providers. This includes community members using self-hosted solutions like Keycloak, and enterprises utilizing standards-compliant OIDC platforms such as Okta, Auth0, or Ping for their identity management. Ultimately, enterprises will be able to use a single, modern identity solution across their server and application landscape.

Authd’s design prioritizes flexibility in identity management for Ubuntu, aiming for broad compatibility with various identity providers. By adhering to the OIDC standard, Authd adapts to evolving identity landscapes. The OIDC broker snap contributes to this by offering a standards-aligned, configurable interface for OIDC-compliant platforms, enhancing infrastructure compatibility.

Advanced user and device management

Alongside the flexibility of the OIDC broker, we are also ensuring that our users have the powerful management features they need. The new broker snap supports the same advanced functionalities as our other brokers, providing granular control over access and permissions:

  • Allowlist: Restrict machine access to a specified list of users who are allowed to log in after a successful authentication with the identity provider. This provides an essential layer of security and control, particularly for shared or special-purpose machines where only specific personnel should have access.
  • Privilege management: Administrators can configure custom claims on their identity providers to assign users to specific Linux groups, such as sudo. This enables centralized permission management directly from the identity provider, simplifying user administration on remote machines and providing a clear, auditable trail for compliance purposes.
  • Device ownership: Define rules for device ownership based on login events. For example, the first user to successfully authenticate on a new laptop can be automatically designated as its owner, streamlining the provisioning process for IT departments managing a remote workforce.
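The following added example models how the three controls above combine into one local access decision. It is not Authd's code or configuration format: the claim name `linux_groups`, the `Policy` fields and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical custom claim name; a real deployment uses whatever claim the
# administrator configured on the identity provider.
GROUPS_CLAIM = "linux_groups"


@dataclass
class Policy:
    allowed_users: set = field(default_factory=set)  # explicit allowlist
    owner: Optional[str] = None                      # filled in on first login
    # Only groups listed here can ever be granted from a token claim, so an
    # IdP misconfiguration cannot hand out arbitrary local groups.
    mappable_groups: frozenset = frozenset({"sudo", "docker"})


def norm(username):
    """Compare usernames case-insensitively and without stray whitespace."""
    return username.strip().lower()


def authorize(policy, claims):
    """Return (allowed, groups) for claims taken from a verified ID token.

    Signature, issuer, audience and expiry validation must already have
    happened; this function only applies the local policy.
    """
    user = norm(claims.get("preferred_username", ""))
    if not user:
        return False, []
    if policy.owner is None:
        policy.owner = user  # device ownership: first successful login wins
    allowlisted = user in {norm(u) for u in policy.allowed_users}
    if not (allowlisted or user == policy.owner):
        return False, []
    requested = claims.get(GROUPS_CLAIM, [])
    if not isinstance(requested, list):
        return True, []  # malformed claim: log in, but grant no extra groups
    groups = sorted(g for g in requested
                    if isinstance(g, str) and g in policy.mappable_groups)
    return True, groups


if __name__ == "__main__":
    policy = Policy(allowed_users={"alice@example.com"})  # constructed data
    for name in ("bob@example.com", "alice@example.com", "mallory@example.com"):
        print(name, authorize(policy, {"preferred_username": name,
                                       GROUPS_CLAIM: ["sudo", "root"]}))
```

Because ownership here is trust-on-first-use, the first login on a freshly provisioned machine is the event worth monitoring.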

Get the new broker and additional resources

The new generic OIDC Authd broker is available today on Snapcraft. We encourage you to explore the possibilities it unlocks for your Ubuntu deployments.

We are committed to expanding the capabilities of Authd and supporting the diverse needs of the Ubuntu community and our enterprise customers. This release reaffirms our dedication to open standards and enterprise-grade security for everyone. We welcome your feedback and contributions to the project.
