SSO-adjacent, homelab-ish question; I'm not sure where to ask

Hi,
I’m a watcher of Tom’s YouTube homelab show.
Quite enjoy it.

Stopping in here looking for ideas / sympathy with a big block of text (probably in the wrong place) and the hope that someone may have faced a similar challenge.

I have been solely managing my residential networks across multiple locations for a long while. There is a large shared estate in a remote location involved, and other building locations. I have 2 to 7 LANs at 3 locations frequented by mostly the same people, but rarely at the same time.

For a small group of people the tech needs are high. Currently I have a great deal of L2 networking, with some L3 and a tiny bit of L4, across multiple ISPs. Everyone is in the tech field or adjacent in their respective fields, without a lot of “networking” overlap.

When everyone is in the same place at the same time it’s more like a medium-sized lab than a residence.
The younger generation (data analysis, quant, electrical engineering, computer science) has an interest in spinning off their own segments now, and I don’t mind passing the reins.

Still, I think I’m going to adopt some guard rails, hence an interest in using something like Infisical for keys and secrets in containers. I get that it’s overkill. I’d like to set them up with their own Gitea / lab servers. I’ve read of PKI support, but am honestly unsure of support for self-hosting that feature, and across physical locations.
It’s (Infisical) what I’d consider a doable but larger homelab project for myself; if I can learn from the experience of someone before me, it would be appreciated.

Apologies for the blast of text. I am also not opposed to using a Smallstep CA Pi tutorial with some webhooks, as outlined in the related Smallstep CA with device attestation write-up for distributed FIDO keys I have found. I liked the idea of handling site management that way, with some Authentik as needed along with a certificate-aware proxy. That is my preference for how I’d like to handle it. I have plenty of parked domain names suited for various resources and have played with the idea of multiple CAs.

However, recently I have decided it is time to unhappily, begrudgingly accept UniFi into my life. All my subnets and outbuildings are filling up with Ubiquiti so much that it’s time.

I would like to take advantage of some SSO to allow guests and visitors some amount of administrative network access / limited server access and physical entry control access.

This is the sort of thing I did for a living for quite a long while, and normally I’d say Entra ID, public key, Okta, the usual suspects, all 4.99 and up per user per month as far as I can tell, and I’m considering a dozen IDs used sporadically. To complicate matters, no three people use the same current identity or verification methodology.

While planning my new UniFi deployment I was happy to see options for unlocking doors with cellphones and onboarding/offboarding users, but how can I host a solution for this type of access, not for myself but for the people who are there at any given time, without incurring the identity provider costs for a dozen people who I want to enjoy, break and use what has been left there for them to do just that? It’s the identity management I can’t figure out. I’d tell myself Domain Controller / Azure directory / Cloud IAM, but I don’t want to hear that.

That was a bit to parse through. I had to reread it a few times, but this might be a bigger discussion. For now I am going to give an “at face value” answer. For the core it will be Authentik + Smallstep, because everything will tie into those. But for the sake of being complete I listed the following so I can capture everything as a whole to visualize.

Identity Plane

  • Authentik (users, SSO, MFA, OIDC, LDAP, SAML)

Secret Management Plane

  • Infisical (app secrets & developer workflows)
  • Smallstep CA (cert issuance, machine identity)

Network/Access Plane

  • UniFi (APs, gateways, door access)
  • Authentik as OIDC provider for UniFi Identity

Dev/Service Plane

  • Gitea/GitLab
  • Containers, K8s, Proxmox clusters, etc.
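The identity-plane-to-access-plane link above (Authentik issuing OIDC ID tokens that UniFi Identity consumes, with group claims deciding Wi-Fi, door and lab-server entitlements) hinges on one check: the relying party must verify the token's signature, issuer, audience and expiry before mapping groups to access. The following is an added example, not code from either project; the issuer URL, audience, shared secret, group names and entitlement names are all constructed placeholders, and HS256 with a client secret is used so it runs offline with the standard library.

```python
import base64, hashlib, hmac, json

# Constructed placeholders: not values from any real Authentik/UniFi deployment.
ISSUER = "https://auth.example.internal/application/o/unifi-identity/"
AUDIENCE = "unifi-identity"
CLIENT_SECRET = b"constructed-client-secret"

# Assumption: Authentik passes group membership in a "groups" claim.
# Entitlement names are hypothetical; unknown groups grant nothing.
GROUP_ENTITLEMENTS = {
    "residents": {"wifi-lan", "door-main", "lab-servers"},
    "guests": {"wifi-guest"},
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256 JWT; only used here to construct sample tokens offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, now: int, secret: bytes = CLIENT_SECRET) -> dict:
    """Verify alg, signature, issuer, audience and expiry; return the claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

def entitlements(claims: dict) -> set:
    """Map verified group claims to access entitlements (union across groups)."""
    return set().union(*(GROUP_ENTITLEMENTS.get(g, set()) for g in claims.get("groups", [])))
```

A guest signed in through the same issuer only ever lands in the `guests` group, so the mapping, not the token, is what keeps them off the door controller and lab servers.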

That is about the size of it from a high view, thanks.

The OIDC provider for UniFi Identity is definitely the part that I’m having trouble with planning, cost-wise / self-hosting.

I’ve visited the CA attestation idea repeatedly and it always ends up real clunky with ACME and DNS challenges as I look into it. And I know of some issues that can arise.
The access integration with UniFi Identity is tough for me to expose, and the attestation would need a path for a publicly exposed TLS/SSL endpoint for renewal of a component in the handshake, as I’m figuring it.

That’s why the Identity integration was so appealing. Add in a couple of features, though, and the cost of that per user over years makes it difficult to justify continuing an on-premise structure, other than to maintain a certain amount of off-grid capabilities. It’s close to the cost-benefit straw and a real hang-up for me with the course I’m trying to lay out.

Not sure it applies to you, but Bitwarden Secrets Manager might be useful to you. It’s got an SDK, API, CLI, etc., and has a basic free tier.

Thanks for the suggestion.
I’ve considered a new feature (new to me, at least) in GitHub Actions that looks like it would accomplish a lot of what I’d like to do with the proposed secrets management project, in conjunction with something like that. The user authentication against IDs for the identity decision at the end, for me, informs choices across the rest of the stack. That would work well for some things, I’m sure; I will keep it in mind.
I would sure like some way to grant access to physical access control, on-site hardware services and APs supporting multi-SSID / VLANs to about a dozen people, who each may have guests to enlist, using something they are, something they know, something they have.
There are site monitoring, gate control and door control considerations. One location is literally on an island; to get a stick of gum from there to the midpoint location is close to a 3 hour trip across meatspace. From that closest point it’s 5 more hours to deliver said stick to the previously mentioned shared remote location. Actual remote wilderness, north of the middle of nowhere, large-property remote location.

High interest in Tom’s YouTube video last night on UniFi Site Fabric. That seems like it would largely be suited to the task. Hope to see more on it.

Wish I could figure out something for hosting a small group of identities. I remember reading about UniFi ID working with a locally hosted IdP, and everything looked clean and supported both ways between ID and the solutions I’m interested in for that, which is great,

but wow, the cost for what I once did with policy, smartcard and NFC readers across to BYOD in my scenario really adds up.

The 4.99 tier plans are justifiably designed not to support my use case directly. And it’s no small thing for me: the per-user, per-month, per-feature cost over years really adds up significantly, and for occasional sporadic use at that.

I am truly hung up on this.

Eager to see if this Site Fabric solution has the potential to fill in something I am conceptually missing.