From 56d287248039f56c7b6bba3860061cb2b4460337 Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Nov 17 2022 09:38:54 +0000 Subject: docs: add security section to idp Related: https://pagure.io/freeipa/issue/8805 Related: https://pagure.io/freeipa/issue/8804 Related: https://pagure.io/freeipa/issue/8803 Reviewed-By: Alexander Bokovoy --- diff --git a/doc/designs/external-idp/external-idp.md b/doc/designs/external-idp/external-idp.md index 0b01769..fa5b300 100644 --- a/doc/designs/external-idp/external-idp.md +++ b/doc/designs/external-idp/external-idp.md @@ -497,3 +497,23 @@ and calls out to the `oidc_child` process to verify the user identity against an associated IdP. [idp-api]: idp-api.html + +## Security + +* communication between Kerberos client and KDC happens over FAST channel +* communication between KDC and FreeIPA (`ipa-otpd`) happens over root-owned + UNIX domain socket +* communication between `oidc_child` and IdP happens over `https` +* no authentication tokens are exchanged between client, KDC and FreeIPA +* IdP server URLs can only be set by administrator +* IdP server URLs are not auto discovered, they need to be added manually +* user authenticates to the external identity provider using the method required + by the provider, FreeIPA does not have any control over the selected method + +### Recommendations + +* administrators must thoroughly check all URLs they add when creating the IdP + server +* users must check that the presented device authorization URL is correct and + that the authentication happens over secure channel (usually `https`) with + valid certificate
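Review bot: In the new "Security" list, the bullet "communication between `oidc_child` and IdP happens over `https`" does not say whether `oidc_child` validates the IdP's certificate or which trust anchors it uses, while the "Recommendations" list asks users to check for a "valid certificate" themselves. Please state the validation behaviour on the `oidc_child` side explicitly so the two lists are consistent. The item "administrators must thoroughly check all URLs they add when creating the IdP server" would be more actionable if it named what to check, for example the scheme and host of each configured endpoint. The bullet "no authentication tokens are exchanged between client, KDC and FreeIPA" would be clearer if it said what is passed between those components instead. Minor style point: several bullets drop articles ("over FAST channel", "over root-owned UNIX domain socket", "over secure channel").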