#5446 [RFE] Allow federation in the cloud without cross forest trust
Closed: wontfix 5 years ago by rcritten. Opened 8 years ago by dpal.

As a user I want to be able to run Linux systems in the public cloud. I want to use IPA as the system that manages my SSH keys. My SSH keys are actually derived from my user cert and it is really required that I use SSH with the cert to access systems in the cloud. Kerberos is not allowed.
My cloud service provider set up a service for me. It is an SP and my enterprise IdP (most likely ADFS) will authenticate me and issue a SAML assertion. This service will consume the assertion and will drive my rights and privileges in the cloud. It will be a front end to FreeIPA. When I log into this service with SAML my account will be created in IPA. I would need to log into the IPA console to set my SSH key. To log into the IPA UI my authentication to my IdP should be trusted. I should not be required to have a password in IPA at all.

The current existing solution can either set a random password each time the user logs into the service portal and then post into the IPA login form, but this would not scale and can have issues with replication. Another approach would be to use OTP, which would work better but would require the service to keep the password and key in its DB. Not optimal either. Granting the proxy service the right to do user impersonation using S4U will be very risky, so this ticket asks for a solution to front end IPA in the most secure way and be able to log the user into IPA automatically without requiring additional authentication. Effectively it asks to respect an external authentication in IPA UI (and potentially CLI).


Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
