Supported Features

This is a list of supported features and standards within Kanidm.

Authorisation

• Role Based Access Control
• NIST Digital Identity Guidelines

Cryptography

• Password Storage
  • RFC9106 - Argon2ID
  • TCG TPM Credential Binding (HMAC)
• RFC6238 Time Based One Time Password
• RFC7519 JSON Web Token
• RFC7516 JSON Web Encryption

Data Import

• RFC4533 LDAP Content Synchronisation
  • RFC4519 LDAP Schema
  • FreeIPA User Schema
• RFC7644 SCIM Bulk Data Import

Database

• ACID Compliance

LDAP

• RFC4511 LDAP (read-only)
  • bind (simple)
  • search
  • filter
  • whoami
  • compare
• LDAPS (LDAP over TLS)

OAuth2 / OpenID Connect

• RFC6749 OAuth 2.0 Authorisation Framework
  • Authorisation Code Grant
  • Client Credentials Grant
  • RBAC scope mapping
• RFC6819 OAauth 2.0 Threat Model and Security Considerations
• RFC7009 Token Revocation
• RFC7662 OAuth 2.0 Token Introspection
• RFC7636 Proof Key for Code Exchange (SHA256 Only)
• RFC8414 OAuth 2.0 Authorisation Server Metadata
• RFC9068 OAuth 2.0 JWT Access Tokens
• OpenID Connect Core 1.0
  • RBAC claim and scope mapping
  • PII scope claim requests
  • ES256 id_token signatures
• OpenID Connect Discovery 1.0

RADIUS

• MSCHAPv2
• EAP TLS (client certificate authentication)

Replication

• Strong Eventual Consistency

Unix Client

• PAM/nsswitch client authentication

Webauthn

• Webauthn (level 3)
• FIDO MDS Attestation