
Identity management, single sign-on and certificates with FreeIPA

Formal metadata

Title
Identity management, single sign-on and certificates with FreeIPA
Series title
Number of parts
160
Author
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in modified form, only under the terms of this license.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
Identity management, single sign-on and certificates with FreeIPA [EuroPython 2017 - Talk - 2017-07-13 - PythonAnywhere Room] [Rimini, Italy]

Authentication, authorization and public key infrastructure are complicated and hard to get right, yet crucial for every infrastructure. Manifold user databases in each application as well as ad-hoc self-signed TLS/SSL certificates don't scale and are hard to administrate. Users don't want to remember a password for each service, admins prefer a centralized PKI, and developers struggle with correct handling of passwords.

FreeIPA is an Open Source, Python-based identity management solution. It is much more than a simple user database. FreeIPA combines multiple mature products under an easy-to-use installer, command line and web interface: 389-DS LDAP server, MIT Kerberos, Dogtag PKI certificate system, BIND DNS with DNSSEC, SSSD, certmonger and more. It provides identities for users, services and machines with single sign-on (optionally 2FA) and role- or host-based ACL. Keycloak and Ipsilon IdP can be integrated to offer OpenIDC or SAML. Mutual trust with Active Directory is possible, too.

Installation of a FreeIPA server and integration with a WSGI application is much simpler than you might think. At the end of my talk you will know how to deploy a FreeIPA server with just one command, how to add replicas for redundancy, how to authenticate users and access user data like name, email and group membership without adding a single line of Kerberos or LDAP code to your application, and how to issue TLS certificates with auto-renewal and OCSP.