Tags: ldap, openid, fido

ldap/openid connect with FIDO2?


I want to design my private cloud with multiple services to make my life easier. For better usability, I want to be able to log in with the same credentials. For that I looked at LDAP and OpenID, especially OpenLDAP and FreeIPA. But with FIDO2 coming up and making logging in way easier and safer, I wonder if there is a way to use FIDO2 in combination with LDAP or OpenID so users can log in with their FIDO2 tokens while having the same credentials for all services.


Solution

  • So in federated authentication there are three parties: the Federated Client (the website about cats), the Federated Provider (your mega identity provider) and the Authentication Service (the thing that authenticates).

    In terms of OIDC, the OIDC Server will redirect to the auth service with a challenge. The auth service will then fetch the request info via the private (admin) API from the OIDC service; it will then perform all necessary checks, authenticate the user and then ask if the user wants to allow KittyCats.xyz to use their user account to authenticate. If the user agrees, the Auth Server will then notify the OIDC Server that the user gave consent, and in response the OIDC server will return a redirect_url. The Auth Server will then redirect the user to the specified redirect URL.

    So in terms of FIDO this is quite simple. You make a basic FIDO authentication service, then add OIDC logic on top of it and voila, you have FIDO-backed OIDC federated authentication.

    If you want to play around I highly suggest playing around with ORY/HYDRA. They have a full demo with a mini Auth Service and a wonderful tutorial to get you started: https://www.ory.sh/hydra/docs/5min-tutorial