[CentOS-devel] Plans for SSO across centos.org subdomains?

Fabian Arrotin

arrfab at centos.org
Tue Aug 16 10:08:07 UTC 2016


On 16/08/16 11:49, Karanbir Singh wrote:
> On 16/08/16 10:30, Fabian Arrotin wrote:
>> For existing resources within centos.org that we deployed before ACO was
>> available, those were configured to use their built-in users DB. So we
>> can invest time to see which are the possibilities to be tied to ACO but
>> it needs at least some glue, like for example token/oauth. Actually, ACO
> >> on its own can't do that (nor is "ldap" compatible) so we need to set up
>> something in between (like what's done for the Fedora project) to do
>> that, like either ipsilon (https://ipsilon-project.org/) or keycloak
>> (http://www.keycloak.org/)
> 
> prolly worth looking at keycloak once

don't mind doing it, but last time I checked, it was targeting existing
backends like LDAP or Active Directory so not FAS (which is our backend
for ACO)

> 
>> But the remaining issue would then be to have *everybody* signing
> >> through ACO to get an account that will match with each deployed
> >> application (like MantisBT for bugs.centos.org and so on). So you can
>> imagine the impact
> 
> Would we not be able to rehash the user accounts from bugs.centos.org
> over to a.c.o ? and send them all a reminder to set a new password ?
> 

Once existing users have signed to ACO, we'll probably be able to do a
matching table and see how MantisBT allows external authentication. But
the real problem is that all existing users will then have to sign up
manually on ACO (we can't "bulk register" users, also because of the email
validation step that is mandatory)

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
