[CentOS-devel] Plans for SSO across centos.org subdomains?

Tue Aug 16 09:30:33 UTC 2016
Fabian Arrotin <arrfab at centos.org>

On 16/08/16 11:20, Laurentiu Pancescu wrote:
> Are there any plans for enabling single-sign-on between the different
> centos.org subdomains?  Perhaps at least between accounts and bugs, if
> not also cbs or others?
> 
> I remember seeing how SSO can work seamlessly in a big company - the
> Windows login and a client cert enabled access to pretty much
> everything, from web apps like HR, to different servers, even unlocking
> the LAN port you were connected to.  This is highly practical when it
> works.  Then again, I was in R&D (not in IT, which had to configure the
> whole thing). :)
> 
> Regards,
> Laurențiu

I guess you mean using ACO (https://accounts.centos.org) as the central
users DB?
Actually CBS is using certificates issued from ACO directly, so it's
already integrated (and people are granted/removed rights automatically
at the cbs/koji level depending on their group membership in ACO).

For existing resources within centos.org that we deployed before ACO was
available, those were configured to use their built-in users DB. So we
can invest time to see what the possibilities are to tie them to ACO, but
it needs at least some glue, like for example token/oauth. Actually, ACO
on its own can't do that (nor is it "ldap" compatible), so we need to set up
something in between (like what's done for the Fedora project) to do
that, like either ipsilon (https://ipsilon-project.org/) or keycloak
(http://www.keycloak.org/).

But the remaining issue would then be to have *everybody* signing
through ACO to get an account that will match with each deployed
application (like MantisBT for bugs.centos.org and so on). So you can
imagine the impact.

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
