[Freeipa-users] FreeIPA and Application Specific Passwords

Martin Kosek mkosek at redhat.com
Thu Feb 19 16:29:13 UTC 2015


On 02/19/2015 05:23 PM, Dmitri Pal wrote:
> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>>> Except where we don't want single sign on, and separate passwords are
>>> advantageous or even required:
>>>
>>>   - Web logins
>> Could you elaborate on the use cases when you'd want your users to log
>> in using their passwords on a Web login, instead of using SSO, be it
>> Kerberos or SAML? Is that purely the application not supporting it
>> or are there some other reasons (you say "we don't want single sign
>> on" which sounds like a political or compliance issue, not a technical
>> one).
>>
> IMO the case is:
> I have a phone and a tablet and a laptop.
> I do not want to use one password for all three.
> On the phone and tablet people save their passwords so I do not want to have
> the same password cached on all devices. I want to have a password per device.
> 
> IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be
really good in order to beat a saved password in GMail style, IMO.

> We are not there yet but with upcoming changes we will get much closer.
> 



