[Freeipa-users] FreeIPA and Application Specific Passwords

Dmitri Pal dpal at redhat.com
Thu Feb 19 16:32:45 UTC 2015


On 02/19/2015 11:29 AM, Martin Kosek wrote:
> On 02/19/2015 05:23 PM, Dmitri Pal wrote:
>> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
>>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>>>> Except where we don't want single sign on, and separate passwords are
>>>> advantageous or even required:
>>>>
>>>>    - Web logins
>>> Could you elaborate on the use cases when you'd want your users to log
>>> in using their passwords on a Web login, instead of using SSO, be it
>>> Kerberos or SAML? Is that purely the application not supporting it
>>> or are there some other reasons (you say "we don't want single sign
>>> on" which sounds like a political or compliance issue, not technical
>>> one).
>>>
>> IMO the case is:
>> I have a phone and a tablet and a laptop.
>> I do not want to use one password for all three.
>> On the phone and tablet, people save their passwords, so I do not want to have
>> the same password cached on all devices. I want to have a password per device.
>>
>> IMO the way to go is certs rather than passwords.
> Certs would certainly help in this case. However, the UX would need to be
> really good in order to beat saved password in GMail style, IMO.

I imagine Ipsilon-based SSO when Ipsilon can make a decision on which
assertions to issue depending on the cert you have.

>
>> We are not there yet but with upcoming changes we will get much closer.
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



