[Freeipa-users] FreeIPA and Application Specific Passwords

Simo Sorce simo at redhat.com
Fri Feb 20 00:41:55 UTC 2015


On Thu, 2015-02-19 at 11:32 -0500, Dmitri Pal wrote:
> On 02/19/2015 11:29 AM, Martin Kosek wrote:
> > On 02/19/2015 05:23 PM, Dmitri Pal wrote:
> >> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
> >>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
> >>>> Except where we don't want single sign on, and separate passwords are
> >>>> advantageous or even required:
> >>>>
> >>>>    - Web logins
> >>> Could you elaborate on the use cases when you'd want your users to log
> >>> in using their passwords on a Web login, instead of using SSO, be it
> >>> Kerberos or SAML? Is that purely the application not supporting it
> >>> or are there some other reasons (you say "we don't want single sign
> >>> on" which sounds like a political or compliance issue, not technical
> >>> one).
> >>>
> >> IMO the case is:
> >> I have a phone and a tablet and a laptop.
> >> I do not want to use one password for all three.
> >> On the phone and tablet people save their passwords so I do not want to have
> >> same password cached on all devices. I want to have a password per device.
> >>
> >> IMO the way to go is certs rather than passwords.
> > Certs would certainly help in this case. However, the UX would need to be
> > really good in order to beat saved password in GMail style, IMO.
> 
> I imagine Ipsilon based SSO when Ipsilon can make a decision which 
> assertions to issue depending on the cert you have.

A lot of apps can't do certs.

I mentioned to someone (Nathan, did I talk with you?) a few weeks ago
during DevConf.cz an idea I have to actually build application passwords
(and more) support.

I will try to come up with a design page as soon as I get a moment to
put down my thoughts coherently.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



