[katello-devel] Design of SSO

Dmitri Dolguikh dmitri at redhat.com
Mon Mar 4 14:19:42 UTC 2013


Why not use real OpenID server/protocol for user authentication?

RP side:
  - displays user identity dialog (and performs HTML-based OP discovery, see [2])
   - when using our SSO we can use pre-configured user id prefix (http://redhat.com/sso/user in Marek's example)
  - creates and handles the cookie (that stores user identity)

OP side:
  - performs authentication. Automatically assumes that user trusts 
Katello and Foreman (requires some amount of modification on the 
provider side).


This would give us better control over the cookie (OpenID provider is 
not involved). We also would be using a mostly normal OpenID provider. 
The somewhat inconvenient bit is in userid and password being entered on 
separate screens.

Thoughts?
-d


[2] http://openid.net/specs/openid-authentication-2_0.html#html_disco


On 01/03/13 01:55 PM, Marek Hulan wrote:
> Hi all
>
> As a part of US I work on this iteration I created a design wiki page [1] for
> SSO discussed recently. Please take a look and ping me if you have any
> comments or questions.
>
> [1] https://fedorahosted.org/katello/wiki/SingleSignOn
>
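
The RP-side steps proposed in the message above (claimed identifier built from the pre-configured prefix, HTML-based OP discovery per [2], and an RP-issued identity cookie), as an added Ruby sketch that is not part of the original email or of Katello's code. The way the prefix and login are joined, the OP endpoint URL, the cookie layout, the key and the sample page are all assumptions made for illustration.

```ruby
require 'openssl'
require 'uri'
ID_PREFIX  = 'http://redhat.com/sso/user'      # prefix quoted in the email
TRUSTED_OP = 'https://sso.example.com/openid'  # hypothetical OP endpoint
COOKIE_KEY = 'constructed-demo-key'            # constructed; use a real secret

# Assumption: claimed identifier = prefix + "/" + escaped login name.
def claimed_id(login)
  "#{ID_PREFIX}/#{URI.encode_www_form_component(login)}"
end

# OpenID 2.0 HTML-based discovery: only <link> elements inside HEAD count.
def html_discover(html)
  head = html[/<head\b[^>]*>(.*?)<\/head>/mi, 1] or return nil
  found = {}
  head.scan(/<link\b[^>]*>/mi) do |tag|
    rels = (tag[/\brel\s*=\s*["']([^"']*)["']/i, 1] || '').downcase.split
    href = tag[/\bhref\s*=\s*["']([^"']*)["']/i, 1] or next
    found[:provider] ||= href if rels.include?('openid2.provider')
    found[:local_id] ||= href if rels.include?('openid2.local_id')
  end
  found[:provider] == TRUSTED_OP ? found : nil   # RP only accepts its own OP
end
def mac_for(payload)
  OpenSSL::HMAC.hexdigest('SHA256', COOKIE_KEY, payload)
end

# The RP, not the OP, creates the identity cookie: payload plus HMAC tag.
def issue_cookie(identity, now = Time.now.to_i, ttl = 3600)
  payload = ["#{identity}|#{now + ttl}"].pack('m0')
  "#{payload}.#{mac_for(payload)}"
end

# Returns the identity, or nil if the cookie was altered or has expired.
def verify_cookie(cookie, now = Time.now.to_i)
  payload, tag = cookie.to_s.split('.', 2)
  return nil unless payload && tag
  good = mac_for(payload)
  return nil unless good.bytesize == tag.bytesize &&
                    good.bytes.zip(tag.bytes).sum { |x, y| x ^ y }.zero?
  identity, _, expiry = payload.unpack1('m0').rpartition('|')
  expiry.to_i > now ? identity : nil
end

SAMPLE_PAGE = <<~HTML   # constructed sample of the page at the identity URL
  <html><head><link rel="openid2.provider" href="https://sso.example.com/openid">
  </head><body><link rel="openid2.provider" href="https://other.example.net/op">
  </body></html>
HTML
```

The regex-based tag scan keeps the sketch dependency-free; a real RP would use an HTML parser or an OpenID library for discovery.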
