[katello-devel] Design of SSO - screencast

Ohad Levy ohadlevy at redhat.com
Mon Mar 11 12:31:27 UTC 2013



| > My main concern is that this would not be a drop-in replacement for current
| > foreman users, and we would need to maintain multiple SSO backends (e.g.
| > what foreman currently has with Apache) or plain authentication (e.g. it
| > won't answer get user details).
| I'm not sure whether I get it right but this SSO application was not meant to
| be any replacement. Users would not be forced to use it at all. It should
| allow users only one thing that it's named after - they just sign in once and
| they can use other systems immediately. The only thing that's needed from
| Foreman's point of view is adding support for a custom OpenID provider.
| 
| It's 39 LOC including whitelines and comments. The biggest benefit would be
| that Katello and Foreman (and maybe other systems) would not have to implement
| various authentication methods separately. It means having Kerberos, LDAP and
| e.g. OpenID authentication in one place and reused by all applications. Hence
| you could remove some SSO backends you may already have in Foreman.
| 
| Does it make sense? What should this SSO solution fulfill to meet Foreman
| requirements?


The issue here is that you would need to configure LDAP twice, once for the SSO app to authenticate, and the other time for Foreman to query user/group information.

This means you store the pw twice, and also means that I can't get rid of the LDAP-related code in Foreman.

PS. If you intend to send this mail to the public (and get feedback from the Foreman community), please use the Foreman developers mailing list hosted at Google lists.

Ohad



