Re: Sandstorm authentication

To: Andy Simpkins <rattusrattus@debian.org>, paulproteus@debian.org
Cc: debconf-video@lists.debian.org
Subject: Re: Sandstorm authentication
From: Laura Arjona Reina <larjona@debian.org>
Date: Fri, 26 Jul 2019 22:19:28 +0200
Message-id: <[🔎] 7ddfac1b-d604-4c4a-4443-fe0e3eac95cc@debian.org>
In-reply-to: <[🔎] 3ed20884-409a-60cf-fcd8-afabb6339f88@debian.org>
References: <[🔎] 3ed20884-409a-60cf-fcd8-afabb6339f88@debian.org>

Hi Andy

El 26/7/19 a las 21:15, Andy Simpkins escribió:
> Hi there
> 
> I believe that I am sending this email to the correct people [0]

I think so :-)

> 
> The DebconfVideo team use storm quite a bit for team management,
> documentation etc.  

Great!

Presently authentication is only available for users
> with accounts on systems outside of Debian's control (i.e. GitHub or
> Google). I consider this unacceptable from a privacy point of view, and
> so use the tedious method of regular email token exchange for the
> purpose of login.

I'm not sure about the technical details, but I only use the email
authenticated method and I think a cookie or some browser setting can be
set so you don't need to ask for the token every time.

In any case I understand that can be tedious experience.

> 
> I understand that sandstorm 'can' use our LDAP for the purposes of user
> authentication thus avoiding users being tracked outside of Debian
> infrastructure [1].
> 
> Is this something that you would consider enabling?  I would hope this
> would be simpler than implementing Debian SSO which may be more
> complicated but perhaps more desirable.
> 

With my admin privileges in Sandstorm, in its own admin interface, I can
see the following options:

https://storm.debian.net/admin/organization

Sandstorm allows you to define an organization. You can automatically
apply some settings to all members of your organization. Users within
the organization will automatically be able to log in, install apps, and
create grains.

Organization membership

[ ] Users authenticated via email address
Domain: ____________
Users with an email address at this domain will be members of this
server's organization.

[ ] Users authenticated via Google Apps for Work
Domain: __________
Users with a Google Apps for Work account under this domain will be
members of this server's organization.

[ ] Users authenticated via LDAP
Note: disabled because LDAP login is not configured.

[ ] Users authenticated via SAML
Note: disabled because SAML login is not configured.

>From the above, I've just ticked the "[X] Users authenticated via email
address" and added "debian.org" as domain.

Can you try if it makes a difference in your experience of login in?

and

Would that be enough or would you need people with no @debian.org
address to access too?

About LDAP, I guess Asheesh knows better about that than me (both in the
Sandstorm and in the Debian side) so I didn't dare yet to go and try to
configure the service in Sandstorm (and if it needs some setting in the
machine, I have no permissions there, I just tweak the web interace),
but for the case Asheesh cannot find the time to look at this, I will
try to read the documentation and figure out what can I do (but not
before debconf19 ends, probably...).

Cheers

-- 
Laura Arjona Reina
https://wiki.debian.org/LauraArjona

Reply to:

Follow-Ups:
- Re: Sandstorm authentication
  - From: Andy Simpkins <rattusrattus@debian.org>

References:
- Sandstorm authentication
  - From: Andy Simpkins <rattusrattus@debian.org>

Prev by Date: Sandstorm authentication
Next by Date: Re: Sandstorm authentication
Previous by thread: Sandstorm authentication
Next by thread: Re: Sandstorm authentication
Index(es):
- Date
- Thread