Re: Salsa as authentication provider for Debian
On 07/04/2020 at 13:50, Enrico Zini wrote:
> On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
>
>> Summary of the proposal:
>> * all users managed by SSO; self-registration authorized with "-guest"
>> in a distinct LDAP branch
>> * GitLab becomes a slave of SSO using SAML (or OIDC)
>> * other applications are protected by handlers/GateKeepers. If LLNG is
>> chosen, just add a few lines to the Nginx configuration
>> * new applications can be protected using handlers, SAML, CAS, OIDC,...
>>
>> <as usual, sorry for my poor English>
>
> I greatly appreciate yours and Luca's and Michael's proposals, and
> offers of help.
Thanks!
> I would like to avoid stalling progress on sso on things like analysis
> paralysis, or like sorting out deployment details, as happened in the
> last years.
>
> I'll ask you the same question I asked Luca: is there something in the
> Salsa proposal that would prevent further experimentation with LLNG and
> eventually possibly integrating it into the ecosystem, or migrating to
> it?
No, just to migrate accounts
> If not, then we could start with that, which requires no deployment of
> new software, and on which we can make progress immediately, and buy
> time for everyone to work out the perfect solution, meanwhile moving on
> from an unsustainable status quo.
>
> As a side effect of an interim on Salsa, services can begin to migrate
> from client certificates to OIDC, switching to a more widely used,
> usable, and flexible standard, which I wouldn't be surprised if it would
> make things easier when moving to something else later on.
>
> Enrico
Little add-on: LLNG has a GPG auth plugin. This can be useful to
self-reinitialize lost passwords, to unlock accounts if the password
policy blocks them, and/or to register new DDs.