On 07/04/2020 at 13:50, Enrico Zini wrote:
> On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
>
>> Resume of proposition:
>> * all users managed by SSO; self-registration authorized with "-guest"
>> in a distinct LDAP branch
>> * GitLab becomes a slave of SSO using SAML (or OIDC)
>> * other applications are protected by handlers/GateKeepers. If LLNG is
>> chosen, just to add few lines in Nginx configuration
>> * new applications can be protected using handlers, SAML, CAS, OIDC,...
>>
>> <as usual, sorry for my poor English>
>
> I greatly appreciate yours and Luca's and Michael's proposals, and
> offers of help.

Thanks!

> I would like to avoid stalling progress on sso on things like analysis
> paralysis, or like sorting out deployment details, as happened in the
> last years.
>
> I'll ask you the same question I asked Luca: is there something in the
> Salsa proposal that would prevent further experimentation with LLNG and
> eventually possibly integrating it into the ecosystem, or migrating to
> it?

No, just to migrate accounts.

> If not, then we could start with that, which requires no deployment of
> new software, and on which we can make progress immediately, and buy
> time for everyone to work out the perfect solution, meanwhile moving on
> from an unsustainable status quo.
>
> As a side effect of an interim on Salsa, services can begin to migrate
> from client certificates to OIDC, switching to a mode widely used,
> usable, and flexible standard, which I wouldn't be surprised if it would
> make things easier when moving to something else later on.
>
> Enrico

Little add-on: LLNG has a GPG auth plugin; this can be useful to self-reinitialize lost passwords or unlock accounts if the password policy blocks them, and/or to register new DDs.