>>>>> "Xavier" == Xavier <y...@debian.org> writes:
Xavier> On 07/04/2020 at 17:20, Paul Wise wrote:
>> On Mon, Apr 6, 2020 at 3:58 PM Bastian Blank wrote:
>>
>>> ## High-level plan
>>
>> I'd like to learn a bit about what the effects for Debian account
>> holders and service admins will be.
>>
>>> - Salsa becomes primary source of user info and authentication
>>> for secondary services via OpenID Connect (OAuth2), for both DDs
>>> and non-DDs, replacing sso.debian.org.
>>
>> It sounds like the answer is no, but does Salsa, Keycloak or
>> LemonLDAP::NG support TLS client certs?

Xavier> LLNG and Keycloak support TLS authentication, 2FA,... See
Xavier> https://lemonldap-ng.org/documentation/latest/start#authentication_users_and_password_databases
Xavier> for a complete list of LLNG supported authentication
Xavier> mechanisms

I authenticate using TLS to the SSO server.
But then I use HTTP redirects or JSON tokens to authenticate to the
protected app, right?
llng does not end up being a short-lived CA like the current sso.debian.org