Luca Filipozzi <lfili...@debian.org> writes: > On Fri, Apr 10, 2020 at 11:48:22AM -0400, Sam Hartman wrote:
>> * Note that if you want to you can host accounts in gitlab and have >> keycloak act as an OIDC consumer for gitlab. So, if you decide you >> like Gitlab as an IDP but find you need Keycloak's transformations, >> you can have people login to Keycloak using their Gitlab accounts. > I reiterate my point that an SP being an IdP. I don't view using > Debian's Gitlab as an IdP to be a prudent move. I don't understand this objection. The relying party and the identity provider are certainly different components with different functions, but that doesn't imply that they can't be combined in the same software suite. There's quite a lot of shared code between an SP and an IdP, so in some sense that's easier than maintaining them as entirely separate projects. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
