>>>>> "Russ" == Russ Allbery <r...@debian.org> writes:
Russ> Luca Filipozzi <lfili...@debian.org> writes:
>> On Fri, Apr 10, 2020 at 11:48:22AM -0400, Sam Hartman wrote:
>>> * Note that if you want to you can host accounts in gitlab and
>>> have keycloak act as an OIDC consumer for gitlab. So, if you
>>> decide you like Gitlab as an IDP but find you need Keycloak's
>>> transformations, you can have people login to Keycloak using
>>> their Gitlab accounts.

>> I reiterate my point that an SP being an IdP. I don't view using
>> Debian's Gitlab as an IdP to be a prudent move.

Russ> I don't understand this objection. The relying party and the
Russ> identity provider are certainly different components with
Russ> different functions, but that doesn't imply that they can't be
Russ> combined in the same software suite. There's quite a lot of
Russ> shared code between an SP and an IdP, so in some sense that's
Russ> easier than maintaining them as entirely separate projects.

I echo Russ's thoughts exactly.
Russ and I both have a long history in the SSO world, and I think that
if two people who have history say "we don't see the objection," it's a
good idea to explore your objection in significantly more detail than
simply asserting it.

--Sam