On 24/11/2015 05:07, Sean McArthur wrote:
> +dev-fxacct
> 
> We are working on figuring this out for the company. It's looking like
> the solution for sites that require employee accounts can use Google
> Sign In, and require it to use Okta.

Indeed, IIUC Danny has put together a working demo of this using
Google's OpenID Connect login flow, which bridges to Okta and thus auths
against LDAP for @mozilla.com addresses.

We'll see about putting together a little how-to for other folks to try
out, I hear it was pretty painless to set up.


  Cheers,

    Ryan


> On Mon, Nov 23, 2015, 9:49 AM Peter Bengtsson <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     For the record, we wouldn't interface with Workday at all. Only
>     ldap.mozilla.org <http://ldap.mozilla.org>.
>     (How ldap.mozilla.org <http://ldap.mozilla.org> gets populated is
>     out of context).
> 
>     On Mon, Nov 23, 2015 at 12:18 PM, Schalk Neethling
>     <[email protected] <mailto:[email protected]>>
>     wrote:
> 
>     > As long as it does not do a 'if in workday' pass or else you shall not
>     > pass :)
>     >
>     > Geo contractors are not in Workday.
>     >
>     > On Mon, Nov 23, 2015 at 6:47 PM, Peter Bengtsson
>     <[email protected] <mailto:[email protected]>>
>     > wrote:
>     >
>     >> Suppose you use Persona to auth people to your site. Given that
>     someone
>     >> manages to log in with a @mozilla.com <http://mozilla.com> (or
>     foundation or mozilla-jp)
>     >> they've
>     >> proven they're active staff.
>     >> If they leave the company, most likely their access to your site,
>     under a
>     >> staff email address, should cease. E.g. logging in to Air Mozilla
>     to see
>     >> staff live events. Persona took care of that as each new session got
>     >> checked against the provider (e.g. mozilla.com <http://mozilla.com>).
>     >>
>     >> If we switch to FxA we lose this automatic check that Persona
>     used to do.
>     >> You OAuth sign in a user and set her cookie to last X weeks and
>     she'll be
>     >> signed in for X weeks. How do you kill that session cookie if she no
>     >> longer
>     >> has ability to check email to her @mozilla.com
>     <http://mozilla.com> address?
>     >>
>     >> Is there already an established solution for this?
>     >>
>     >> If not, I'd be up for writing a central solution for talking to our
>     >> ldap.mozilla.org <http://ldap.mozilla.org> (which is a derivative
>     of Workday).
>     >> We can either stand up a service that your server can query or we can
>     >> stand
>     >> up a service that can webhook-post to you.
>     >>
>     >> What do you think?
>     >>
>     >>
>     >> --
>     >> Peter Bengtsson
>     >> Mozilla Web Engineering
>     >> _______________________________________________
>     >> dev-webdev mailing list
>     >> [email protected] <mailto:[email protected]>
>     >> https://lists.mozilla.org/listinfo/dev-webdev
>     >>
>     >
>     >
>     >
>     > --
>     > Kind Regards,
>     > Schalk Neethling
>     > Senior Front-End Engineer
>     > Mozilla ::-::
>     >
> 
> 
> 
>     --
>     Peter Bengtsson
>     Mozilla Web Engineering
> 
> 
> 
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct
> 

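The session problem raised in the quoted thread (a cookie that outlives the staff account behind it), sketched as an added example that is not part of the original messages or of any Mozilla code: a staff session is honoured only while the directory has confirmed the account recently, and a failed lookup denies access. `is_active` is a hypothetical callable standing in for a query to the directory service proposed in the thread, and `RECHECK_SECONDS` is a constructed value.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

STAFF_DOMAINS = ("mozilla.com",)  # staff domain named in the thread; extend as needed
RECHECK_SECONDS = 15 * 60         # constructed value: max age of a cached "active" answer


@dataclass
class Session:
    email: str
    expires_at: float   # cookie lifetime ("X weeks" in the thread)
    verified_at: float  # last time the directory confirmed the account


class DirectoryUnavailable(Exception):
    """Raised by the lookup when the directory cannot answer."""


def session_is_valid(session: Session,
                     is_active: Callable[[str], bool],
                     now: Optional[float] = None) -> bool:
    """Return True only if the session may still be honoured.

    Non-staff addresses pass on cookie lifetime alone; staff addresses must
    also have been confirmed by the directory within RECHECK_SECONDS.
    """
    now = time.time() if now is None else now
    if now >= session.expires_at:
        return False
    domain = session.email.rsplit("@", 1)[-1].lower()
    if domain not in STAFF_DOMAINS:
        return True
    if now - session.verified_at < RECHECK_SECONDS:
        return True                   # recent answer, skip the lookup
    try:
        active = is_active(session.email)
    except DirectoryUnavailable:
        return False                  # fail closed: no answer, no staff access
    if active:
        session.verified_at = now     # refresh the recheck window
    else:
        session.expires_at = now      # revoke: the cookie is dead from here on
    return active
```

The recheck interval bounds how long a departed account keeps access, so it trades directory load against revocation delay.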