There's a demo of the current progress here: https://123done-dcoates.dev.lcip.org with code here: https://github.com/dannycoates/123done/tree/google-auth
On Mon, Nov 23, 2015 at 1:59 PM, Ryan Kelly <[email protected]> wrote:
> On 24/11/2015 05:07, Sean McArthur wrote:
>> +dev-fxacct
>>
>> We are working on figuring this out for the company. It's looking like
>> the solution for sites that require employee accounts can use Google
>> Sign In, and require it to use okta.
>
> Indeed, IIUC Danny has put together a working demo of this using
> Google's OpenID Connect login flow, which bridges to Okta and thus auths
> against LDAP for @mozilla.com addresses.
>
> We'll see about putting together a little how-to for other folks to try
> out, I hear it was pretty painless to set up.
>
>
> Cheers,
>
> Ryan
>
>
>> On Mon, Nov 23, 2015, 9:49 AM Peter Bengtsson <[email protected]> wrote:
>>
>> For the record, we wouldn't interface with Workday at all. Only
>> ldap.mozilla.org.
>> (How ldap.mozilla.org gets populated is out of context).
>>
>> On Mon, Nov 23, 2015 at 12:18 PM, Schalk Neethling <[email protected]>
>> wrote:
>>
>> > As long as it does not do a 'if in workday' pass or else you shall not
>> > pass :)
>> >
>> > Geo contractors are not in Workday.
>> >
>> > On Mon, Nov 23, 2015 at 6:47 PM, Peter Bengtsson <[email protected]>
>> > wrote:
>> >
>> >> Suppose you use Persona to auth people to your site. Given that someone
>> >> manages to log in with a @mozilla.com (or foundation or mozilla-jp)
>> >> they've proven they're active staff.
>> >> If they leave the company, most likely their access to your site, under a
>> >> staff email address, should cease. E.g. logging in to Air Mozilla to see
>> >> staff live events. Persona took care of that as each new session got
>> >> checked against the provider (e.g. mozilla.com).
>> >>
>> >> If we switch to FxA we lose this automatic check that Persona used to do.
>> >> You OAuth sign in a user and set her cookie to last X weeks and she'll be
>> >> signed in for X weeks. How do you kill that session cookie if she no
>> >> longer has ability to check email to her @mozilla.com address?
>> >>
>> >> Is there already an established solution for this?
>> >>
>> >> If not, I'd be up for writing a central solution for talking to our
>> >> ldap.mozilla.org (which is a derivative of Workday).
>> >> We can either stand up a service that your server can query or we can
>> >> stand up a service that can webhook-post to you.
>> >>
>> >> What do you think?
>> >>
>> >>
>> >> --
>> >> Peter Bengtsson
>> >> Mozilla Web Engineering
>> >> _______________________________________________
>> >> dev-webdev mailing list
>> >> [email protected]
>> >> https://lists.mozilla.org/listinfo/dev-webdev
>> >>
>> >
>> >
>> > --
>> > Kind Regards,
>> > Schalk Neethling
>> > Senior Front-End Engineer
>> > Mozilla ::-::
>> >
>>
>>
>> --
>> Peter Bengtsson
>> Mozilla Web Engineering
>>
>> _______________________________________________
>> Dev-fxacct mailing list
>> [email protected]
>> https://mail.mozilla.org/listinfo/dev-fxacct
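The two options raised in the thread (a directory service the site can query, or one that webhook-posts to the site), as an added JavaScript example; it is not code from the thread or from the 123done demo. `StaffSessions`, `lookupStaff`, the 15-minute recheck interval and the fail-closed choice are assumptions made for illustration.

```javascript
// Added example: bounds how long a session cookie can outlive a staff account.
// lookupStaff(email) is a hypothetical stand-in for a directory query service
// (for instance one backed by LDAP); it resolves to true while the account is active.
const RECHECK_MS = 15 * 60 * 1000; // assumed policy: re-verify every 15 minutes

class StaffSessions {
  constructor(lookupStaff, now = () => Date.now()) {
    this.lookupStaff = lookupStaff;
    this.now = now;
    this.sessions = new Map(); // session id -> { email, checkedAt }
  }

  // Call after a successful OAuth/OIDC sign-in.
  create(id, email) {
    this.sessions.set(id, { email: email.toLowerCase(), checkedAt: this.now() });
  }

  // Pull model: call on every request. The cookie lifetime stops mattering,
  // because a stale session must pass a fresh directory check to stay valid.
  async validate(id) {
    const s = this.sessions.get(id);
    if (!s) return false;
    if (this.now() - s.checkedAt < RECHECK_MS) return true;
    let active = false;
    try {
      active = (await this.lookupStaff(s.email)) === true;
    } catch (err) {
      active = false; // assumed policy: fail closed if the directory is unreachable
    }
    if (!active) {
      this.sessions.delete(id);
      return false;
    }
    s.checkedAt = this.now();
    return true;
  }

  // Push model: call from an authenticated webhook handler when the directory
  // reports a departure. Drops every session for that address immediately.
  revoke(email) {
    const target = email.toLowerCase();
    let removed = 0;
    for (const [id, s] of this.sessions) {
      if (s.email === target) { this.sessions.delete(id); removed++; }
    }
    return removed;
  }
}
```

With the pull model alone, a departed user keeps access for at most `RECHECK_MS`; the webhook path closes that window when the directory can notify the site.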

