Ryan Lane <[email protected]> writes:

> Making a provider is relatively simple and is a great way of providing SSO
> for a set of applications you maintain. There's a number of good provider
> implementations around. A good way of handling OpenID for our applications
> would be to make all of the applications use our OpenID provider as a
> central forced provider, then to work on making the provider allow other
> forms of authentication, like persona, or possibly OpenID as a consumer if
> a usable interface can be made.

I like this idea. We have a number of applications which all support OpenID, and we are using that now, successfully, in an SSO style (where we force authn via the Launchpad OpenID provider). So this changes very little about how most of our sites perform authentication.

By using OpenID as a federation protocol among OpenStack related sites, and running an OpenID provider to support that, we can incrementally change our single-sign-on system. The OpenID provider can evolve to support authentication via Persona and be an OpenID consumer itself (in addition to local password storage). We can also, in the future, consider supporting other methods of federation (LDAP, oauth, etc) out from the provider.

Basically, it's flexible, works with all our current systems, and lets us change things incrementally.

-Jim

_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
