On Tue, Apr 28, 2020 at 07:48, Adrian Schröter
Hi Stasiek,
On Tuesday, 28 April 2020, 06:44:08 CEST, Stasiek Michalski wrote:
We have deployed:
* FreeIPA, as a backend to all of the other systems internally
* Ipsilon, to provide us with sso capabilities to FreeIPA accounts https://sso.opensuse.org
* Noggin, as a self-service portal, so people can register and modify their FreeIPA accounts https://accounts.opensuse.org (behind VPN for now, just so we don't get any random people signing up)

The solution already works, albeit without the previous accounts, which will be imported once we have received a cut-down dump of user data from SUSE.
Sorry, but we won't use these for OBS and bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
Discussions on OBS's support of any other technologies should happen in https://github.com/openSUSE/open-build-service/issues/9122. We reported this as soon as we started with a realization that OBS will be the only problematic piece of software, since only it doesn't support what is required. This might require further explanation though:

* OSEM is built on OmniAuth, so switching login provider is not a big deal [1]
* openQA uses openSUSE OpenID provider [2]
* Wikis, based on MediaWiki, which has an OIDC plugin for login [3]
* TSP and other devise based apps can use OmniAuth [4] so by extension [1]
* Redmine has an OpenID Connect plugin [5]
* Jenkins uses OpenID already
* CAS bound applications may use mod_auth_* plugins, since they set response headers in a similar fashion, so that should be mostly compatible

As a sidenote to the existing OpenID support, we would like to deprecate the existing endpoint in a year or two, since the fact that it has slashes in resulting ids causes some issues with the existing applications, especially ones using php openid library (that includes paste.opensuse.org). This means the new endpoint will be on sso.opensuse.org and not www.opensuse.org/openid/user anymore. This means a change in internal OpenIDs would be from www.opensuse.org/openid/user/$username to $username.sso.opensuse.org

LCP [Stasiek]
https://lcp.world

[1] https://github.com/m0n9oose/omniauth_openid_connect
[2] https://github.com/os-autoinst/openQA/blob/master/docs/Installing.asciidoc#o...
[3] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
[4] https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview
[5] https://github.com/devopskube/redmine_openid_connect