[opensuse-web] openSUSE SSO Background
Hello All,

As we work through some of the growing pains of moving openSUSE.org onto a new SSO (single sign-on) system, I feel it would be a good idea to give some background and technical information as to why we are doing this and what the community should expect.

Until yesterday, the openSUSE landing page, blogs, and wikis were running on a product called iChain. iChain is an appliance that acts as an accelerating (caching) proxy that can perform SSO, authorization, and identity injection for applications. While iChain does its job very well, it was discontinued a number of years ago, and we are running into a number of problems with trying to keep it in service. One is that it will not run on any new hardware, and the hardware that it is running on is very old. Another is that it will not work with newer certificates and browsers running newer versions of TLS. Those of you who have tried to visit openSUSE sites with iOS 5 have probably noticed this already.

Because of these issues, we are working on a project to move all iChain sites to Novell Access Manager. Novell Access Manager is the successor to iChain. While it is slightly more buggy than iChain, it has a lot of additional features, and is an actively developed and supported product. Recent builds have also been much more stable and issue-free. It works on a different principle than iChain in that it is based on a federation model. This makes SSO across domains and organizations much easier. For example, openSUSE.org is now single sign-on with novell.com and suse.com. We can also do SAML 2 federation with other sites, if that ever becomes necessary.

While we are working on moving the rest of the Novell-related sites to Access Manager, we are running in what we call "migration mode". In this setup, iChain continues to handle the authentication for itself and Novell Access Manager. This allows us to retain single sign-on between the two systems as we migrate. As some of you have noticed, a side effect of this is that the openSUSE sites now log in via a Novell-branded login page. When the rest of the sites have been moved off of iChain, we will be able to change back to an openSUSE-branded login. This will probably take some time, but we will get there.

Since the openSUSE blogs, wikis, and forums were running on a single iChain server that is out of warranty and irreplaceable, they were among the first sites to be moved to Access Manager. While this provides some benefits, it may also provide some headaches as we identify and resolve issues. Thanks for your patience as we continue to work through these problems.

-Matt

participants (1): Matthew Ehle