On 02/19/2015 11:29 AM, Martin Kosek wrote:
On 02/19/2015 05:23 PM, Dmitri Pal wrote:
On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
Except where we don't want single sign on, and separate passwords are
advantageous or even required:

   - Web logins
Could you elaborate on the use cases when you'd want your users to log
in using their passwords on a Web login, instead of using SSO, be it
Kerberos or SAML? Is that purely the application not supporting it
or are there some other reasons (you say "we don't want single sign
on" which sounds like a political or compliance issue, not technical

IMO the case is:
I have a phone and a tablet and a laptop.
I do not want to use one password for all three.
On the phone and tablet people save their passwords so I do not want to have
same password cached on all devices. I want to have a password per device.

IMO the way to go is certs rather than passwords.
Certs would certainly help in this case. However, the UX would need to be
really good in order to beat saved password in GMail style, IMO.

I imagine Ipsilon based SSO when Ipsilon can make a decision which assertions to issue depending on the cert you have.

We are not there yet but with upcoming changes we will get much closer.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to