On Thu, 2015-02-19 at 11:32 -0500, Dmitri Pal wrote:
> On 02/19/2015 11:29 AM, Martin Kosek wrote:
> > On 02/19/2015 05:23 PM, Dmitri Pal wrote:
> >> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
> >>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
> >>>> Except where we don't want single sign on, and separate passwords are
> >>>> advantageous or even required:
> >>>>
> >>>> - Web logins
> >>> Could you elaborate on the use cases when you'd want your users to log
> >>> in using their passwords on a Web login, instead of using SSO, be it
> >>> Kerberos or SAML? Is that purely the application not supporting it
> >>> or are there some other reasons (you say "we don't want single sign
> >>> on" which sounds like a political or compliance issue, not technical
> >>> one).
> >>>
> >> IMO the case is:
> >> I have a phone and a tablet and a laptop.
> >> I do not want to use one password for all three.
> >> On the phone and tablet people save their passwords so I do not want to have
> >> same password cached on all devices. I want to have a password per device.
> >>
> >> IMO the way to go is certs rather than passwords.
> > Certs would certainly help in this case. However, the UX would need to be
> > really good in order to beat saved password in GMail style, IMO.
>
> I imagine Ipsilon based SSO when Ipsilon can make a decision which
> assertions to issue depending on the cert you have.

A lot of apps can't do certs.
I mentioned to someone (Nathan, did I talk with you?) a few weeks ago
during DevConf.cz an idea I have to actually build application passwords
(and more) support.
I will try to come up with a design page as soon as I get a moment to
put down my thoughts coherently.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project