----- Original Message -----
> From: "Steve Martinelli" <[email protected]>
> To: "OpenStack Development Mailing List (not for usage questions)" 
> <[email protected]>
> Sent: Wednesday, August 5, 2015 3:59:34 AM
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
> 
> 
> 
> Right, but that API is/should be protected. If we want to list IdPs *before*
> authenticating a user, we either need: 1) a new API for listing public IdPs
> or 2) a new policy that doesn't protect that API.
> 
> Thanks,

Is there a real requirement here for this to be a dynamic listing as opposed to 
something that can be edited from the horizon local_settings? There are obvious 
use cases for both situations where you want this to be dynamic or you very 
carefully want to protect which IdPs are available to log in with and from that 
perspective it would be a very unusual API for keystone to have. 

My understanding of the current websso design where we always logged in via 
/v3/OS-FEDERATION/auth/websso/{protocol} was so that you would run a discovery 
page on that address that allowed you to customize which IdPs you exposed 
outside of keystone. Personally I don't like this, which is what I wrote this 
spec[1] for. However my intention there would have been to manually specify 
in the local_settings what IdPs were available and reuse the current horizon 
WebSSO drop down box.

Jamie 


[1] https://review.openstack.org/#/c/199339/  


> Steve Martinelli
> OpenStack Keystone Core
> 
> From: Lance Bragstad <[email protected]>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <[email protected]>
> Date: 2015/08/04 01:49 PM
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
> 
> On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish < [email protected] > wrote:
> 
> > Hi David, This is a cool looking UI. I've made a minor comment on it in
> > InVision. I'm curious if this is an implementable idea - does keystone
> > support large numbers of 3rd party idps? Is there an API to retrieve the
> > list of idps or does this require carefully coordinated configuration
> > between Horizon and Keystone so they both recognize the same list of idps?
> 
> There is an API call for getting a list of Identity Providers from Keystone
> 
> http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers
> 
> 
> 
> > Doug Fish
> >
> > David Chadwick < [email protected] > wrote on 08/01/2015 06:01:48 AM:
> >
> > > From: David Chadwick < [email protected] >
> > > To: OpenStack Development Mailing List < [email protected] >
> > > Date: 08/01/2015 06:05 AM
> > > Subject: [openstack-dev] [Keystone] [Horizon] Federated Login
> > >
> > > Hi Everyone
> > >
> > > I have a student building a GUI for federated login with Horizon. The
> > > interface supports both a drop down list of configured IDPs, and also
> > > Type Ahead for massive federations with hundreds of IdPs. Screenshots
> > > are visible in InVision here
> > >
> > > https://invis.io/HQ3QN2123
> > >
> > > All comments on the design are appreciated. You can make them directly
> > > to the screens via InVision
> > >
> > > Regards
> > >
> > > David
> > >
> > > __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: [email protected]?subject:unsubscribe
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
