On Sun, Aug 10, 2014 at 12:41 PM, Philipp Kaluza <[email protected]> wrote: > Hi Robinson, Jean, Alexander, and everybody else interested in SSO,
:-) > I'd hate to have a huge discussion about the pro's and cons of each > here; I think we'll need to decide based on available volunteer experience. Available experience is helpful, but I think we shouldn't dismiss something new if we think that it's the best path forward. > Connecting services to the directory is a pain in each individual > instance, so I'd like to see a list of services that actually should use > this shared user database. > I'll start: > - libo machines' admin users > - redmine [2] > (shouldn't be much harder than trac, which I've done) AskLibreOffice, Gerrit, and Redmine all use/support OpenID right now. Additional services that should/could use shared user database: MozTrap Silverstripe (?) Conference site Conference registration (if separate) ownCloud TDF Wiki Mailing list subscriptions/prefs?? (right now there's no user-interface GUI at all) > > The report in [2] also talks about bugzilla, which I think will be a > major pain in either case, so I'm not listing it here as realistic. > > [2] https://redmine.documentfoundation.org/issues/308 Bugzilla would be a huge win for us, especially as it's one of our primary mechanisms for interaction w/users. It would also allow us to do some nifty things between Bugzilla/AskLbireOffice in the future. > On the topic of SSO via OpenID, I'd like to point to a similar > discussion happening in Gnome currently. [3] [4] > > [3] https://www.dragonsreach.it/2014/08/05/back-from-guadec-2014/ > [4] http://patrick.uiterwijk.org/2014/07/28/gnome-authentication/ > [5] https://id.gnome.org/ Wow! That's sounding pretty awesome, especially the integration with Bugzilla and ownCloud, as we use those services as well. Good thing that we're friends with the Gnome folks...maybe we can invite them for a chat :-) > If we go for web-based SSO, I like the interface that canonical is > running (login.ubuntu.com / login.launchpad.net) - two seperate login > pages using the same credentials database, which is a horrible hack for > legacy reasons. But the interface seems well-integrated, and I can ask > my browser to keep cookies from a single site. Yeah, don't get me started on what happened with Launchpad/Ubuntu One/whatever. Lesson learned: Make sure that your users know what's changing and how before you re-brand or change systems around. > On the backend side: most of these "let's deploy a web-SSO" solutions > run on a relational database in the backend, which I'm not too keen on > for security reasons. The admins would need to make sure there's a > dedicated, well-secured database server. If anybody knows one that can > use LDAP as a credentials store, please point it out. What would be the alternative for storing data on the backend? > still quoting Jean: >> with the ultimate aim to reduce the >> burden which comes from having an additional user account (needing to >> remember credentials, etc.). > I'd explicitly name reducing administrator / moderator burden as well. > If this creates more work, we'll not establish a solution that will be > maintained and used long-term. Yes, simplifying burden for admins/mods is another big piece of the puzzle. To speak directly to both Jean's point and Philipp's point, many of the inquiries we receive regarding AskLibreOffice are related to login problems and/or a desire not to have to trust a 3rd party for an OpenID server. If we run our own identiy server and provide centralized, documented instructions on how to log-in, I think we'd greatly improve the user and moderator experience with multiple pieces of our infra. Best, --R -- Robinson Tryon LibreOffice Community Outreach Herald Senior QA Bug Wrangler The Document Foundation [email protected] -- To unsubscribe e-mail to: [email protected] Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette List archive: http://listarchives.libreoffice.org/global/website/ All messages sent to this list will be publicly archived and cannot be deleted
