[openstack-dev] [Keystone] [Horizon] Federated Login

David Chadwick d.w.chadwick at kent.ac.uk
Wed Aug 5 10:54:22 UTC 2015



On 04/08/2015 17:51, Lin Hua Cheng wrote:
> Hi David,
> 
> There was a similar effort in Kilo to design the flow in the login page
> for federated login[1]. WebSSO feature[2] was implemented in Kilo; it
> allows the user to perform federated login by selecting an IdP
> protocol. This has been tested with kerberos and saml2.

This is not a very user-friendly thing to do. Users typically have no
idea what a federation protocol is, and won't know which one to select.
They will however know which organisation (IdP) they are associated with
and can use for federated login. We have been following the best
practice guide available here

https://discovery.refeds.org/guide/

> 
> There is a proposal to extend that feature to show listing per
> IdP/Protocol instead [3], because just listing only by protocol is
> fairly limited.

Our intention is to list by organisation/IdP only and not to mention the
protocol to the user, since it is meaningless to him. Horizon can work
the protocol out itself and use the correct one, without burdening the
user with extra mental effort that will only confuse, frustrate and distress


> 
> I think the Type Ahead can fit it nicely when we implement the support
> for WebSSO by IdP/Protocol.

Agreed, type ahead was introduced after many years of simple listing,
since once federation grew to any appreciable size, the listing became
unusable.

regards

David

> 
> thanks,
> Lin
> 
> [1] https://openstack.invisionapp.com/d/main#/projects/2784587
> [2] http://docs.openstack.org/developer/keystone/extensions/websso.html
> [3] https://review.openstack.org/#/c/199339/
> 
> 
> On Sat, Aug 1, 2015 at 4:01 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:
> 
>     Hi Everyone
> 
>     I have a student building a GUI for federated login with Horizon. The
>     interface supports both a drop-down list of configured IdPs, and also
>     Type Ahead for massive federations with hundreds of IdPs. Screenshots
>     are visible in InVision here
> 
>     https://invis.io/HQ3QN2123
> 
>     All comments on the design are appreciated. You can make them directly
>     to the screens via InVision
> 
>     Regards
> 
>     David
> 
> 
> 
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev