<div dir="ltr">SSO (Single sign-on) is great. There are some problems, though:<br><div><br></div><div>1) If the cloud is private without Internet access, then a private SSO service should be up and runnning</div><div>2) There is no such a thing as OpenStack ID. Should we use Launchpad? Facebook login? Twitter?</div><div>3) Technical difficulties embedding SSO into website.</div><div><br></div><div>As SSO service is often located on the different domain, the browser opens a new window, then open the SSO page there, then redirects to "our" page that uses some cross domain messageing like postMessage to inform main page of login results. The main page closes the popup. The stuff is rather complex, Facebook and other social nets have SDKs that do all the stufff.</div><div><br></div><div>That's certainly not an easy task to make an SSO service, implement SSO SDK and embed in into Horizon. </div><div><br></div><div>Anton</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 6, 2015 at 11:03 PM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-GB" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">From the sound of things, we’re not actually talking about SSO. If so, we would not be talking about the design of a login screen.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">An SSO application such as Horizon would not have a login page. If the user was logged in already through corporate/organisation SSO
page, nothing would appear before the standard Horizon page.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">We strongly encourage our user community that if there is any web page asking for your credentials which is not the CERN standard SSO
page, it is not authorised. Our SSO also supports Google/Twitter/Eduroam etc. logins. Some of these will be refused for OpenStack login so that having a twitter account alone does not get you access to CERN’s cloud resources (but this is an authorisation rather
than authentication problem).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Is there really the use case for a site where there is SSO from a corporate perspective but there is not a federated login SSO capability
? I don’t have a fundamental problem with the approach but we should position it with respect to the use case which is that I login in the morning and all applications I use (cloud and all) are able to recognise that.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Tim<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> Adam Young [mailto:<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>]
<br>
<b>Sent:</b> 06 February 2015 19:48<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> Re: [openstack-dev] [horizon][keystone]<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On 02/04/2015 03:54 PM, Thai Q Tran wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif">Hi all,<br>
<br>
I have been helping with the websso effort and wanted to get some feedback.<br>
Basically, users are presented with a login screen where they can select: credentials, default protocol, or discovery service.<br>
If user selects credentials, it works exactly the same way it works today.<br>
If user selects default protocol or discovery service, they can choose to be redirected to those pages.<br>
<br>
Keep in mind that this is a prototype, early feedback will be good.<br>
Here are the relevant patches:<br>
<a href="https://review.openstack.org/#/c/136177/" target="_blank">https://review.openstack.org/#/c/136177/</a><br>
<a href="https://review.openstack.org/#/c/136178/" target="_blank">https://review.openstack.org/#/c/136178/</a><br>
<a href="https://review.openstack.org/#/c/151842/" target="_blank">https://review.openstack.org/#/c/151842/</a><br>
<br>
I have attached the files and present them below:</span><u></u><u></u></p>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
Replace the dropdown with a specific link for each protocol type:<br>
<br>
SAML and OpenID are the only real contenders at the moment, but we will not likely have so many that it will clutter up the page.<br>
<br>
Thanks for doing this.<br>
<br>
<u></u><u></u></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif"><br>
<img border="0" width="401" height="559" src="cid:image001.png@01D04247.35BD8B30"><img border="0" width="403" height="559" src="cid:image002.png@01D04247.35BD8B30"><img border="0" width="403" height="415" src="cid:image003.png@01D04247.35BD8B30"><img border="0" width="399" height="413" src="cid:image004.png@01D04247.35BD8B30"><br>
<br>
<br>
</span><br>
<br>
<br>
<u></u><u></u></p>
<pre>__________________________________________________________________________<u></u><u></u></pre>
<pre>OpenStack Development Mailing List (not for usage questions)<u></u><u></u></pre>
<pre>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><u></u><u></u></pre>
<pre><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></pre>
</blockquote>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>