<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <span dir="ltr"><<a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank">d.w.chadwick@kent.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 04/08/2015 18:59, Steve Martinelli wrote:<br>
> Right, but that API is/should be protected. If we want to list IdPs<br>
> *before* authenticating a user, we either need: 1) a new API for listing<br>
> public IdPs or 2) a new policy that doesn't protect that API.<br>
<br>
</span>Hi Steve<br>
<br>
Yes, this was my understanding of the discussion that took place many<br>
months ago. I had assumed (wrongly) that something had been done about<br>
it, but I guess from your message that we are no further forward on this.<br>
Actually, 2) above might be better reworded as - a new policy/engine that<br>
allows public access to be a bona fide policy rule<br></blockquote><div><br></div><div>The existing policy simply seems wrong. Why protect the list of IdPs?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
regards<br>
<br>
David<br>
<span class=""><br>
><br>
> Thanks,<br>
><br>
> Steve Martinelli<br>
> OpenStack Keystone Core<br>
><br>
><br>
> From: Lance Bragstad <<a href="mailto:lbragstad@gmail.com">lbragstad@gmail.com</a>><br>
> To: "OpenStack Development Mailing List (not for usage questions)"<br>
> <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
> Date: 2015/08/04 01:49 PM<br>
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login<br>
><br>
</span>> ------------------------------------------------------------------------<br>
<span class="">><br>
><br>
><br>
><br>
><br>
> On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <_drfish@us.ibm.com_<br>
> <mailto:<a href="mailto:drfish@us.ibm.com">drfish@us.ibm.com</a>>> wrote:<br>
><br>
>     Hi David,<br>
><br>
>     This is a cool looking UI. I've made a minor comment on it in InVision.<br>
><br>
>     I'm curious if this is an implementable idea - does keystone support<br>
>     large numbers of 3rd party idps? Is there an API to retrieve the list<br>
>     of idps, or does this require carefully coordinated configuration<br>
>     between Horizon and Keystone so they both recognize the same list of<br>
>     idps?<br>
><br>
><br>
> There is an API call for getting a list of Identity Providers from Keystone<br>
><br>
</span>> _<a href="http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers_" rel="noreferrer" target="_blank">http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers_</a><br>
><br>
><br>
><br>
>     Doug Fish<br>
><br>
><br>
>     David Chadwick <_d.w.chadwick@kent.ac.uk_<br>
>     <mailto:<a href="mailto:d.w.chadwick@kent.ac.uk">d.w.chadwick@kent.ac.uk</a>>> wrote on 08/01/2015 06:01:48 AM:<br>
><br>
>     > From: David Chadwick <_d.w.chadwick@kent.ac.uk_<br>
>     <mailto:<a href="mailto:d.w.chadwick@kent.ac.uk">d.w.chadwick@kent.ac.uk</a>>><br>
<span class="">>     > To: OpenStack Development Mailing List<br>
</span>>     <_openstack-dev@lists.openstack.org_<br>
>     <mailto:<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>>><br>
<span class="">>     > Date: 08/01/2015 06:05 AM<br>
>     > Subject: [openstack-dev]  [Keystone] [Horizon] Federated Login<br>
>     ><br>
>     > Hi Everyone<br>
>     ><br>
>     > I have a student building a GUI for federated login with Horizon. The<br>
>     > interface supports both a drop down list of configured IDPs, and also<br>
>     > Type Ahead for massive federations with hundreds of IdPs. Screenshots<br>
>     > are visible in InVision here<br>
>     ><br>
</span>>     > _<a href="https://invis.io/HQ3QN2123_" rel="noreferrer" target="_blank">https://invis.io/HQ3QN2123_</a><br>
<span class="">>     ><br>
>     > All comments on the design are appreciated. You can make them directly<br>
>     > to the screens via InVision<br>
>     ><br>
>     > Regards<br>
>     ><br>
>     > David<br>
>     ><br>
>     ><br>
>     ><br>
>     ><br>
>     __________________________________________________________________________<br>
>     > OpenStack Development Mailing List (not for usage questions)<br>
</span>>     > Unsubscribe:_<br>
>     __<a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_</a><br>
>     <<a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>><br>
>     > _<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_</a><br>
<span class="">>     ><br>
><br>
><br>
</span>
<div class="HOEnZb"><div class="h5">><br>
</div></div></blockquote></div><br></div></div>