<div dir="ltr">Forcing Horizon to duplicate Keystone settings just makes everything much harder to configure and much more fragile. Exposing whitelisted, or all, IdPs makes much more sense.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 5, 2015 at 1:33 PM, Dolph Mathews <span dir="ltr"><<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class=""><div class="gmail_extra">On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli <span dir="ltr"><<a href="mailto:stevemar@ca.ibm.com" target="_blank">stevemar@ca.ibm.com</a>></span> wrote:<br></div></span><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<p><font size="2" face="sans-serif">Some folks said that they'd prefer not to list all associated IdPs, which I can understand.</font></p></div></blockquote></span><div>Why?<br></div><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><p><br>
<br>
<font size="2" face="sans-serif">Actually, I like Jamie's suggestion of just making Horizon a bit smarter, and expecting the values in the Horizon settings (idp+protocol)</font></p></div></blockquote></span><div>But, it's already in Keystone.<br></div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><p><span><br>
<font size="2" face="sans-serif"><br>
Thanks,<br>
<br>
Steve Martinelli<br>
OpenStack Keystone Core</font><br>
<br>
</span><br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Dolph Mathews <<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></font><span><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>></font><br>
</span><font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">2015/08/05 01:38 PM</font><span><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">Re: [openstack-dev] [Keystone] [Horizon] Federated Login</font><br>
</span></p><hr width="100%" size="2" align="left" noshade style="color:#8091a5"><div><div><br>
<br>
<br>
<br>
<font size="3" face="serif">On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank"><font size="3" color="#0000FF" face="serif"><u>d.w.chadwick@kent.ac.uk</u></font></a><font size="3" face="serif">> wrote:</font>
<ul style="padding-left:9pt"><font size="3" face="serif"><br>
<br>
On 04/08/2015 18:59, Steve Martinelli wrote:<br>
> Right, but that API is/should be protected. If we want to list IdPs<br>
> *before* authenticating a user, we either need: 1) a new API for listing<br>
> public IdPs or 2) a new policy that doesn't protect that API.<br>
<br>
Hi Steve<br>
<br>
Yes, this was my understanding of the discussion that took place many<br>
months ago. I had assumed (wrongly) that something had been done about<br>
it, but I guess from your message that we are no further forward on this.<br>
Actually 2) above might be better reworded as - a new policy/engine that<br>
allows public access to be a bona fide policy rule</font></ul>
<br>
<font size="3" face="serif">The existing policy simply seems wrong. Why protect the list of IdPs?</font><br>
<font size="3" face="serif"> </font>
<ul style="padding-left:9pt"><font size="3" face="serif"><br>
regards<br>
<br>
David<br>
<br>
><br>
> Thanks,<br>
><br>
> Steve Martinelli<br>
> OpenStack Keystone Core<br>
><br>
><br>
> From: Lance Bragstad <</font><a href="mailto:lbragstad@gmail.com" target="_blank"><font size="3" color="#0000FF" face="serif"><u>lbragstad@gmail.com</u></font></a><font size="3" face="serif">><br>
> To: "OpenStack Development Mailing List (not for usage questions)"<br>
> <</font><a href="mailto:openstack-dev@lists.openstack.org" target="_blank"><font size="3" color="#0000FF" face="serif"><u>openstack-dev@lists.openstack.org</u></font></a><font size="3" face="serif">><br>
> Date: 2015/08/04 01:49 PM<br>
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login<br>
><br>
> ------------------------------------------------------------------------<br>
><br>
><br>
><br>
><br>
><br>
> On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <_drfish@us.ibm.com_<br>
> <mailto:</font><a href="mailto:drfish@us.ibm.com" target="_blank"><font size="3" color="#0000FF" face="serif"><u>drfish@us.ibm.com</u></font></a><font size="3" face="serif">>> wrote:<br>
><br>
> Hi David,<br>
><br>
> This is a cool looking UI. I've made a minor comment on it in InVision.<br>
><br>
> I'm curious if this is an implementable idea - does keystone support<br>
> large<br>
> numbers of 3rd party idps? Is there an API to retrieve the list of<br>
> idps or<br>
> does this require carefully coordinated configuration between<br>
> Horizon and<br>
> Keystone so they both recognize the same list of idps?<br>
><br>
><br>
> There is an API call for getting a list of Identity Providers from Keystone<br>
><br>
> </font><a href="http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers" target="_blank"><font size="3" color="#0000FF" face="serif"><u>http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers</u></font></a><font size="3" face="serif"><br>
><br>
><br>
><br>
> Doug Fish<br>
><br>
><br>
> David Chadwick <_d.w.chadwick@kent.ac.uk_<br>
> <mailto:</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank"><font size="3" color="#0000FF" face="serif"><u>d.w.chadwick@kent.ac.uk</u></font></a><font size="3" face="serif">>> wrote on 08/01/2015 06:01:48 AM:<br>
><br>
> > From: David Chadwick <_d.w.chadwick@kent.ac.uk_<br>
> <mailto:</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank"><font size="3" color="#0000FF" face="serif"><u>d.w.chadwick@kent.ac.uk</u></font></a><font size="3" face="serif">>><br>
> > To: OpenStack Development Mailing List<br>
> <_openstack-dev@lists.openstack.org_<br>
> <mailto:</font><a href="mailto:openstack-dev@lists.openstack.org" target="_blank"><font size="3" color="#0000FF" face="serif"><u>openstack-dev@lists.openstack.org</u></font></a><font size="3" face="serif">>><br>
> > Date: 08/01/2015 06:05 AM<br>
> > Subject: [openstack-dev] [Keystone] [Horizon] Federated Login<br>
> ><br>
> > Hi Everyone<br>
> ><br>
> > I have a student building a GUI for federated login with Horizon. The<br>
> > interface supports both a drop down list of configured IDPs, and also<br>
> > Type Ahead for massive federations with hundreds of IdPs. Screenshots<br>
> > are visible in InVision here<br>
> ><br>
> > </font><a href="https://invis.io/HQ3QN2123" target="_blank"><font size="3" color="#0000FF" face="serif"><u>https://invis.io/HQ3QN2123</u></font></a><font size="3" face="serif"><br>
> ><br>
> > All comments on the design are appreciated. You can make them directly<br>
> > to the screens via InVision<br>
> ><br>
> > Regards<br>
> ><br>
> > David<br>
> ><br>
> ><br>
> ><br>
> ><br>
> __________________________________________________________________________<br>
> > OpenStack Development Mailing List (not for usage questions)<br>
> > Unsubscribe:_<br>
> __</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_" target="_blank"><font size="3" color="#0000FF" face="serif"><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_</u></font></a><font size="3" face="serif"><br>
> <</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank"><font size="3" color="#0000FF" face="serif"><u>http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><font size="3" face="serif">><br>
> > _</font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_" target="_blank"><font size="3" color="#0000FF" face="serif"><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_</u></font></a><font size="3" face="serif"><br>
> ><br>
><br>
><br>
</font></ul>
<br>
</div></div><p></p></div>
<br></blockquote></div></div></div><br></div></div>
<br></blockquote></div><br></div>