<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" >I agree with Lance. Quite honestly, the list of IdPs does not belong in Horizon's settings. Just throwing out some ideas: why not white-list the IdPs you want public in Keystone's settings, and have an API call for that?</div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr" >----- Original message -----<br>From: Lance Bragstad <lbragstad@gmail.com><br>To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org><br>Cc:<br>Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login<br>Date: Wed, Aug 5, 2015 11:19 AM<br> 
<div dir="ltr" > 
<div> 
<div>On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli <span dir="ltr" ><<a href="mailto:stevemar@ca.ibm.com" target="_blank" >stevemar@ca.ibm.com</a>></span> wrote:

<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" ><div><p><font face="sans-serif" size="2" >Some folks said that they'd prefer not to list all associated idps, which i can understand.</font><br><br><font face="sans-serif" size="2" >Actually, I like jamie's suggestion of just making horizon a bit smarter, and expecting the values in the horizon settings (idp+protocol)</font></p></div></blockquote>
<div> </div>
<div>This *might* lead to a more complicated user experience, unless we deduce the protocol for the IdP selected (but that would defeat the point?). Also, wouldn't we have to make changes to Horizon every time we add an IdP? This might be case by case, but if you're consistently adding Identity Providers, then your ops team might not be too happy reconfiguring Horizon all the time. </div>
<div> </div>
<blockquote style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" ><div><p><br><br><span><font face="sans-serif" size="2" >Thanks,<br><br>Steve Martinelli<br>OpenStack Keystone Core</font></span><br><br><font color="#5F5F5F" face="sans-serif" size="1" >From: </font><font face="sans-serif" size="1" >Dolph Mathews <<a href="mailto:dolph.mathews@gmail.com" target="_blank" >dolph.mathews@gmail.com</a>></font><br><span><font color="#5F5F5F" face="sans-serif" size="1" >To: </font><font face="sans-serif" size="1" >"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank" >openstack-dev@lists.openstack.org</a>></font></span><br><font color="#5F5F5F" face="sans-serif" size="1" >Date: </font><font face="sans-serif" size="1" >2015/08/05 01:38 PM</font><br><span><font color="#5F5F5F" face="sans-serif" size="1" >Subject: </font><font face="sans-serif" size="1" >Re: [openstack-dev] [Keystone] [Horizon] Federated Login</font></span></p>
<hr align="left" size="2" style="color:#8091a5" width="100%" ><div><div><br><br><br><br><font face="serif" size="3" >On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>d.w.chadwick@kent.ac.uk</u></font></a><font face="serif" size="3" >> wrote:</font>
<ul style="padding-left: 9pt; list-style-type: none;" ><br>        <br>        <br>         
        <li><font face="serif" size="3" >On 04/08/2015 18:59, Steve Martinelli wrote:<br>        > Right, but that API is/should be protected. If we want to list IdPs<br>        > *before* authenticating a user, we either need: 1) a new API for listing<br>        > public IdPs or 2) a new policy that doesn't protect that API.<br>        <br>        Hi Steve<br>        <br>        yes this was my understanding of the discussion that took place many<br>        months ago. I had assumed (wrongly) that something had been done about<br>        it, but I guess from your message that we are no further forward on this<br>        Actually 2) above might be better reworded as - a new policy/engine that<br>        allows public access to be a bona fide policy rule</font></li></ul><br><font face="serif" size="3" >The existing policy simply seems wrong. Why protect the list of IdPs?</font><br><font face="serif" size="3" > </font>
<ul style="padding-left: 9pt; list-style-type: none;" ><br>        <li><font face="serif" size="3" >regards<br>        <br>        David<br>        <br>        ><br>        > Thanks,<br>        ><br>        > Steve Martinelli<br>        > OpenStack Keystone Core<br>        ><br>        > Inactive hide details for Lance Bragstad ---2015/08/04 01:49:29 PM---On<br>        > Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <drfish@us.iLance Bragstad<br>        > ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 AM, Douglas<br>        > Fish <</font><a href="mailto:drfish@us.ibm.com" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>drfish@us.ibm.com</u></font></a><font face="serif" size="3" >> wrote: > Hi David,<br>        ><br>        > From: Lance Bragstad <</font><a href="mailto:lbragstad@gmail.com" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>lbragstad@gmail.com</u></font></a><font face="serif" size="3" >><br>        > To: "OpenStack Development Mailing List (not for usage questions)"<br>        > <</font><a href="mailto:openstack-dev@lists.openstack.org" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>openstack-dev@lists.openstack.org</u></font></a><font face="serif" size="3" >><br>        > Date: 2015/08/04 01:49 PM<br>        > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login<br>        ><br>        > ------------------------------------------------------------------------<br>        ><br>        ><br>        ><br>        ><br>        ><br>        > On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <_drfish@us.ibm.com_<br>        > <mailto:</font><a href="mailto:drfish@us.ibm.com" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>drfish@us.ibm.com</u></font></a><font face="serif" size="3" >>> wrote:<br>        ><br>        >     Hi David,<br>        ><br>        >     This is a cool looking UI. 
I've made a minor comment on it in InVision.<br>        ><br>        >     I'm curious if this is an implementable idea - does keystone support<br>        >     large<br>        >     numbers of 3rd party idps? is there an API to retreive the list of<br>        >     idps or<br>        >     does this require carefully coordinated configuration between<br>        >     Horizon and<br>        >     Keystone so they both recognize the same list of idps?<br>        ><br>        ><br>        > There is an API call for getting a list of Identity Providers from Keystone<br>        ><br>        > _</font><a href="http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers_" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers_</u></font></a><br>        <font face="serif" size="3" >><br>        ><br>        ><br>        >     Doug Fish<br>        ><br>        ><br>        >     David Chadwick <_d.w.chadwick@kent.ac.uk_<br>        >     <mailto:</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>d.w.chadwick@kent.ac.uk</u></font></a><font face="serif" size="3" >>> wrote on 08/01/2015 06:01:48 AM:<br>        ><br>        >     > From: David Chadwick <_d.w.chadwick@kent.ac.uk_<br>        >     <mailto:</font><a href="mailto:d.w.chadwick@kent.ac.uk" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>d.w.chadwick@kent.ac.uk</u></font></a><font face="serif" size="3" >>><br>        >     > To: OpenStack Development Mailing List<br>        >     <_openstack-dev@lists.openstack.org_<br>        >     <mailto:</font><a href="mailto:openstack-dev@lists.openstack.org" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>openstack-dev@lists.openstack.org</u></font></a><font face="serif" size="3" >>><br>       
 >     > Date: 08/01/2015 06:05 AM<br>        >     > Subject: [openstack-dev]  [Keystone] [Horizon] Federated Login<br>        >     ><br>        >     > Hi Everyone<br>        >     ><br>        >     > I have a student building a GUI for federated login with Horizon. The<br>        >     > interface supports both a drop down list of configured IDPs, and also<br>        >     > Type Ahead for massive federations with hundreds of IdPs. Screenshots<br>        >     > are visible in InVision here<br>        >     ><br>        >     > _</font><a href="https://invis.io/HQ3QN2123_" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>https://invis.io/HQ3QN2123_</u></font></a><br>        <font face="serif" size="3" >>     ><br>        >     > All comments on the design are appreciated. You can make them directly<br>        >     > to the screens via InVision<br>        >     ><br>        >     > Regards<br>        >     ><br>        >     > David<br>        >     ><br>        >     ><br>        >     ><br>        >     ><br>        >     __________________________________________________________________________<br>        >     > OpenStack Development Mailing List (not for usage questions)<br>        >     > Unsubscribe:_<br>        >     __</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_</u></font></a><br>        <font face="serif" size="3" >>     <</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><font face="serif" size="3" >><br>        >     > _</font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_" target="_blank" ><font color="#0000FF" face="serif" size="3" 
><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_</u></font></a><br>        <font face="serif" size="3" >>     ><br>        ><br>        ><br>        >     __________________________________________________________________________<br>        >     OpenStack Development Mailing List (not for usage questions)<br>        >     Unsubscribe:<br>        >     _</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe_</u></font></a><br>        <font face="serif" size="3" >>     <</font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><font face="serif" size="3" >>_<br>        >     __</font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_</u></font></a><br>        <font face="serif" size="3" >><br>        > __________________________________________________________________________<br>        > OpenStack Development Mailing List (not for usage questions)<br>        > Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><br>        <font face="serif" size="3" >> </font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</u></font></a><br>        <font face="serif" size="3" >><br>        ><br>        ><br>        ><br>        > 
__________________________________________________________________________<br>        > OpenStack Development Mailing List (not for usage questions)<br>        > Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><br>        <font face="serif" size="3" >> </font><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</u></font></a><br>        <font face="serif" size="3" >><br>        <br>        __________________________________________________________________________<br>        OpenStack Development Mailing List (not for usage questions)<br>        Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</u></font></a><br>        <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank" ><font color="#0000FF" face="serif" size="3" ><u>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</u></font></a></li></ul><tt><font face="" size="3" >__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank" >OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a></font></tt><br><tt><font face="" size="3" ><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank" >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></font></tt><br><br> </div></div>
<p> </p></div><br> </blockquote></div></div></div>
</blockquote>
<div dir="ltr" > </div></div>
<BR>