On Fri, Apr 26, 2013 at 11:10:33 -0700, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
On Thu, Apr 25, 2013 at 11:31 AM, Kevin Fenzi <kevin@xxxxxxxxx> wrote: Yeah, with emphasis on the once other things have moved over, I could probably agree with this. There are some bumpy spots though -- for instance, what happens when an app doesn't have openid support. We also need to be aware that this can be an invasive request. If an application needs to have authz (groups or permissions) then we may not be able to get away with simple openid authn in the application and may need to code our own thing to handle that. We also need to have a certain number of other deployments done to feel confident that openid-for-our-own-apps isn't going to hit any unexpected difficulties. Lack or certain information from fas, inability of openid to scale, insecurities, etc.
If we used SAML, the IdP can provide group membership information which could be used by SPs for authz.
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
