On Fri, Apr 26, 2013 at 11:10:33 -0700,
Toshio Kuratomi <a.badger(a)gmail.com> wrote:
On Thu, Apr 25, 2013 at 11:31 AM, Kevin Fenzi <kevin(a)scrye.com> wrote:
Yeah, with emphasis on the once other things have moved over, I could
probably agree with this. There are some bumpy spots though -- for
instance, what happens when an app doesn't have openid support. We also
need to be aware that this can be an invasive request. If an application
needs to have authz (groups or permissions) then we may not be able to get
away with simple openid authn in the application and may need to code our
own thing to handle that. We also need to have a certain number of other
deployments done to feel confident that openid-for-our-own-apps isn't going
to hit any unexpected difficulties. Lack of certain information from fas,
inability of openid to scale, insecurities, etc.
If we used SAML, the IdP can provide group membership information which could
be used by SPs for authz.
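As an added illustration of the SAML point above (example code, not part of the original thread): an SP reading group membership from the IdP's AttributeStatement and making an authz decision from it. The attribute name `groups`, the SP audience URL and the assertion itself are constructed; signature verification is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "groups"  # assumed attribute name; a real IdP may use another

# Constructed sample assertion. Signature checking and the authn exchange are
# assumed to be handled by the SAML library before this code sees it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-04-26T18:00:00Z" NotOnOrAfter="2013-04-26T19:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>packager</saml:AttributeValue>
      <saml:AttributeValue>sysadmin-web</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_groups(xml_text, expected_audience, now_iso):
    """Check Conditions (validity window, audience), then return (subject, groups)."""
    root, now = ET.fromstring(xml_text), _ts(now_iso)
    cond = root.find("saml:Conditions", SAML)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)}
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML)
    groups = set()  # group names the IdP asserted for this subject
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") == GROUP_ATTR:
            groups.update(v.text for v in attr.findall("saml:AttributeValue", SAML))
    return subject, groups

def authorize(xml_text, expected_audience, required_group, now_iso):
    """Authz decision for the SP: 'allow' or 'deny: <reason>'."""
    try:
        subject, groups = assertion_groups(xml_text, expected_audience, now_iso)
    except (ValueError, ET.ParseError) as e:
        return f"deny: {e}"
    return "allow" if required_group in groups else f"deny: {subject} not in {required_group}"
```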