SAML is indeed one method of passing a secure token to another app/service. Implementing SSO would probably be a great move forward to consolidate your source of truth for Fedora users in one location.
Whatever mechanism you choose to use to implement SSO, you need to consider the ease of integrating it with our existing applications. This will likely be a code change for many applications.
Since you want to push Fedocal and Blocker tracking into production, would you mind changing your login forms so that I don't have to enter my FAS password into your application dialog boxes? Although I understand that they are Fedora's applications, hosted on Fedora's infrastructure, etc., I don't feel comfortable entering my FAS password into various applications, which I consider 3rd party from this perspective.
infrastructure mailing list