On Fri, Apr 26, 2013 at 01:57:17PM -0500, Bruno Wolff III wrote:
On Fri, Apr 26, 2013 at 11:10:33 -0700,
Toshio Kuratomi <a.badger(a)gmail.com> wrote:
>On Thu, Apr 25, 2013 at 11:31 AM, Kevin Fenzi <kevin(a)scrye.com> wrote:
>Yeah, with emphasis on the once other things have moved over, I could
>probably agree with this. There are some bumpy spots though -- for
>instance, what happens when an app doesn't have openid support. We also
>need to be aware that this can be an invasive request. If an application
>needs to have authz (groups or permissions) then we may not be able to get
>away with simple openid authn in the application and may need to code our
>own thing to handle that. We also need to have a certain number of other
>deployments done to feel confident that openid-for-our-own-apps isn't going
>to hit any unexpected difficulties. Lack or certain information from fas,
>inability of openid to scale, insecurities, etc.
If we used SAML, the IdP can provide group membership information
which could be used by SPs for authz.
We looked into SAML at one point and decided not to use it. I can't
remember the details though.
From looking around very briefly, I'm not sure that very many things have
out-of-the-box support for SAML So we'd probably have to write something
to use SAML for each app instead of having to write something to use the
teams OpenID extension where necessary. That seems like more work overall.