----- Original message -----
From: Lance Bragstad <lbrags...@gmail.com>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev@lists.openstack.org>
Cc:
Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
Date: Wed, Aug 5, 2015 11:19 AM
On Wed, Aug 5, 2015 at 1:02 PM, Steve Martinelli <steve...@ca.ibm.com> wrote:
> Some folks said that they'd prefer not to list all associated
> idps, which I can understand.
> Actually, I like Jamie's suggestion of just making horizon a bit
> smarter, and expecting the values in the horizon settings
> (idp+protocol)
This *might* lead to a more complicated user experience, unless we
deduce the protocol for the IdP selected (but that would defeat the
point?). Also, wouldn't we have to make changes to Horizon every
time we add an IdP? This might be case by case, but if you're
consistently adding Identity Providers, then your ops team might not
be too happy reconfiguring Horizon all the time.
> Thanks,
> Steve Martinelli
> OpenStack Keystone Core
From: Dolph Mathews <dolph.math...@gmail.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: 2015/08/05 01:38 PM
Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
------------------------------------------------------------------------
On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <d.w.chadw...@kent.ac.uk> wrote:
On 04/08/2015 18:59, Steve Martinelli wrote:
> Right, but that API is/should be protected. If we want to list IdPs
> *before* authenticating a user, we either need: 1) a new API for listing
> public IdPs or 2) a new policy that doesn't protect that API.
Hi Steve
yes this was my understanding of the discussion that took place many
months ago. I had assumed (wrongly) that something had been done about
it, but I guess from your message that we are no further forward on this
Actually 2) above might be better reworded as - a new policy/engine that
allows public access to be a bona fide policy rule
The existing policy simply seems wrong. Why protect the list of IdPs?
regards
David
>
> Thanks,
>
> Steve Martinelli
> OpenStack Keystone Core
>
>
> From: Lance Bragstad <lbragstad@gmail.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev@lists.openstack.org>
> Date: 2015/08/04 01:49 PM
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
>
> ------------------------------------------------------------------------
>
> On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <drf...@us.ibm.com> wrote:
>
> Hi David,
>
> This is a cool looking UI. I've made a minor comment on it in InVision.
>
> I'm curious if this is an implementable idea - does keystone support large
> numbers of 3rd party idps? Is there an API to retrieve the list of idps or
> does this require carefully coordinated configuration between Horizon and
> Keystone so they both recognize the same list of idps?
>
> There is an API call for getting a list of Identity Providers from Keystone
>
> http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers
>
>
> Doug Fish
>
>
> David Chadwick <d.w.chadw...@kent.ac.uk> wrote on 08/01/2015 06:01:48 AM:
>
> > From: David Chadwick <d.w.chadw...@kent.ac.uk>
> > To: OpenStack Development Mailing List <openstack-dev@lists.openstack.org>
> > Date: 08/01/2015 06:05 AM
> > Subject: [openstack-dev] [Keystone] [Horizon] Federated Login
> >
> > Hi Everyone
> >
> > I have a student building a GUI for federated login with Horizon. The
> > interface supports both a drop down list of configured IDPs, and also
> > Type Ahead for massive federations with hundreds of IdPs. Screenshots
> > are visible in InVision here
> >
> > https://invis.io/HQ3QN2123
> >
> > All comments on the design are appreciated. You can make them directly
> > to the screens via InVision
> >
> > Regards
> >
> > David
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev