Hello,
I've just fixed sso.debian.org to work again after the upgrade of
diabelli to bullseye.
I however have not used SSO certificates in years and don't intend to.
This means I'm unable to test if certificate authentication still works,
and to effectively maintain the site: I won't be able to do much more to
it than fix Django issues.
Unless some other DD steps in to take over maintenance, I annouce my intention to decommission sso.debian.org by the end of March 2023.
I would welcome better single sign-on systems for Debian than Salsa, and sso.debian.org is not it.
I'm posting this to debian-devel as an early heads-up and a call for
other maintainers. If nobody steps in my the end of October, I'll post a proper sunset announce to debian-devel-announce.
At the present time, I believe this will break DDs logging into tracker.debian.org. I recently had to mess around with client
certificates in order to login there and subscribe to a new package.
I would welcome better single sign-on systems for Debian than Salsa, and sso.debian.org is not it.
We use Keycloak in both at office and in international projects as
backbones of relatively big and federated SSO systems, and it works fine.
It's not very hard to deploy and configure on bare metal. Enabling its
own HTTPS/SSL features are also relatively straightforward.
I'm sure that it can handle a project at the size of Debian. It handles traffic from half of EU (as a part of EGI SSO infrastructure) just fine.
I'm posting this to debian-devel as an early heads-up and a call for
other maintainers. If nobody steps in my the end of October, I'll post a proper sunset announce to debian-devel-announce.
Everyone coming up with solutions, please review the old thread about
that https://lists.debian.org/msgid-search/20200405184610.GA581270@waldi.eu.org
On Mon, Oct 17, 2022 at 11:57 AM Bastian Blank <waldi@debian.org> wrote:
Everyone coming up with solutions, please review the old thread about
that
https://lists.debian.org/msgid-search/20200405184610.GA581270@waldi.eu.org
Keycloak also provides OpenID Connect / OAuth2 and can connect to LDAP >servers - so it is not really "intrusive" in that sense. For websites
using the SSO the switch would probably just changing a URL, which of
course opens the question what the advantage of Keycloak over the
current Gitlab based solution would be. I guess Keycloak integrates
better to LDAP and has more user management tools, but that doesn't
mean the work is worth it. I just wanted to point out a solution in
case we want a new SSO.
Cheers,
Stephan
"Stephan" == Stephan Lachnit <stephanlachnit@debian.org> writes:
I think the minimal solution here, which I'm not volunteering to do,
is
for tracker.debian.org to gain salsa sso support instead of client
cert
support.
That
* Gives us a second source of sso
* still leaves tracker wanting to consume client certs
* As far as I can tell keycloak can consume but not produce client certs
* Even if it can produce client certs we have all the usability
challenges of client certs
Salsa should be there for git (related) things.
NOT as an identity/login provider for Debian
I think the minimal solution here, which I'm not volunteering to do, is
for tracker.debian.org to gain salsa sso support instead of client cert support.
On Mon, 2022-10-17 at 21:28 +0200, Joerg Jaspert wrote:
Salsa should be there for git (related) things.
NOT as an identity/login provider for Debian
There are already Debian services that do not offer any other option
for auth than Salsa.
Personally I do not like GitLab, Salsa nor OIDC/Oauth2, vastly prefer
TLS client certs and thus usually never use Salsa authed services.
Arguably it is probably a good thing to use Salsa, since it means
services can have an auth option for all of the Debian contributors, including those who are not currently DDs or DMs.
Also lemonldap-ng, already packaged
Am 2022-10-18 04:52, schrieb Paul Wise:
Salsa should be there for git (related) things.
NOT as an identity/login provider for Debian
No, it is a bad, not a good thing, to use Salsa for this.
Salsa is a "repository service" with some added nice features related to them. It is good at that, yay. Fine.
Salsa is really bad as an identity/authentication service. Having a salsa account does NOT mean ANYTHING related to Debian, like DM/DD/whatever.
And thats information that such a service ought to provide too.
It also does not allow any kind of useful management of identities besides "the account is there/blocked/deleted". And so, as soon as you would want to NOT allow someone a login to a service that uses salsa as a login service - you need
to delete their account. Including their repositories and abilities there. Not good.
Salsa should be there for git (related) things.There are already Debian services that do not offer any other option
NOT as an identity/login provider for Debian
for auth than Salsa.
Arguably it is probably a good thing to use Salsa, since it means
services can have an auth option for all of the Debian contributors, including those who are not currently DDs or DMs.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 360 |
Nodes: | 16 (2 / 14) |
Uptime: | 129:12:43 |
Calls: | 7,686 |
Files: | 12,828 |
Messages: | 5,711,155 |