From: Krzysztof B. <go...@ic...> - 2015-01-21 10:37:43
Hi Jeroen,

On 20.01.2015 at 10:52, Jeroen Roodhart wrote:
> Hi Krzysztof,
>
> Thank you for your clear answer.
>
> On 20/01/15 10:27, Krzysztof Benedyczak wrote:
>> That said, such an implementation is considered but is pretty low on
>> the priorities list. This is because of minimal usefulness and the very big
>> effort to implement it.
>
> Well, I agree that it would be a big effort, though I think it would
> be _very_ useful. At the moment there seems to be no way whatsoever to
> tie into OAuth or other such mechanisms on the system level. Having
> such a possibility would open up a plethora of possibilities to allow
> collaboration between researchers through sharing all kinds of
> resources (from compute facilities (not being "cloud") to scientific
> measuring equipment).

To clarify a bit more: I fully agree that a feature to authenticate Linux users with basically anything would be great. But my point was that in many (most? i.e. OAuth and typical SAML) cases it is close to impossible. Developing an automated web parser which will log in on the user's behalf using arbitrary login fields on an arbitrary login page - which each and every IdP can have different, and usually does have different - is fairly unrealistic. We can do something for some well-known providers such as Google or FB.

My statement that "this is a lot of work" related merely to the LDAP endpoint in Unity, which is needed to create the PAM<->Unity link, but is not sufficient as it won't translate a non-interactive protocol (LDAP) to any interactive web-browser based protocol (OAuth/SAML SSO).

Also, the simulated and automated web-browser approach brings legal issues, as the whole solution would be a hack, killing the principles of the OAuth/SAML protocols, where the password is not exposed to intermediaries and where a user directly instructs her IdP to release the information to a particular requester.

Simple example: if the IdP asks the user (after login) whether she accepts some new, updated terms and conditions, should Unity click "yes" for the user? Or maybe not?

Best regards,
Krzysztof