Closed Bug 907492 Opened 12 years ago Closed 9 years ago

SAML / Persona bridge?

Categories: (Cloud Services :: Server: Identity, defect)
Platform/fields: x86, macOS, defect, Not set, normal
Tracking: (Not tracked)
Status: RESOLVED WONTFIX
People: (Reporter: nmaul, Unassigned)
Details: (Whiteboard: [qa-])

Is this a possibility? Many of our SaaS systems that we pay for have built-in support for "Single Sign-On" through SAML. If we can hook that up to Persona somehow, that could potentially get us a fair number of systems/services done relatively easily. We can already do them directly to LDAP (that's how ServiceNow works), but that's non-ideal (for security reasons mainly). It'd be nicer to go to Persona.
Whiteboard: [qa-]
In general, file a github issue against mozilla/browserid to get some love. Sorry no one has responded. Two answers: 1) I think we've offered up an Apache module as a general purpose fix 2) I'm not familiar enough with SAML, but it is quite possible. Is it possible to use SASL-browserid (openldap plugin) to enable ServiceNow and other LDAP backed apps? You can use Mozillians APIs for authorization or a simple check for a whitelist of Mozilla staff domains.
Yep, we are working on an Apache module which should go a long way towards resolving this for our locally-hosted services. However, it won't help for external, 3rd-party systems (Akamai, New Relic, bill.com, ServiceNow, etc... there's 20+ of these). I have set up a SAML identity provider (using SimpleSAMLphp, open-source self-hosted web app), which currently uses LDAP authentication. SAML service providers can be configured to connect to this to provide centralized authentication. I've tried it out using a "testing" SP, and it seems to work properly. SimpleSAMLphp is modular, and supports the creation of custom authentication modules... it should be possible to create a module for Persona, and use that instead, with very little change. I have spoken with Yvan Boily, and he's indicated he has someone on his team that may be able to help with this. Even without Persona integration, I think this could be very nice just tying straight into LDAP. It gives us the ability to do Single-Sign-On with any vendor that supports SAML.
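The two comments above sketch the bridge: a SimpleSAMLphp authentication source that, instead of binding to LDAP, accepts a Persona assertion, has it verified, applies the "whitelist of Mozilla staff domains" check, and hands the resulting identity to the SAML side as attributes. The following is an added illustration written for this page, not code from the bug thread, from SimpleSAMLphp, or from mozilla/browserid. Because the Persona verifier service no longer exists, it performs no network call: it takes a verifier response in the JSON shape that API returned (`status`, `email`, `audience`, `expires` in milliseconds, `issuer`) as input. The sample responses, the audience URL, the domain whitelist and the attribute names (`mail`, `uid`, `emailDomain`) are all constructed assumptions; the attribute layout is only an approximation of what a SimpleSAMLphp auth source would place in its state array.

```python
import json
import time

# Constructed verifier responses in the JSON shape the Persona verifier API
# used to return; sample values, not captured traffic. "expires" is
# milliseconds since the epoch.
SAMPLE_OK = json.dumps({
    "status": "okay",
    "email": "alice@mozilla.com",
    "audience": "https://sso.example.internal",
    "expires": 1700000000000,
    "issuer": "login.persona.org",
})
SAMPLE_FAILURE = json.dumps({"status": "failure", "reason": "assertion has expired"})
SAMPLE_OUTSIDE_DOMAIN = json.dumps({
    "status": "okay",
    "email": "bob@example.org",
    "audience": "https://sso.example.internal",
    "expires": 1700000000000,
    "issuer": "login.persona.org",
})

# Hypothetical staff-domain whitelist standing in for the check suggested in the thread.
ALLOWED_DOMAINS = frozenset({"mozilla.com", "mozillafoundation.org"})


def check_persona_verification(response_json, expected_audience,
                               allowed_domains=ALLOWED_DOMAINS, now_ms=None):
    """Validate a verifier response and return the verified email address.

    Raises ValueError when the assertion must be rejected: verification
    failed, the audience does not match this relying party, the assertion
    has expired, or the email domain is outside the whitelist.
    """
    data = json.loads(response_json)
    if data.get("status") != "okay":
        raise ValueError("verification failed: %s" % data.get("reason", "unknown"))
    # Audience binding: an assertion issued for another site must not be accepted here.
    if data.get("audience") != expected_audience:
        raise ValueError("audience mismatch")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expires = data.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        raise ValueError("assertion expired or has no expiry")
    email = data.get("email", "")
    local, sep, domain = email.rpartition("@")
    if not sep or not local or domain.lower() not in allowed_domains:
        raise ValueError("email %r is not in an allowed domain" % email)
    return email


def saml_attributes_for(email):
    """Map a verified email onto a multi-valued attribute dict of the kind a
    SimpleSAMLphp auth source passes on to the SAML IdP (assumed layout)."""
    local, _, domain = email.rpartition("@")
    return {"mail": [email], "uid": [local], "emailDomain": [domain]}


def bridge_login(response_json, expected_audience, now_ms=None):
    """Whole bridge step: verify, then produce SAML attributes; None on rejection."""
    try:
        email = check_persona_verification(response_json, expected_audience, now_ms=now_ms)
    except ValueError:
        return None
    return saml_attributes_for(email)


if __name__ == "__main__":
    fixed_now = 1600000000000  # constructed "current time" so the sample stays valid
    print(bridge_login(SAMPLE_OK, "https://sso.example.internal", now_ms=fixed_now))
    print(bridge_login(SAMPLE_OK, "https://other.example", now_ms=fixed_now))
    print(bridge_login(SAMPLE_FAILURE, "https://sso.example.internal", now_ms=fixed_now))
    print(bridge_login(SAMPLE_OUTSIDE_DOMAIN, "https://sso.example.internal", now_ms=fixed_now))
```

The audience check is the part most easily forgotten in a bridge like this: the verifier only confirms that the assertion is genuine for the audience it names, so the relying party must compare that value against its own origin, otherwise an assertion obtained for one site would authenticate at another. The domain whitelist then implements the authorization step the second comment proposes, separate from authentication.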
The Persona service will be decommissioned later this year, so I'm closing out Persona-related bugs
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX