| 9 Mar 2024 |
hexa | makes sense | 01:50:28 |
raitobezarius | Even in the same organization, when there's multiple authorities with separated infrastructure, federation makes a bunch of political stuff easier | 01:50:53 |
raitobezarius | Because you don't get to enforce / assert LDAP ownership | 01:51:04 |
raitobezarius | First party native application login via OIDC is being removed in https://oauth.net/2.1/ | 01:51:34 |
raitobezarius | Which means that you always have to pop up that web page when logging in via OIDC in any native app | 01:51:49 |
raitobezarius | How to log out users in OIDC is very interesting (again a consequence of an authorization protocol being used for auth) | 01:52:25 |
raitobezarius | so there's this spec https://openid.net/specs/openid-connect-frontchannel-1_0.html | 01:52:29 |
raitobezarius | which almost no one implements | 01:52:32 |
raitobezarius | which means that for example if you log in to circleci via github, log out from github, you are still logged in to circleci | 01:52:44 |
raitobezarius | Auth0 who handles a lot of stuff for you has very fun documentation on it: https://auth0.com/docs/manage-users/sessions/session-layers#session-logout | 01:53:05 |
raitobezarius | They always have 3 sessions to manage this sort of stuff | 01:53:15 |
hexa | yeah, that is a can of worms, agreed | 01:53:25 |
hexa | but does that really justify the added complexity for saml? | 01:53:42 |
hexa | like why would you even say you prefer it? | 01:53:51 |
hexa | you're neither a government, nor a university, nor a global conglomerate | 01:54:06 |
raitobezarius | (well I worked for :P) | 01:54:23 |
raitobezarius | And honestly every time I tried to replicate certain setups with OIDC, it made me appreciate the thoughtfulness of the SAML design | 01:54:43 |
hexa | pretty sure people go for saml for political or structural reasons only | 01:54:52 |
raitobezarius | Now, my position is more I wish there were a Kanidm for SAML | 01:54:54 |
raitobezarius | And I'd probably use more SAML in my infrastructure if I could do that | 01:55:06 |
hexa | keycloak? 😛 | 01:55:16 |
raitobezarius | Keycloak does not know how to implement SAML | 01:55:22 |
hexa | who does though? 😄 | 01:55:36 |
raitobezarius | don't tell me 'see?' :D | 01:55:37 |
raitobezarius | In reply to @hexa:lossy.network who does though? 😄 Well, the Apereo folks do OK things in that area | 01:55:49 |
hexa | so CAS? | 01:55:59 |
raitobezarius | It's honest even though I hate Java Enterprise | 01:56:37 |
raitobezarius | (it hurts me to say it ok) | 01:56:49 |
hexa | ❯ rg apereo
pkgs/development/php-packages/phing/composer.lock
4672: "apereo/phpcas": "<1.6",
| 01:57:03 |
hexa | 🤡 | 01:57:08 |