mozilla / vinz-clortho

INACTIVE - http://mzl.la/ghe-archive - BrowserID Keymaster for LDAP enabled Identity Providers

LDAP authentication doesn't properly handle email aliases. #90

Closed lloyd closed 11 years ago

lloyd commented 11 years ago

Currently, corporate LDAP, which we use right now, is not a fit for the Mozilla IdP.

tl;dr We must support email aliases in order to launch Moz IdP, and we don't have a single system which holds both all email aliases for employees and their credentials. Our LDAP servers don't have a canonical list of all of an employee's routable email addresses.

The full story:

Right now, protected internal servers opt into LDAP authentication. Once opted in, any user present in LDAP may authenticate.

With Mozilla IdP, protected servers will instead use Persona for authentication. Effectively, the user will opt into LDAP authentication by providing a Mozilla-owned domain.

The key difference is this change will make it so that LDAP authentication is in effect for any site that uses Persona, not just those that opt in.

Because now LDAP authentication will be used everywhere on the web where Persona is, we must support email aliases, so we do not block Mozilla employees from logging into Persona-enabled websites that they currently authenticate to using an email alias.

The requirement is that LDAP authentication must work for all of an employee's routable email addresses that they use at Mozilla which end in Mozilla-controlled domains (mozillafoundation.org, mozilla.com, and a couple others).

Because the only canonical place these emails are stored is Zimbra, it is thought that the Mozilla IdP could attempt authentication via IMAP instead of against our canonical LDAP server.

The final issue with the current implementation is that alias support mostly seems to work, but it allows folks to authenticate with any address added to their account via phonebook. Anyone can add a routable address to their phonebook entry (provided it is not the canonical LDAP login of anyone else), and then can prove they own it via Moz IdP. This is a security hole which would allow you, in these circumstances, to pretend you are someone you are not in the eyes of Persona-enabled sites.
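An added example (not code from vinz-clortho or from this issue) of the alias-resolution rule the last comment implies: an address proves account ownership only if it appears in an admin-managed LDAP attribute, never in a user-editable phonebook attribute, and only if its domain is one Mozilla controls. The directory entries and the attribute names `mailAlternateAddress` and `phonebookEmail` are constructed assumptions, not Mozilla's real schema.

```python
# Constructed sample directory; attribute names are assumptions, not a real schema.
DIRECTORY = [
    {"uid": "alice", "mail": "alice@mozilla.com",
     "mailAlternateAddress": ["alice@mozillafoundation.org"],  # admin-managed alias
     "phonebookEmail": []},                                    # user-editable
    {"uid": "mallory", "mail": "mallory@mozilla.com",
     "mailAlternateAddress": [],
     # self-asserted address: not anyone's canonical login, so phonebook accepts it
     "phonebookEmail": ["webmaster@mozilla.com"]},
]

CONTROLLED_DOMAINS = {"mozilla.com", "mozillafoundation.org"}
ADMIN_ATTRS = ("mail", "mailAlternateAddress")   # only administrators can change these
USER_ATTRS = ("phonebookEmail",)                  # any employee can edit their own


def _addresses(entry, attrs):
    """Collect the lower-cased addresses held in the given attributes of one entry."""
    found = set()
    for attr in attrs:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        found.update(v.lower() for v in values)
    return found


def resolve_owner(claimed, directory, attrs):
    """Return the uid that owns `claimed` according to `attrs`, else None.

    None is returned for addresses outside controlled domains and when zero or
    more than one entry claims the address (ambiguous ownership is a denial).
    The caller would then LDAP-bind as that uid with the supplied password.
    """
    claimed = claimed.strip().lower()
    domain = claimed.rpartition("@")[2]
    if domain not in CONTROLLED_DOMAINS:
        return None
    owners = [e["uid"] for e in directory if claimed in _addresses(e, attrs)]
    return owners[0] if len(owners) == 1 else None


def resolve_owner_vulnerable(claimed, directory=DIRECTORY):
    """Behaviour described in the issue: phonebook entries count as proof."""
    return resolve_owner(claimed, directory, ADMIN_ATTRS + USER_ATTRS)


def resolve_owner_hardened(claimed, directory=DIRECTORY):
    """Only admin-managed attributes establish ownership of an alias."""
    return resolve_owner(claimed, directory, ADMIN_ATTRS)
```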