What I Learned This Week

On Mozilla’s identity and access management (IAM) initiatives

(Cross-post from Mozilla’s discourse.)

Introduction

This document describes some of Mozilla’s activities in response to the decommissioning of Persona, and the change this brings to many of our web properties. It also gives a short overview of Mozilla’s broader identity and access management (IAM) initiatives.

Summary (TL;DR)

  • Persona will be decommissioned on November 30, 2016.
  • Our new authentication provider is built with Auth0 at its core.
  • All Participation Systems properties (reps.mozilla.org, mozillians.org, moderator.mozilla.org and others) will be using Auth0 moving forward.
  • Using this new authentication provider, Mozilla will transition many of the web properties that use Persona today to offer
    • password-less email login for all profiles on Mozillians.org and
    • LDAP login for staff.
    • In addition, some web properties will offer select social logins (e.g. Google, GitHub).
  • Moving into 2017, Mozillians.org will be fully integrated with Mozilla’s LDAP. This will enable volunteers and paid staff to collaborate using some of the same platforms and tools.

Persona Replacement (aka IAM Package B)

As previously mentioned on mozilla.dev.identity [Jan 12 2016 and Oct 13 2016], Persona is slated for decommissioning on November 30th, 2016.

Mozilla will not offer a public-facing authentication service like Persona after November 30th. Information for website owners to migrate their sites away from persona.org can be found on the wiki.

Many of Mozilla’s web properties (some of them listed below) will replace Persona with a new authentication provider based on Auth0. This means that Mozillians will be able to authenticate on many Mozilla sites using password-less email login, or select social logins (e.g. Google, GitHub). Staff members can continue to use their LDAP credentials on these sites. This transition includes, but is not limited to: Mozillians.org, Discourse, Moderator, Reps Portal, and Air Mozilla.

For the web properties maintained by the Participation Systems team (Discourse, Moderator, Mozillians.org, Reps Portal) this bucket of work is often referred to as “IAM Package B” and can be tracked on the team’s Kanban board. Package A was a technical proof of concept which successfully ended in September 2016.

Mozillians.org LDAP Integration (aka IAM Package C)

Looking towards 2017, we plan to integrate Mozillians.org with LDAP to facilitate group management and access control for both paid staff and volunteers. This endeavor is often referred to as “IAM Package C”. Connecting these two systems will allow us to offer a single access management system for all Mozillians, volunteers as well as paid staff. We are still designing this new system and will share additional details in the coming months.

This groundwork will eventually allow us to differentiate collaboration tools’ access levels based on project needs instead of employment status. Think about the ability to provide document access to a hybrid project group of volunteer and staff contributors. This is a natural next step in our work as a radically participatory organization.

Feedback welcome!

This article hopefully provided insight into Mozilla’s currently running and planned activities around identity and access management. We invite you to continue the conversation at this discourse post.