Closed Bug 1395574 Opened 7 years ago Closed 7 years ago

Provide an auth0 login option for the old federated method

Categories

(Taskcluster :: Services, enhancement)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

In case we can't transition all users of the federated-login method to use auth0 in time, we should provide a temporary "Login With Auth0" option there. It will return credentials good for only 15 minutes, but that's better than not being able to log in at all.
Blocks: 1380028
The idea here is kind of a hack, but it's temporary. Right now if you hit /auth0/login or /auth0/login-local, you get a custom lock accepting only passwordless. But if you hit /auth0/callback, you get sent to the hosted Mozilla lock. We'll take advantage of that and allow both passwordless and LDAP logins at that hosted lock. We'll then look at the resulting user profile just like the OIDC handler does, and determine whether it's an email or LDAP login, and generate an appropriate user. As a bonus, the resulting credentials will last 3 days.

Then if time gets short, we can switch the "Login with Okta" button on https://login.taskcluster.net to say "Login with Auth0" and link to /auth0/callback, and everything will keep working. But let's not talk out loud about that ;)

I filed REQ0051148 to request the LDAP connection be enabled for the tc-login client, 1db5KNoLN5rLZukvLouWwVouPkbztyso. That's a non-interactive client, though, so it might not work -- in which case we'll need a new (short-term) client for this purpose.
It says "Something went wrong. Please contact technical support." right now, so my guess is we'll need a second client. I can't comment on the Hub request (Hub is such a disaster..) so I'll wait until I hear from someone on the IAM team.
Once PR#59 is merged this should be fine. The lock is working now that the client has been updated. I think it will end up leaving a tab open, and it requires the user to click "Sign In with Auth0" then "Sign In with LDAP", but those are just papercuts on a very temporary measure.
Commits pushed to master at https://github.com/taskcluster/taskcluster-login

https://github.com/taskcluster/taskcluster-login/commit/ec650562f828b60b60b662e154b671c4582df7b2
Bug 1395574 - support LDAP logins via auth0

This adds support for logins using an LDAP IdP. It doesn't change the UI at all, so users won't use it, but it can be tested by going to https://login.taskcluster.net/auth0/callback, and we can easily enough add a link to that in October if necessary. The identity-matching code is similar to that in `src/handlers/mozilla-auth0.js`.

https://github.com/taskcluster/taskcluster-login/commit/8d535d4fbe7c9ef0a2b6cbae6e4ca3a9558c5822
Merge pull request #59 from djmitche/bug1395574

Bug 1395574 - support LDAP logins via auth0
Works great :)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Login → Services
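
An added example, not from this bug or from taskcluster-login's own code, of the step the thread describes: inspecting the Auth0 profile to decide whether a login came from LDAP or passwordless email, and rejecting anything else. The connection names, identity prefixes, function name and sample profiles are assumptions made for illustration.

```javascript
// Added example; names are hypothetical, not taskcluster-login's own code.
const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000; // lifetime mentioned in the thread

// Assumed connection names and identity prefixes.
const CONNECTIONS = {
  'Mozilla-LDAP': { prefix: 'mozilla-ldap', needsVerifiedEmail: false },
  'email': { prefix: 'email', needsVerifiedEmail: true },
};

// Map an Auth0-style profile to a login identity; null means reject the login.
function identityFromProfile(profile, now = Date.now()) {
  if (!profile || !Array.isArray(profile.identities)) return null;
  // Require exactly one upstream identity so the login source is unambiguous.
  if (profile.identities.length !== 1) return null;
  const conn = profile.identities[0].connection;
  // Own-property lookup: names such as "__proto__" must not match anything.
  if (!Object.prototype.hasOwnProperty.call(CONNECTIONS, conn)) return null;
  const rule = CONNECTIONS[conn];
  const email = profile.email;
  // No "/" or whitespace, so the address cannot alter the identity's structure.
  if (typeof email !== 'string' || !/^[^\s\/@]+@[^\s\/@]+$/.test(email)) return null;
  if (rule.needsVerifiedEmail && profile.email_verified !== true) return null;
  return { identity: `${rule.prefix}/${email}`, expires: new Date(now + THREE_DAYS_MS) };
}

// Constructed sample profiles (not real users).
const SAMPLES = {
  ldap: { email: 'jdoe@example.com', identities: [{ connection: 'Mozilla-LDAP' }] },
  passwordless: { email: 'dev@example.org', email_verified: true,
                  identities: [{ connection: 'email' }] },
  unverified: { email: 'dev@example.org', email_verified: false,
                identities: [{ connection: 'email' }] },
  otherIdp: { email: 'jdoe@example.com', identities: [{ connection: 'github' }] },
};

for (const [name, profile] of Object.entries(SAMPLES)) {
  const result = identityFromProfile(profile);
  console.log(name, '->', result ? result.identity : 'rejected');
}
```

The mapping fails closed: a profile from any connection not in the allow-list, or a passwordless profile without a verified address, yields no identity and therefore no credentials.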