If we shutdown lab and pad, we’re left with a single service, so SSO is not particularly useful.
As suggested during last meeting, it could be nice to share an SSO among librehosters, but if this option is not pursued, so be it.
I’d still be interested in the actual setup on my side to be able to share my SSO with LH SSO (@matronix’s setup), whatever the fate of this service. Some of us might still want to share services even if we don’t have a collective SSO.
That said, maintaining a basic keycloak is not so complicated so it might be useful to keep it running since everybody has been using it so far to connect to the services ; additionally, if we’re moving the repositories to another Gitlab, it would be useful to maintain connectivity from our existing infrastructure to the target Gitlab, so that the move is seamless to the users and they can still have correct group and individual accesses to repositories.
IH also proposed that the LH SSO would become a realm in their own Keycloak. This could be a good solution as well, especially if the lab is moving to their infra, and the connection is then easier to make.
Adding: I may have thought about a situation where it would be preferable to maintain a SSO under the libreho.st banner, namely, data portability. Imagine a member (or customer) of one of the librehosters. They have an account, say at indie.host. They want to use a service from another librehoster, maybe a WireGuard tunnel from Disroot.org. Then they could use the LH SSO to access to their VPN panel at Disroot.
In fact, the more I think about it, the more I find Keycloak (or the SSO in general) a very good way to collaborate. We could have hoster-specific Identity Providers (e.g., a clustered Keycloak installation per Librehoster, or similar/compatible setup) forming a cross-datacenter replicated SSO that would serve as high-availability SSO and cross-ISP service, helping both sysadmins and users to move seamlessly from one host to another depending on their preferences and needs.
That said, I can foresee the technical burden to keep this up while we were not able to coordinate over the last year. I’d rather keep this in mind (and keep LH SSO up in the meantime) and concentrate on sharing other more critical services such as backups.