That’s good news! Moving off direct LDAP definitely makes us safer.
I’m not sure if our Django Python module for OIDC (an authentication standard) works with Django 1.11.x or not, though you can try/find it there: https://github.com/mozilla/mozilla-django-oidc/
Otherwise, another easy alternative is to set up an authentication proxy in front of elmo. The proxy takes care of all this and can pass HTTP headers for elmo to read, such as the username that was authenticated and their groups. Here’s an example setup: https://github.com/mozilla-iam/mozilla.oidc.accessproxy
In both cases you’ll need a set of identifiers (client_id and client_secret) that you can request here: https://mozilla.service-now.com/sp?id=sc_cat_item&sys_id=1e9746c20f76aa0087591d2be1050ecb - note that it sounds like you can indicate in this request what the audience should be (such as LDAP staff + contributors, but you can also choose to allow people without LDAP accounts in as well)
There are other possible alternatives, though these are the most popular/easiest to get going.
Update: @Pike and I just had a conversation. Step 1 is about elmo, not Pontoon. But it’s a start and would potentially open the path to getting Pontoon onto Mozilla IAM.
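
The authentication-proxy option described in the post above, sketched from the application side as an added example (not part of the original post and not code from either linked project). It shows the check the backend needs when it reads identity from HTTP headers: accept them only when the direct peer is the proxy. The proxy address, header names, group separator and group names are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the post): proxy address, header names, separator.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed value
USER_HEADER = "HTTP_X_FORWARDED_USER"      # WSGI form of X-Forwarded-User
GROUPS_HEADER = "HTTP_X_FORWARDED_GROUPS"  # WSGI form of X-Forwarded-Groups
GROUP_SEPARATOR = "|"


class UntrustedSource(Exception):
    """Identity headers arrived from something other than the proxy."""


def identity_from_proxy(environ):
    """Return (username, groups) from proxy-set headers, or None if anonymous.

    Headers are honoured only when the direct peer (REMOTE_ADDR) is the
    authentication proxy; any other client can set the same headers by hand.
    """
    has_identity = USER_HEADER in environ or GROUPS_HEADER in environ
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        peer = None
    from_proxy = peer is not None and any(peer in net for net in TRUSTED_PROXIES)
    if not from_proxy:
        if has_identity:
            raise UntrustedSource("identity headers from %r" % environ.get("REMOTE_ADDR"))
        return None
    username = environ.get(USER_HEADER, "").strip()
    if not username:
        return None
    raw = environ.get(GROUPS_HEADER, "")
    groups = frozenset(g.strip() for g in raw.split(GROUP_SEPARATOR) if g.strip())
    return username, groups


def is_authorized(environ, required_group):
    """True only for a proxy-authenticated user who is in required_group."""
    try:
        ident = identity_from_proxy(environ)
    except UntrustedSource:
        return False
    return ident is not None and required_group in ident[1]
```

The same rule is usually enforced at the network layer as well, by making the backend reachable only from the proxy.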