I have added the service on IPA and changed the HBAC rule from "any service"
to "ipsilon", but now I cannot log in on ipsilon. Also I've checked that
there is no '/etc/pam.d/ipsilon' file.
Thanks & Regards.
-----Original Message-----
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Sent: Tuesday, July 10, 2018 15:31
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: SOLER SANGUESA Miguel <solerm(a)unicc.org>; Rob Crittenden
<rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: How to use HBAC rules on services where is used Ipsion
On Tue, 10 Jul 2018, Rob Crittenden via FreeIPA-users wrote:
SOLER SANGUESA Miguel via FreeIPA-users wrote:
>Hello,
>
>RHEL 7.5 with IPA server 4.5.4
>
>RHEL 7.5 with IPA client 4.5.4 for installing Ipsilon from RHEL
>repositories (v1.0.0) and added manually patch:
>https://pagure.io/ipsilon/pull-request/44#request_diff
>
>I have configured Jira with the plugin for SAML2 (SAML Single Sign On
>(SSO) Jira, SAML/SSO
><https://marketplace.atlassian.com/apps/1212130/saml-single-sign-on-sso-jira-saml-sso>)
>and it works fine, when I try to login on Jira I’m
>redirected to Ipsilon server and when I put user/pass (using IPA user)
>I log in.
>
>My problem is that I don’t know how to configure which users can log
>in on the service. Right now all users able to login on the Ipsilon
>server via “any service” can login.
>
>On Jira side I can create the users manually and configure that just
>existing users can log in, but I would prefer not to manage users on
>the service provider side.
>
>Also I want to add more services to Ipsilon, so not all users allowed
>to log in on Ipsilon should log in on all services.
>
>If I can create a pam service for any of the services managed by
>ipsilon, it would be perfect, as I could create HBAC rules for any
>service and authorization would be managed just on IPA.
>
>Can anyone explain or give some documentation about this?
I forget what pam service is used by Ipsilon by default. I'd suggest
you ask on the ipsilon mailing list or in #ipsilon on freenode.
It is 'ipsilon'.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland