Hi,
On Sun, 2018-11-25 at 14:48 +0200, Alexander Bokovoy wrote:
> 1) SAML
>
> As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
> Keycloak is the way to go, right?
No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon is what Fedora Project's FAS service is built upon.
Oh, but the RHEL 7.5 release notes say:
Red Hat Access plug-in for IdM is discontinued
The Red Hat Access plug-in for Identity Management (IdM) was removed
in Red Hat Enterprise Linux 7.3. During the update, the redhat-
access-plugin-ipa package is automatically uninstalled. Features
previously provided by the plug-in, such as Knowledgebase access and
support case engagement, are still available through the Red Hat
Customer Portal. Red Hat recommends to explore alternatives, such as
the redhat-support-tool tool.
The Ipsilon identity provider service for federated single sign-on
The ipsilon packages were introduced as Technology Preview in Red Hat
Enterprise Linux 7.2. Ipsilon links authentication providers and
applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a
fully supported feature. The ipsilon packages will be removed from
Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution
based on the Keycloak community project. Red Hat Single Sign-On
provides greater capabilities than Ipsilon and is designated as the
standard web SSO solution across the Red Hat product portfolio.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
and there have been no commits to the Ipsilon repo in a year...
> However, Keycloak setup is not trivial, correct? Running CentOS there is no straightforward way to install and integrate it with a FreeIPA domain, correct?
Not correct either. With the current Keycloak release there are detailed (and fairly simple) instructions:
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
For OpenShift-based deployment Fraser did a blog:
https://frasertweedale.github.io/blog-redhat/posts/2017-09-04-keycloak-op...
I mean it still requires a sizable amount of elbow grease. I think
there is no systemd unit file, it doesn't come as an RPM which can be
easily upgraded, etc.
Even if Ipsilon is phased out I think I'll try again. IIRC, I had an
issue doing a test run, read about Keycloak being the future and gave
up quickly. RHEL 7 is still good for a few years, so maybe I have an
alternative solution on RHEL 8 when it dies.
> 2) SSO
>
> What is the special sauce for users using a browser on an IPA-joined system to log in to apps without even seeing a login form? SPNEGO?
>
> I'm using mod_auth_gssapi for some apps, having httpd do the authentication and forward it through REMOTE_USER, but it doesn't do the magic. There are some hints on mod_auth_gssapi's docs, but nothing really clear.
Clients need to be configured to accept and allow Negotiate authentication. My recommendation (and the one we applied to browsers in Fedora) is to set your network.negotiate-auth.trusted-uris to https://
The logic in Firefox is to match a substring from what is in the network.negotiate-auth.trusted-uris setting. Setting it to allow Negotiate on any HTTPS site is enough. If the site offers Negotiate authentication, the browser will attempt to obtain a Kerberos service ticket to that site. If that is not possible (the KDC doesn't know about the host), Negotiate authentication will not continue and the site will never know a Negotiate authentication was attempted but failed.
That's how my Firefox in FC28-29 was configured OOB, but while it works
perfectly on the IPA web interface, an httpd site which has:
<Location />
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/xxx.keytab
    GssapiBasicAuth On
    require valid-user
</Location>
does perfect validation, but no SSO.
> 3) How should you deliver apps?
>
> Suppose you are a web app developer and you want to deliver a web application which can easily integrate with FreeIPA. What's the most comfortable option you can give? (assuming, for instance, that you want the SSO magic sauce). Is there any difference between apps that will run on the FreeIPA's domain owner's systems or third party apps?
I don't think there is any difference. From the perspective of a client browser, authentication happens between the client and the SSO host, not the web app. So strictly speaking, only the SSO host needs to be enrolled. A client system needs to be able to operate with Kerberos to obtain the tickets automatically for SSO, but it is not necessary as the user could enter his/her credentials instead.
How the SSO framework authenticates the web app is totally separate. For example, I run the HackMD app with authentication handled against my own FreeIPA via Ipsilon. HackMD uses OAuth/OpenID Connect against Ipsilon and is totally disconnected from FreeIPA's view of the users, their authentication, etc. All it knows is what the Ipsilon OAuth/OpenID Connect assertion tells about the user.
I was thinking whether it was preferable to target REMOTE_USER and have httpd do the auth or use something like OAuth, which I guess is preferable.
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/
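The Firefox trusted-uris matching and the Negotiate challenge discussed in the thread, as an added example that is not part of the original mail or of Firefox/mod_auth_gssapi code: it approximates the network.negotiate-auth.trusted-uris rule (scheme prefix such as "https://" or host suffix) so a policy value can be checked before rollout, and parses a constructed 401 response of the kind a site with GssapiBasicAuth On would send. The hostnames are made up.

```python
"""Approximate model of Firefox's network.negotiate-auth.trusted-uris
matching (added example; the real browser code may differ in details)."""
from urllib.parse import urlsplit


def _host_matches(host: str, pattern_host: str) -> bool:
    """Empty pattern host matches everything; otherwise exact host or
    domain-suffix match ("example.test" also covers "wiki.example.test")."""
    if not pattern_host:
        return True
    pattern_host = pattern_host.lstrip(".")
    return host == pattern_host or host.endswith("." + pattern_host)


def negotiate_allowed(url: str, trusted_uris: str) -> bool:
    """True if the browser would attempt Negotiate (SPNEGO) on url, given a
    comma/space separated trusted-uris preference value."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    for token in trusted_uris.replace(",", " ").split():
        token = token.lower()
        if "://" in token:
            # Scheme-qualified entry: scheme must match, host part may be empty
            tok_scheme, tok_host = token.split("://", 1)
            if tok_scheme != scheme:
                continue
            tok_host = tok_host.split("/", 1)[0].split(":", 1)[0]
        else:
            tok_host = token  # bare hostname or domain suffix
        if _host_matches(host, tok_host):
            return True
    return False


def negotiate_offered(response_headers: str) -> bool:
    """True if a raw HTTP response carries a WWW-Authenticate: Negotiate
    challenge, i.e. the server asked for SPNEGO at all."""
    for line in response_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            if value.strip().split(" ", 1)[0].lower() == "negotiate":
                return True
    return False


# Constructed sample: 401 challenge offering both Negotiate and Basic
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: Basic realm=\"Kerberos Login\"\r\n"
    "Content-Length: 0\r\n"
)
```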