On Sun, 25 Nov 2018, Alex Corcoles via FreeIPA-users wrote:
> Hi,
> 
> I've read:
> 
> https://www.freeipa.org/page/Web_App_Authentication
> 
> , but there is some stuff that is not clear to me.
> 
> 1) SAML
> 
> As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
> Keycloak is the way to go, right?
No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon is
what Fedora Project's FAS service is built upon.


> However, Keycloak setup is not trivial, correct? Running CentOS there
> is no straightforward way to install and integrate it with a FreeIPA
> domain, correct?
Not correct either. With current Keycloak release there is a detailed
(and fairly simple) instruction: 
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd

For OpenShift-based deployment Fraser did a blog: 
https://frasertweedale.github.io/blog-redhat/posts/2017-09-04-keycloak-openshift.html



> 2) SSO
> 
> What is the special sauce for users using a browser on an IPA-joined
> system to log in to apps without even seeing a login form? SPNEGO?
> 
> I'm using mod_auth_gssapi for some apps, having httpd do the
> authentication and forward it through REMOTE_USER, but it doesn't do
> the magic. There are some hints on mod_auth_gssapi's docs, but nothing
> really clear.
Clients need to be configured to accept and allow Negotiate
authentication. My recommendation (and the one we applied to browsers in
Fedora) is to set your
network.negotiate-auth.trusted-uris

to
  https://

The logic in Firefox is to match a substring from what is in the
network.negotiate-auth.trusted-uris setting. Setting it to allow
Negotiate on any HTTPS site is enough. If the site offers Negotiate
authentication, the browser will attempt to obtain a Kerberos service ticket
to that site. If that is not possible (the KDC doesn't know about the host),
Negotiate authentication will not continue and the site will never know
a Negotiate authentication was attempted but failed.


You can achieve the same with Chrome/Chromium.

$ cat /etc/chromium/policies/managed/negotiate.json
{
   "AuthServerWhitelist": "*"
}




> 3) How should you deliver apps?
> 
> Suppose you are a web app developer and you want to deliver a web
> application which can easily integrate with FreeIPA. What's the most
> comfortable option you can give? (assuming, for instance, that you want
> the SSO magic sauce). Is there any difference between apps that will
> run on the FreeIPA's domain owner's systems or third party apps?
I don't think there is any difference. From the perspective of a client
browser, authentication happens between the client and the SSO host, not
the web app. So strictly speaking, only the SSO host needs to be enrolled. A
client system needs to be able to operate with Kerberos to obtain the
tickets automatically for SSO, but it is not necessary, as the user could
enter his/her credentials instead.

How the SSO framework authenticates the web app is totally separate. For
example, I run the HackMD app with authentication handled against my own
FreeIPA via Ipsilon. HackMD uses OAuth OpenID Connect against Ipsilon and is
totally disconnected from FreeIPA's view of the users, their
authentication, etc. All it knows is what the Ipsilon OAuth OpenID Connect
assertion tells it about the user.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
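Added example, not code from the post, from FreeIPA, or from the browser projects: a POSIX shell script that stages the two browser-side Negotiate settings from the reply (the Chromium policy quoted above and the Firefox enterprise-policy equivalent of setting network.negotiate-auth.trusted-uris to https://) into a directory tree, then parses each file as JSON before it is shipped to clients. The /etc/firefox/policies/policies.json path, the DESTDIR staging root and the use of python3 for the parse are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the list post or from FreeIPA: stage the
# browser-side Negotiate (SPNEGO) settings described in the reply into a
# directory tree and check each policy file is well-formed JSON before it
# is shipped to clients. Assumptions: DESTDIR is a staging root (default
# ./stage); the Chromium path is the one quoted in the reply and the
# Firefox path is the Linux enterprise-policy location; python3 is used
# for the JSON check when present.
set -eu

DESTDIR="${DESTDIR:-./stage}"

# Chromium: allow Negotiate for any server ("*"), as in the reply. Current
# Chromium releases name this policy AuthServerAllowlist; the older name
# from the reply is kept here.
write_chromium_policy() {
    dir="$DESTDIR/etc/chromium/policies/managed"
    mkdir -p "$dir"
    cat > "$dir/negotiate.json" <<'EOF'
{
  "AuthServerWhitelist": "*"
}
EOF
    printf '%s\n' "$dir/negotiate.json"
}

# Firefox: the enterprise-policy form of setting
# network.negotiate-auth.trusted-uris to "https://" (assumed path).
write_firefox_policy() {
    dir="$DESTDIR/etc/firefox/policies"
    mkdir -p "$dir"
    cat > "$dir/policies.json" <<'EOF'
{
  "policies": {
    "Authentication": {
      "SPNEGO": ["https://"]
    }
  }
}
EOF
    printf '%s\n' "$dir/policies.json"
}

# A policy file with a syntax error (for instance a trailing comma) is not
# applied by the browser, which then never offers Negotiate, so parse the
# file before deploying it. Falls back to a trailing-comma check when no
# JSON parser is installed.
validate_json() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
    else
        ! tr -d '\n' < "$1" | grep -Eq ',[[:space:]]*[]}]'
    fi
}

main() {
    for f in "$(write_chromium_policy)" "$(write_firefox_policy)"; do
        if validate_json "$f"; then
            echo "ok: $f"
        else
            echo "invalid JSON: $f" >&2
            return 1
        fi
    done
}

main
```

Run it with `DESTDIR=/ sh stage-negotiate.sh` on a client to write the files in place, or with the default `./stage` to inspect the output first. The parse step is the check worth keeping: a policy file the browser cannot parse is not applied, and from the user's side that looks the same as Negotiate never being attempted, so verify the file before looking at the Kerberos side.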
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org