Sure, but what you'd have to do is similar in both cases:

 - Extend Dogtag's user model to include external authentication sources,
 - Allow Dogtag to look up users based on Tomcat's auth handler.

In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL model, that doesn't currently exist for anything but Dogtag's internal users and cert-auth capability.

- A

----- Original Message -----
> From: "Pascal Jakobi" <pascal.jak...@gmail.com>
> To: "Alex Scheel" <asch...@redhat.com>
> Sent: Thursday, July 2, 2020 11:39:32 AM
> Subject: Re: [Pki-devel] SSO
>
> GSS support was a good idea before.
>
> Now the real solution for web SSO is OIDC, I believe.
>
> On 02/07/2020 at 17:35, Alex Scheel wrote:
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for
> > SSO though.
> >
> > My 2c,
> >
> > - Alex
> >
> > ----- Original Message -----
> >> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmolu...@redhat.com>
> >> To: "Pascal Jakobi" <pascal.jak...@gmail.com>
> >> Cc: pki-devel@redhat.com
> >> Sent: Thursday, July 2, 2020 11:18:53 AM
> >> Subject: Re: [Pki-devel] SSO
> >>
> >> Pascal,
> >>
> >> I don't think Dogtag Web UI supports it. The feature you are suggesting
> >> (sounds to me like it) requires a full-fledged IDM deployment. You can
> >> look at FreeIPA, if you are looking for MFA.
> >>
> >> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> >> to issue certs and also combines several other components to offer a
> >> full-fledged IDM deployment.
> >>
> >> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> >> thoughts.
> >>
> >> Regards,
> >> --Dinesh
> >>
> >> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jak...@gmail.com>
> >> wrote:
> >>
> >>> Dinesh
> >>>
> >>> In fact all I am doing here is in order to offer a GUI that may be used
> >>> with OpenID Connect (i.e. Keycloak or so...). The value of this is that it
> >>> is much more flexible than certificate-based authentication. You can have
> >>> MFA, etc....
> >>>
> >>> So my question: is there a way to remove the certificate-based access
> >>> control in Dogtag's UI? I would replace it with a Tomcat valve that
> >>> provides OIDC support.
> >>>
> >>> Best
> >>> --
> >>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> >>> pascal.jak...@gmail.com - +33 6 87 47 58 19
> >>>
> >> _______________________________________________
> >> Pki-devel mailing list
> >> Pki-devel@redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-devel
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
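As an added illustration of the two items Alex lists (a user model that records external authentication sources, and a lookup keyed on what the container's auth handler asserts), here is a small Python sketch. It is not Dogtag's code and not written by anyone in this thread; the source names, role names, ACL operations and sample users are all constructed, and how Dogtag's real user model and ACLs are structured is not shown on the page. The point it demonstrates is the fail-closed property such a mapping needs: an identity is only ever resolved under the source that authenticated it, so a principal string that collides across sources (the same `sub` from an unregistered issuer, say) cannot reach another user's roles.

```python
from dataclasses import dataclass, field

# Constructed names; the real Dogtag source, role and operation names are not on the page.
TRUSTED_SOURCES = {"cert", "gssapi", "oidc:https://idp.example.test"}
ACL = {
    "certs:issue": {"agents"},
    "certs:revoke": {"agents", "admins"},
    "users:modify": {"admins"},
}


@dataclass(frozen=True)
class ExternalIdentity:
    """What an auth handler in front of the application hands over: which
    mechanism authenticated the request and the principal name it asserted."""
    auth_source: str   # e.g. "cert", "gssapi", "oidc:<issuer>"
    principal: str     # cert subject DN, Kerberos principal, or OIDC 'sub'


@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset
    # The external identities this user may log in with (source-qualified).
    identities: frozenset = field(default_factory=frozenset)


class UserDirectory:
    """User store reachable only through trusted, source-qualified identities;
    the existing certificate path is modelled as just one more source."""

    def __init__(self, trusted_sources):
        self._trusted = frozenset(trusted_sources)
        self._by_identity = {}

    def add(self, user):
        # Validate every binding before committing any, so a bad entry
        # cannot leave the directory half-populated.
        for ident in user.identities:
            if ident.auth_source not in self._trusted:
                raise ValueError(f"untrusted auth source: {ident.auth_source}")
            if ident in self._by_identity:
                raise ValueError(f"identity already bound: {ident}")
        for ident in user.identities:
            self._by_identity[ident] = user

    def lookup(self, ident):
        # Fail closed: an unknown source never matches, even when the principal
        # string equals one bound under a trusted source.
        if ident.auth_source not in self._trusted:
            return None
        return self._by_identity.get(ident)


def is_allowed(directory, ident, operation):
    """ACL check on the mapped user's roles; an unmapped identity is denied."""
    user = directory.lookup(ident)
    if user is None:
        return False
    return bool(user.roles & ACL.get(operation, frozenset()))


def build_demo_directory():
    """Constructed sample directory: one agent reachable by cert or OIDC,
    one admin reachable by GSS-API."""
    d = UserDirectory(TRUSTED_SOURCES)
    d.add(User("agent1", frozenset({"agents"}), frozenset({
        ExternalIdentity("cert", "CN=agent1,O=Example"),
        ExternalIdentity("oidc:https://idp.example.test", "8f2c-agent1"),
    })))
    d.add(User("admin1", frozenset({"admins"}), frozenset({
        ExternalIdentity("gssapi", "admin1@EXAMPLE.TEST"),
    })))
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    oidc_agent = ExternalIdentity("oidc:https://idp.example.test", "8f2c-agent1")
    print("oidc agent may issue:", is_allowed(d, oidc_agent, "certs:issue"))
    stranger = ExternalIdentity("oidc:https://other.example.test", "8f2c-agent1")
    print("same sub, other issuer:", is_allowed(d, stranger, "certs:issue"))
```

The design choice worth noting is that the lookup key is the pair (source, principal), never the principal alone: a Tomcat valve for OIDC and the existing certificate handler then feed the same directory without either being able to impersonate identities established by the other.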