Re: [Pki-devel] SSO

2020-07-02 Thread Fraser Tweedale
On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> There's a proposal for GSS-API auth:
> 
> https://www.dogtagpki.org/wiki/GSS-API_authentication
> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> 
> However, it isn't implemented yet. This would probably suffice for
> SSO though.
> 
Although the design doc is called GSS-API Authentication, the
feature is actually more general than that.  If you put Dogtag
behind a web frontend (e.g. Apache), you can authenticate users via
SAML or OIDC and convey the appropriate environment variables, and
it will work.  Dogtag just sees an external principal and their
groups conveyed via AJP request attributes.

Cheers,
Fraser

> 
> 
> My 2c,
> 
> - Alex
> 
> - Original Message -
> > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> > To: "Pascal Jakobi" 
> > Cc: pki-devel@redhat.com
> > Sent: Thursday, July 2, 2020 11:18:53 AM
> > Subject: Re: [Pki-devel] SSO
> > 
> > Pascal,
> > 
> > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > (sounds to me like it) requires a full-fledged IDM deployment. You can look
> > at FreeIPA, if you are looking for MFA.
> > 
> > FreeIPA uses Dogtag CA as its backend
> > to issue certs and also combines several other components to offer a
> > full-fledged IDM deployment.
> > 
> > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > thoughts.
> > 
> > Regards,
> > --Dinesh
> > 
> > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> > wrote:
> > 
> > > Dinesh
> > >
> > > In fact all I am doing here is in order to offer a GUI that may be used
> > > with OpenId Connect (ie Keycloak or so...). The value of this is that it
> > > is much more flexible than certificate based authentication. You can have
> > > MFA, etc
> > >
> > > So my question : is there a way to remove the certificate based access
> > > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > > provides OIDC support.
> > >
> > > Best
> > > --
> > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > pascal.jak...@gmail.com - +33 6 87 47 58 19
> > >
> > 
> 

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
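Fraser's description above (httpd in front, SAML or OIDC at the front end, the principal and its groups handed to Dogtag as AJP request attributes) in concrete form, as an added example that is not from this thread or from the Dogtag project. It assumes mod_auth_openidc, mod_proxy_ajp and mod_rewrite on the httpd side, a Keycloak-style OpenID Provider at the placeholder URL, Dogtag's CA webapp under /ca with Tomcat's AJP connector on 127.0.0.1:8009, and a "groups" claim in the ID token. The hostnames, client ID and secret are placeholders, and the GROUPS attribute name is illustrative: the thread does not say which attribute names Dogtag reads, so take those from the linked design document.

```apache
# Added example, not from the thread or the Dogtag project.
# httpd front end: the browser authenticates to the OpenID Provider via
# mod_auth_openidc; the authenticated principal and its groups are then
# handed to Tomcat/Dogtag over AJP as request attributes.
# Assumptions: hostnames, client ID/secret, the "groups" claim and the
# GROUPS attribute name are placeholders; Dogtag listens on AJP 8009.

LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so
LoadModule rewrite_module      modules/mod_rewrite.so

<VirtualHost *:443>
    ServerName pki.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/pki.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/pki.example.com.key

    # Relying-party configuration (placeholder values)
    OIDCProviderMetadataURL https://sso.example.com/auth/realms/pki/.well-known/openid-configuration
    OIDCClientID            dogtag-ui
    OIDCClientSecret        CHANGE-ME
    # Must be a URL under a location protected by mod_auth_openidc
    OIDCRedirectURI         https://pki.example.com/ca/redirect_uri
    OIDCCryptoPassphrase    CHANGE-ME-TOO
    OIDCScope               "openid profile"
    # Which claim becomes REMOTE_USER; all claims are also exported to
    # the request environment as OIDC_CLAIM_<name> variables.
    OIDCRemoteUserClaim     preferred_username
    OIDCPassClaimsAs        environment

    <Location /ca>
        AuthType openid-connect
        Require  valid-user

        # mod_proxy_ajp sends REMOTE_USER in the AJP request header and
        # forwards every environment variable named AJP_* to Tomcat as
        # an AJP request attribute with the prefix removed. Copy the
        # groups claim into AJP_GROUPS so Dogtag sees attribute GROUPS.
        RewriteEngine On
        RewriteRule ^ - [E=AJP_GROUPS:%{ENV:OIDC_CLAIM_groups}]

        ProxyPass        ajp://127.0.0.1:8009/ca
        ProxyPassReverse ajp://127.0.0.1:8009/ca
    </Location>
</VirtualHost>
```

On the Tomcat side the AJP connector has to be told to trust the identity the proxy asserts: tomcatAuthentication="false" on the AJP Connector in server.xml makes Tomcat take the user from the AJP remote_user field, and current Tomcat releases require an AJP secret by default (secretRequired/secret) and reject requests that carry arbitrary attributes such as GROUPS unless allowedRequestAttributesPattern matches them. That trust relationship is the security boundary of the whole design: anything that can open an AJP connection to port 8009 can assert any principal and any group list, so the connector must listen only on loopback (or a proxy-only network), the secret should be set on both ends, and httpd must be the only path to the webapp. A quick check is `ss -ltn | grep 8009`, which should show the listener bound to 127.0.0.1 and not to a public address.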



Re: [Pki-devel] SSO

2020-07-02 Thread Alex Scheel
Sure, but what you'd have to do is similar in both cases:

 - Extend Dogtag's user model to include external authentication sources,
 - Allow Dogtag to lookup users based on Tomcat's auth handler.

In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL
model, that doesn't currently exist for anything but Dogtag's internal users
and cert-auth capability.

- A

- Original Message -
> From: "Pascal Jakobi" 
> To: "Alex Scheel" 
> Sent: Thursday, July 2, 2020 11:39:32 AM
> Subject: Re: [Pki-devel] SSO
> 
> GSS support was a good idea before.
> 
> Now the real solution for web SSO is OIDC, I believe.
> 
> Le 02/07/2020 à 17:35, Alex Scheel a écrit :
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for
> > SSO though.
> >
> >
> >
> > My 2c,
> >
> > - Alex
> >
> > - Original Message -
> >> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> >> To: "Pascal Jakobi" 
> >> Cc: pki-devel@redhat.com
> >> Sent: Thursday, July 2, 2020 11:18:53 AM
> >> Subject: Re: [Pki-devel] SSO
> >>
> >> Pascal,
> >>
> >> I don't think Dogtag Web UI supports it. The feature you are suggesting
> >> (sounds to me like it) requires a full-fledged IDM deployment. You can
> >> look
> >> at FreeIPA, if you are looking for MFA.
> >>
> >> FreeIPA uses Dogtag CA as its backend
> >> to issue certs and also combines several other components to offer a
> >> full-fledged IDM deployment.
> >>
> >> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> >> thoughts.
> >>
> >> Regards,
> >> --Dinesh
> >>
> >> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> >> wrote:
> >>
> >>> Dinesh
> >>>
> >>> In fact all I am doing here is in order to offer a GUI that may be used
> >>> with OpenId Connect (ie Keycloak or so...). The value of this is that it
> >>> is much more flexible than certificate based authentication. You can have
> >>> MFA, etc
> >>>
> >>> So my question : is there a way to remove the certificate based access
> >>> control in Dogtag's UI ? I would replace it with a tomcat valve that
> >>> provides OIDC support.
> >>>
> >>> Best
> >>> --
> >>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> >>> pascal.jak...@gmail.com - +33 6 87 47 58 19
> >>>
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
> 


Re: [Pki-devel] SSO

2020-07-02 Thread Pascal Jakobi

No, it does not require IPA.

It does require something such as Keycloak or equivalent (an OpenID Connect
Provider).


Generally those OPs provide features such as MFA or Identity Federation.

And there are valves that provide OIDC support on the application side.

Best

P

Le 02/07/2020 à 17:18, Dinesh Prasanth Moluguwan Krishnamoorthy a écrit :

Pascal,

I don't think Dogtag Web UI supports it. The feature you are
suggesting (sounds to me like it) requires a full-fledged IDM
deployment. You can look at FreeIPA, if you are looking for MFA.


FreeIPA uses Dogtag CA as its
backend to issue certs and also combines several other components to
offer a full-fledged IDM deployment.


Nonetheless, I'm CC'ing pki-devel to see if other developers have any 
thoughts.


Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi wrote:


Dinesh

In fact all I am doing here is in order to offer a GUI that may be
used with OpenId Connect (ie Keycloak or so...). The value of this
is that it is much more flexible than certificate based
authentication. You can have MFA, etc

So my question : is there a way to remove the certificate based
access control in Dogtag's UI ? I would replace it with a tomcat
valve that provides OIDC support.

Best

-- 
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France

pascal.jak...@gmail.com - +33 6 87 47 58 19


--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19

Re: [Pki-devel] SSO

2020-07-02 Thread Alex Scheel
There's a proposal for GSS-API auth:

https://www.dogtagpki.org/wiki/GSS-API_authentication
https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

However, it isn't implemented yet. This would probably suffice for
SSO though.



My 2c,

- Alex

- Original Message -
> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> To: "Pascal Jakobi" 
> Cc: pki-devel@redhat.com
> Sent: Thursday, July 2, 2020 11:18:53 AM
> Subject: Re: [Pki-devel] SSO
> 
> Pascal,
> 
> I don't think Dogtag Web UI supports it. The feature you are suggesting
> (sounds to me like it) requires a full-fledged IDM deployment. You can look
> at FreeIPA, if you are looking for MFA.
> 
> FreeIPA uses Dogtag CA as its backend
> to issue certs and also combines several other components to offer a
> full-fledged IDM deployment.
> 
> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> thoughts.
> 
> Regards,
> --Dinesh
> 
> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> wrote:
> 
> > Dinesh
> >
> > In fact all I am doing here is in order to offer a GUI that may be used
> > with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> > much more flexible than certificate based authentication. You can have MFA,
> > etc
> >
> > So my question : is there a way to remove the certificate based access
> > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > provides OIDC support.
> >
> > Best
> > --
> > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > pascal.jak...@gmail.com - +33 6 87 47 58 19
> >
> 




Re: [Pki-devel] SSO

2020-07-02 Thread Dinesh Prasanth Moluguwan Krishnamoorthy
Pascal,

I don't think Dogtag Web UI supports it. The feature you are suggesting
(sounds to me like it) requires a full-fledged IDM deployment. You can look
at FreeIPA, if you are looking for MFA.

FreeIPA uses Dogtag CA as its backend
to issue certs and also combines several other components to offer a
full-fledged IDM deployment.

Nonetheless, I'm CC'ing pki-devel to see if other developers have any
thoughts.

Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
wrote:

> Dinesh
>
> In fact all I am doing here is in order to offer a GUI that may be used
> with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> much more flexible than certificate based authentication. You can have MFA,
> etc
>
> So my question : is there a way to remove the certificate based access
> control in Dogtag's UI ? I would replace it with a tomcat valve that
> provides OIDC support.
>
> Best
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
>

[Pki-devel] [CRON] Errored: dogtagpki/pki-nightly-test#764 (master - 2a95153)

2020-07-02 Thread Travis CI
Build Update for dogtagpki/pki-nightly-test
-

Build: #764
Status: Errored

Duration: 15 mins and 46 secs
Commit: 2a95153 (master)
Author: Dinesh Prasanth M K
Message: Remove EOL F29 from matrix and add support for v10.8 branch

Signed-off-by: Dinesh Prasanth M K 

View the changeset: 
https://github.com/dogtagpki/pki-nightly-test/compare/1cec22733aad03cad1e589a08281f4a2db79ec90...2a95153102234446e6beb5d4074ae6eebd760fb3

View the full build log and details: 
https://travis-ci.org/github/dogtagpki/pki-nightly-test/builds/704323648?utm_medium=notification_source=email


