Pki-devel July 2020

devel@lists.dogtagpki.org

5 participants
33 discussions

by Dinesh Prasanth Moluguwan Krishnamoorthy

Pascal, I don't think Dogtag Web UI supports it. The feature you are suggesting (sounds to me like it) requires a full fledged IDM deployment. You can look at FreeIPA, if you are looking for MFA. FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend to issue certs and also combines several other components to offer a full-fledged IDM deployment. Nonetheless, I'm CC'ing pki-devel to see if other developers have any thoughts. Regards, --Dinesh On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi(a)gmail.com> wrote: > Dinesh > > In fact all I am doing here is in order to offer a GUI that may be used > with OpenId Connect (ie Keycloak or so...). The value of this is that it is > much more flexible than certificate based authentication. You can have MFA, > etc.... > > So my question : is there a way to remove the certificate based access > control in Dogtag's UI ? I would replace it with a tomcat valve that > provides OIDC support. > > Best > -- > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France > pascal.jakobi(a)gmail.com - +33 6 87 47 58 19 >

3 years, 9 months

4
5
0 / 0

Re: [Pki-devel] SSO

by Alex Scheel

Sure, but what you'd have to do is similar in both cases: - Extend Dogtag's user model to include external authentication sources, - Allow Dogtag to lookup users based on Tomcat's auth handler. In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL model, that doesn't currently exist for anything but Dogtag's internal users and cert-auth capability. - A ----- Original Message ----- > From: "Pascal Jakobi" <pascal.jakobi(a)gmail.com> > To: "Alex Scheel" <ascheel(a)redhat.com> > Sent: Thursday, July 2, 2020 11:39:32 AM > Subject: Re: [Pki-devel] SSO > > GSS support was a good idea before. > > Now the real solution for web SSO is OIDC, I believe. > > Le 02/07/2020 à 17:35, Alex Scheel a écrit : > > There's a proposal for GSS-API auth: > > > > https://www.dogtagpki.org/wiki/GSS-API_authentication > > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication > > > > However, it isn't implemented yet. This would probably suffice for > > SSO though. > > > > > > > > My 2c, > > > > - Alex > > > > ----- Original Message ----- > >> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw(a)redhat.com> > >> To: "Pascal Jakobi" <pascal.jakobi(a)gmail.com> > >> Cc: pki-devel(a)redhat.com > >> Sent: Thursday, July 2, 2020 11:18:53 AM > >> Subject: Re: [Pki-devel] SSO > >> > >> Pascal, > >> > >> I don't think Dogtag Web UI supports it. The feature you are suggesting > >> (sounds to me like it) requires a full fledged IDM deployment. You can > >> look > >> at FreeIPA, if you are looking for MFA. > >> > >> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend > >> to issue certs and also combines several other components to offer a > >> full-fledged IDM deployment. > >> > >> Nonetheless, I'm CC'ing pki-devel to see if other developers have any > >> thoughts. > >> > >> Regards, > >> --Dinesh > >> > >> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi(a)gmail.com> > >> wrote: > >> > >>> Dinesh > >>> > >>> In fact all I am doing here is in order to offer a GUI that may be used > >>> with OpenId Connect (ie Keycloak or so...). The value of this is that it > >>> is > >>> much more flexible than certificate based authentication. You can have > >>> MFA, > >>> etc.... > >>> > >>> So my question : is there a way to remove the certificate based access > >>> control in Dogtag's UI ? I would replace it with a tomcat valve that > >>> provides OIDC support. > >>> > >>> Best > >>> -- > >>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France > >>> pascal.jakobi(a)gmail.com - +33 6 87 47 58 19 > >>> > >> _______________________________________________ > >> Pki-devel mailing list > >> Pki-devel(a)redhat.com > >> https://www.redhat.com/mailman/listinfo/pki-devel > -- > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France > pascal.jakobi(a)gmail.com - +33 6 87 47 58 19 >

3 years, 9 months

1
0
0 / 0

[CRON] Errored: dogtagpki/pki-nightly-test#764 (master - 2a95153)

by Travis CI

Build Update for dogtagpki/pki-nightly-test ------------------------------------- Build: #764 Status: Errored Duration: 15 mins and 46 secs Commit: 2a95153 (master) Author: Dinesh Prasanth M K Message: Remove EOL F29 from matrix and add support for v10.8 branch Signed-off-by: Dinesh Prasanth M K <dmoluguw(a)redhat.com> View the changeset: https://github.com/dogtagpki/pki-nightly-test/compare/1cec22733aad03cad1e... View the full build log and details: https://travis-ci.org/github/dogtagpki/pki-nightly-test/builds/704323648?... -- You can unsubscribe from build emails from the dogtagpki/pki-nightly-test repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=20325727.... Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notifica.... Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.

3 years, 9 months

1
0
0 / 0

← Newer
1
2
3
4
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel July 2020