On Fri, Jul 03, 2020 at 11:11:17AM +0200, Pascal Jakobi wrote:
I would be interested into trying this.
1/ Is there a list of the "environment variables" (I guess these are HTML
headers) that dogtag needs ? Did not find it....
2/ If I set an Apache reverse proxy, do I still need to insert an admin
certificate in the browser's wallet ?
No certificate is required.
You must use AJP protocol between Apache and pki-tomcatd. It is
recommended to set an AJP shared secret because pki-tomcatd has
absolute trust in whatever data comes over AJP.
The AJP variables to set are:
- REMOTE_USER
- REMOTE_USER_GROUP_N (number of groups)
- REMOTE_USER_GROUP_$i (for $i in 0..N)
REMOTE_USER should get set automatically by mod_proxy_ajp. For the
other variable, prepend "AJP_" when setting the Apache environment
variable, so that AJP will pick it up. See [1] for an example.
[1]
https://www.dogtagpki.org/wiki/GSS-API_authentication#Example_SSSD_and_Ap...
Now that I am paging all of this back into my head, there is a
possible challenge. For externally authenticated principals, the
set of ACLs to use for authorisation is looked up based on the
"realm" of the principal.
It would be fairly straightforward to implement another way of
conveying the realm, e.g. via an AJP variable. But the current
implementation takes the realm from the principal name (i.e. the
value of REMOTE_USER). The realm is whatever follows the '@'. So
if REMOTE_USER is an email address and everyone has the same domain,
this could work with the current code. Otherwise, we'll need to
make changes.
All that said, providing an alternative way of specifying the realm
is a small RFE with a big payoff.
HTH,
Fraser
Thanks !
P
On 03/07/2020 at 05:05, Fraser Tweedale wrote:
> On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for
> > SSO though.
> >
> Although the design doc is called GSS-API Authentication, the
> feature is actually more general than that. If you put Dogtag
> behind a web frontend (e.g. Apache), you can authenticate users via
> SAML or OIDC and convey the appropriate environment variables, and
> it will work. Dogtag just sees an external principal and their
> groups conveyed via AJP request attributes.
>
> Cheers,
> Fraser
>
> >
> > My 2c,
> >
> > - Alex
> >
> > ----- Original Message -----
> > > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw(a)redhat.com>
> > > To: "Pascal Jakobi" <pascal.jakobi(a)gmail.com>
> > > Cc: pki-devel(a)redhat.com
> > > Sent: Thursday, July 2, 2020 11:18:53 AM
> > > Subject: Re: [Pki-devel] SSO
> > >
> > > Pascal,
> > >
> > > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > > (sounds to me like it) requires a full fledged IDM deployment. You can look
> > > at FreeIPA, if you are looking for MFA.
> > >
> > > FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> > > to issue certs and also combines several other components to offer a
> > > full-fledged IDM deployment.
> > >
> > > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > > thoughts.
> > >
> > > Regards,
> > > --Dinesh
> > >
> > > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi(a)gmail.com>
> > > wrote:
> > >
> > > > Dinesh
> > > >
> > > > In fact all I am doing here is in order to offer a GUI that may be used
> > > > with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> > > > much more flexible than certificate based authentication. You can have MFA,
> > > > etc....
> > > >
> > > > So my question : is there a way to remove the certificate based access
> > > > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > > > provides OIDC support.
> > > >
> > > > Best
> > > > --
> > > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > > pascal.jakobi(a)gmail.com - +33 6 87 47 58 19
> > > >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jakobi(a)gmail.com - +33 6 87 47 58 19
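The proxy setup Fraser describes above (Apache in front of pki-tomcatd over AJP with a shared secret, the principal in REMOTE_USER and the group list in AJP_REMOTE_USER_GROUP_* variables), written out as an added example. This is not configuration from the thread, from the Dogtag wiki page linked above, or from the Dogtag project; it assumes the CA subsystem is mounted at /ca, that Tomcat's AJP connector listens on localhost:8009, that an authentication module (mod_auth_openidc, mod_auth_gssapi or similar) has already populated REMOTE_USER, and that the group variables are numbered from 1 (the convention of mod_lookup_identity's LookupUserGroupsIter; check the valve in your Dogtag version). The hostname, secret and group values are placeholders.

```apache
# Added example (not from the thread or the Dogtag wiki): Apache reverse proxy
# in front of pki-tomcatd, speaking AJP with a shared secret and passing the
# externally authenticated principal and its groups as AJP request attributes.
# Assumptions: CA subsystem at /ca, Tomcat AJP connector on localhost:8009,
# REMOTE_USER already set by the authentication module of your choice.

LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<VirtualHost *:443>
    # Placeholder hostname; TLS certificate directives omitted.
    ServerName pki.example.test
    SSLEngine on

    <Location "/ca">
        # Authentication happens here, with whatever module you deploy.
        # It must leave the principal in REMOTE_USER, and because Dogtag
        # derives the realm from whatever follows the '@' in REMOTE_USER,
        # the value should have the form user@REALM (an email-style claim
        # works when everyone shares one domain). For mod_auth_openidc:
        #   AuthType openid-connect
        #   OIDCRemoteUserClaim email
        #   Require valid-user

        # mod_proxy_ajp forwards REMOTE_USER on its own as the AJP
        # remote_user attribute. Any environment variable whose name
        # starts with AJP_ is forwarded as a request attribute with the
        # prefix stripped, so these arrive as REMOTE_USER_GROUP_N and
        # REMOTE_USER_GROUP_<i>. The values are constructed for
        # illustration; in a real deployment derive them from the identity
        # source (e.g. LookupUserGroupsIter AJP_REMOTE_USER_GROUP from
        # mod_lookup_identity) rather than hard-coding them.
        SetEnv AJP_REMOTE_USER_GROUP_N 2
        SetEnv AJP_REMOTE_USER_GROUP_1 "Certificate Manager Agents"
        SetEnv AJP_REMOTE_USER_GROUP_2 "Administrators"

        # 'secret=' makes mod_proxy_ajp send the AJP secret (httpd 2.4.42 or
        # later). Tomcat's AJP connector must carry the same value in its
        # 'secret' attribute; pki-tomcatd trusts whatever identity arrives
        # over AJP, so the secret and a localhost-only bind on port 8009 are
        # what keep other hosts from asserting an arbitrary principal.
        ProxyPass        "ajp://localhost:8009/ca" secret=CHANGE-ME-shared-secret
        ProxyPassReverse "ajp://localhost:8009/ca"
    </Location>
</VirtualHost>
```

Two things to verify on the Tomcat side before relying on this: that the AJP `<Connector>` in pki-tomcatd's server.xml has `address` bound to the loopback interface and a `secret` matching the ProxyPass value (recent Tomcat releases refuse to start an AJP connector without one unless `secretRequired="false"` is set), and that no other listener exposes the same port to the network. If the frontend cannot put the realm after an '@' in REMOTE_USER, the realm lookup Fraser describes will not find the right ACL set until the RFE for conveying the realm separately is implemented.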