Sure, but what you'd have to do is similar in both cases:
- Extend Dogtag's user model to include external authentication sources,
- Allow Dogtag to lookup users based on Tomcat's auth handler.
In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL
model, that doesn't currently exist for anything but Dogtag's internal users
and cert-auth capability.
- A
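The mapping layer described above, as an added illustration that is not Dogtag's code: an externally authenticated principal, either a realm-qualified Kerberos name from GSS-API or the issuer and subject claims of an already-validated OIDC ID token, is resolved to an internal user record that carries the groups an ACL check evaluates, and any identity without a mapping is denied. The user store, mapping tables, issuer URL, group names and function names are all constructed for the example and stand in for whatever a real deployment would use.

```python
"""Illustrative identity-mapping layer (constructed example, not Dogtag code).

Resolves an external principal (GSS-API/Kerberos or OIDC) to an internal
user record whose groups an ACL engine can evaluate. Unmapped identities
resolve to None, and authorize() treats None as a denial.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InternalUser:
    uid: str
    groups: frozenset


# Constructed sample internal user store (hypothetical; stands in for the
# real user database of the PKI system).
USER_STORE = {
    "caadmin": InternalUser("caadmin", frozenset({"Administrators"})),
    "agent1": InternalUser("agent1", frozenset({"Certificate Manager Agents"})),
}

# Hypothetical mapping tables from external identity to internal uid.
# Kerberos keys are realm-qualified; OIDC keys are (issuer, subject) so that
# a subject value from an unknown issuer can never match an internal user.
KERBEROS_MAP = {
    "caadmin@EXAMPLE.COM": "caadmin",
    "agent1@EXAMPLE.COM": "agent1",
}
OIDC_MAP = {
    ("https://idp.example.com/realms/pki", "2f1c0a"): "caadmin",
}
TRUSTED_ISSUERS = {"https://idp.example.com/realms/pki"}


def map_kerberos(principal: str) -> Optional[InternalUser]:
    """Map a GSS-API principal ("user@REALM") to an internal user, or None."""
    if "@" not in principal:
        # Refuse unqualified names: the realm is part of the identity.
        return None
    uid = KERBEROS_MAP.get(principal)
    return USER_STORE.get(uid) if uid else None


def map_oidc(claims: dict) -> Optional[InternalUser]:
    """Map validated ID-token claims to an internal user, or None.

    Assumes the token signature, expiry and audience were already verified
    by the authentication layer (e.g. a Tomcat valve). This function only
    does the identity mapping and keys on (iss, sub), never on a display
    name such as preferred_username, which the user can often choose.
    """
    iss = claims.get("iss")
    sub = claims.get("sub")
    if iss not in TRUSTED_ISSUERS or not sub:
        return None
    uid = OIDC_MAP.get((iss, sub))
    return USER_STORE.get(uid) if uid else None


def authorize(user: Optional[InternalUser], required_group: str) -> bool:
    """ACL check: unmapped identities are denied; mapped ones need the group."""
    return user is not None and required_group in user.groups


if __name__ == "__main__":
    # Constructed sample principals to exercise both mapping paths.
    krb_user = map_kerberos("agent1@EXAMPLE.COM")
    oidc_user = map_oidc({"iss": "https://idp.example.com/realms/pki", "sub": "2f1c0a"})
    print("agent1 may act as agent:", authorize(krb_user, "Certificate Manager Agents"))
    print("agent1 may act as admin:", authorize(krb_user, "Administrators"))
    print("OIDC subject 2f1c0a is admin:", authorize(oidc_user, "Administrators"))
    print("unknown issuer denied:", authorize(map_oidc({"iss": "https://other.example.net", "sub": "2f1c0a"}), "Administrators"))
```

The point of keying the OIDC table on (issuer, subject) rather than on an e-mail or username claim is that the mapping, not the identity provider, decides which internal user and which ACL groups a login gets; the same discipline applies to the GSS-API path, where the realm-qualified principal is the key.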
----- Original Message -----
From: "Pascal Jakobi" <pascal.jakobi(a)gmail.com>
To: "Alex Scheel" <ascheel(a)redhat.com>
Sent: Thursday, July 2, 2020 11:39:32 AM
Subject: Re: [Pki-devel] SSO
GSS support was a good idea before.
Now the real solution for web SSO is OIDC, I believe.
On 02/07/2020 at 17:35, Alex Scheel wrote:
> There's a proposal for GSS-API auth:
>
> https://www.dogtagpki.org/wiki/GSS-API_authentication
>
> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>
> However, it isn't implemented yet. This would probably suffice for
> SSO though.
>
>
>
> My 2c,
>
> - Alex
>
> ----- Original Message -----
>> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw(a)redhat.com>
>> To: "Pascal Jakobi" <pascal.jakobi(a)gmail.com>
>> Cc: pki-devel(a)redhat.com
>> Sent: Thursday, July 2, 2020 11:18:53 AM
>> Subject: Re: [Pki-devel] SSO
>>
>> Pascal,
>>
>> I don't think Dogtag Web UI supports it. The feature you are suggesting
>> (sounds to me like it) requires a full fledged IDM deployment. You can
>> look
>> at FreeIPA, if you are looking for MFA.
>>
>> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
>> to issue certs and also combines several other components to offer a
>> full-fledged IDM deployment.
>>
>> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
>> thoughts.
>>
>> Regards,
>> --Dinesh
>>
>> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi(a)gmail.com>
>> wrote:
>>
>>> Dinesh
>>>
>>> In fact all I am doing here is in order to offer a GUI that may be used
>>> with OpenId Connect (ie Keycloak or so...). The value of this is that it
>>> is
>>> much more flexible than certificate based authentication. You can have
>>> MFA,
>>> etc....
>>>
>>> So my question : is there a way to remove the certificate based access
>>> control in Dogtag's UI ? I would replace it with a tomcat valve that
>>> provides OIDC support.
>>>
>>> Best
>>> --
>>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
>>> pascal.jakobi(a)gmail.com - +33 6 87 47 58 19
>>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jakobi(a)gmail.com - +33 6 87 47 58 19