[Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

Adam Young ayoung at redhat.com
Fri Jul 29 14:07:46 UTC 2011


In order to authenticate through the firewall you have to allow kinit 
and kerberos web traffic through, which means opening port 88.  If you 
are unwilling to do that, you need to come up with an authentication 
solution that will pass through firewalls, which means either basic 
auth, digest, or certificates.  IPA has an embedded CA in it (Dogtag) but 
does not yet manage user certificates.

http://pki.fedoraproject.org/wiki/PKI_Main_Page

The approaches for web only single sign on (OpenID, OAuth, SAML and so 
forth) still require the initial authentication.  Since IPA doesn't 
currently have a solution for that piece, we do not yet support one of 
the HTTP SSO mechanisms, but it is under discussion.


On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
> Thank you for your quick reply Rob,
>
> I'll try it.
>
> On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden <rcritten at redhat.com 
> <mailto:rcritten at redhat.com>> wrote:
>
>     Rapid Noreapeat wrote:
>
>         Is it possible to integrate my web applications like portal
>         website,
>         helpdesk website, and other web apps login using FreeIPA's login
>         accounts (SSO) like CAS?
>
>
>     It depends. The FreeIPA SSO is Kerberos-based so you'd need to
>     provide access to your KDC for this to work. If we're talking
>     external portal then you may not want to expose your KDC.
>
>     It also requires some configuration. Your browser has to be
>     configured to do Negotiate auth against a given domain.  It will
>     also need to trust the IPA CA (and since CAS seems at least
>     partially SSL-based you already handle this).
>
>     I don't know much about CAS other than what I just read on their
>     web site but it looks like they handle redirecting when you aren't
>     authenticated, seemingly allowing a nice way to mix protected and
>     unprotected data. I think you'd have to do much of this
>     configuration yourself in Apache. Probably not a huge amount of
>     work though.
>
>     So it is basically whatever mod_auth_kerb provides.
>
>     rob
>
>
>
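As an added illustration of the Apache-side setup Rob describes (mod_auth_kerb doing Negotiate auth against the IPA realm), here is a minimal virtual host fragment. It is not from the original thread and not FreeIPA project code; the realm EXAMPLE.COM, the host name portal.example.com, the certificate paths and the keytab path are assumed placeholders.

```apache
# Added example, not from the thread. Assumptions (placeholders):
#   - IPA realm EXAMPLE.COM, web host portal.example.com
#   - a service principal HTTP/portal.example.com exists in IPA and its
#     keytab has been fetched to /etc/httpd/conf/http.keytab
#   - the server certificate chains to the IPA CA, which browsers trust
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.example.com.key

    <Location /portal>
        AuthType Kerberos
        AuthName "Kerberos Login"
        # SPNEGO/Negotiate: the browser presents a ticket it obtained from
        # the KDC, so the client must be able to reach the KDC (port 88)
        KrbMethodNegotiate on
        # No password fallback: without this, a client that cannot reach
        # the KDC would be prompted for its Kerberos password over Basic auth
        KrbMethodK5Passwd off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbSaveCredentials off
        Require valid-user
    </Location>
</VirtualHost>
```

The service principal is created with `ipa service-add HTTP/portal.example.com` and its keytab retrieved on the web host with `ipa-getkeytab -s <ipa-server> -p HTTP/portal.example.com -k /etc/httpd/conf/http.keytab` (server name is a placeholder). On the browser side, as Rob notes, Negotiate must be enabled for the domain; in Firefox that is the `network.negotiate-auth.trusted-uris` preference. If the application also needs to serve unauthenticated pages, keep the `<Location>` scope narrow rather than protecting the whole virtual host.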
