[Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?
Adam Young
ayoung at redhat.com
Fri Jul 29 14:07:46 UTC 2011
In order to authenticate through the firewall you have to allow kinit
and kerberos web traffic through, which means opening port 88. If you
are unwilling to do that, you need to come up with an authentication
solution that will pass through firewalls, which means either basic
auth, digest, or certificates. IPA has an embeded CA in it (Dogtag) but
does not yet manage user certificates.
http://pki.fedoraproject.org/wiki/PKI_Main_Page
The approaches for web only single sign on (OpenID, OAuth, SAML and so
forth) still require the initial authentication. Since IPA doesn't
currently have a solution for that piece, we do not yet support one of
hte HTTP SSO mechanisms, but it is under discussion.
On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
> Thank you for your quick reply Rob,
>
> I'll try it.
>
> On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
> Rapid Noreapeat wrote:
>
> Is it possible to integrate my web applications like portal
> website,
> helpdesk website, and other web apps login using FreeIPA's login
> accounts (SSO) like CAS?
>
>
> It depends. The FreeIPA SSO is Kerberos-based so you'd need to
> provide access to your KDC for this to work. If we're talking
> external portal then you may not want to expose your KDC.
>
> It also requires some configuration. Your browser has to be
> configured to do Negotiate auth against a given domain. It will
> also need to trust the IPA CA (and since CAS seems at least
> partially SSL-based you already handle this).
>
> I don't know much about CAS other than what I just read on their
> web site but it looks like they handle redirecting when you aren't
> authenticated, seemingly allowing a nice way to mix protected and
> unprotected data. I think you'd have to do much of this
> configuration yourself in Apache. Probably not a huge amount of
> work though.
>
> So it is basically whatever mod_auth_kerb provides.
>
> rob
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110729/13918030/attachment.htm>
More information about the Freeipa-users
mailing list