[katello-devel] Design of SSO

Marek Hulan mhulan at redhat.com
Mon Mar 4 09:17:25 UTC 2013


Hi

Answers below in the text.

> Why not store the whole OpenID URL instead of just the username in the
> cookie? It looks more consistent to me. For security reasons, both
> applications would need to check that the URL is in the expected format.
I thought of the login as the primary user identifier across all related systems. We 
can later use Kerberos as the SSO auth backend, so we'd need a mapping of login to 
Kerberos principal etc. The SSO identifier is just for RP <-> SSO authentication.

> For security reasons, application <-> SSO must be https with server
> certificate check (both ends).
Yes, that's for sure; I forgot to mention it on the wiki. I'll add it. The reason 
(maybe not the only one) is that a Diffie-Hellman exchange is subject to MITM 
attacks. Also, user <-> SSO must be protected by https (the user sends a password).

> Don't we want to condition SSO usage on LDAP? Then there is no need to
> ask Katello for authentication. Also, migration could be easier: you
> can use Foreman as a standalone application with LDAP and then add Katello
> without any pain of migrating user accounts.
I thought there are possible setups where a customer has users in the Katello 
internal DB without LDAP and also uses Foreman. Would they be forced to 
migrate to LDAP in order to use SSO then? Katello seemed to me the natural 
choice because it's already the primary source of users for Katello and Foreman. 
There can be Foreman-only users, but they have no access to Katello then; 
however, all Katello users have access to Foreman, right? By forcing an LDAP user 
database, SSO could be used even without Katello by other services; however, we 
would also duplicate logic which is already in Katello (and will stay 
there as a fallback).

Thank you for the questions and comments.

Marek

> 
> LZ
> 
> On Fri, Mar 01, 2013 at 02:55:19PM +0100, Marek Hulan wrote:
> > Hi all,
> > 
> > As a part of a US I work on this iteration, I created a design wiki page [1]
> > for the SSO discussed recently. Please take a look and ping me if you have
> > any comments or questions.
> > 
> > [1] https://fedorahosted.org/katello/wiki/SingleSignOn
-- 
Marek
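The format check LZ asks for above, written out as an added example (not code from the thread or the Katello project): a relying party such as Foreman or Katello must accept an SSO identifier only if it is exactly the shape the trusted SSO issues. The SSO host name and the `https://<sso-host>/id/<login>` path layout are assumptions made for illustration.

```python
"""Validate an OpenID-style SSO identifier (or a bare login) before trusting it.

Added example, not part of the Katello SSO design. The host name and the
/id/<login> path layout are assumptions for illustration only.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical relying-party configuration: the one SSO host we trust.
SSO_HOST = "sso.example.com"

# Logins: start alphanumeric, then a bounded set of safe characters.
LOGIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Identifier path: exactly one segment after /id/, no trailing parts.
PATH_RE = re.compile(r"^/id/([^/]+)$")


def is_valid_login(login: str) -> bool:
    """Format check for the plain-login variant of the cookie."""
    return LOGIN_RE.fullmatch(login) is not None


def login_from_identifier(identifier: str, sso_host: str = SSO_HOST) -> Optional[str]:
    """Return the login carried by an identifier URL, or None if the URL is
    not exactly what the trusted SSO would issue.

    Rejects: non-https schemes, any host other than the configured SSO host
    (including look-alike hosts, userinfo tricks and explicit ports), query
    strings, fragments, extra path segments and malformed logins.
    """
    parts = urlsplit(identifier)
    if parts.scheme != "https":
        return None
    # netloc is compared whole, so "user@host", "host:443" and
    # "host.evil.test" all fail instead of being normalised away.
    if parts.netloc.lower() != sso_host.lower():
        return None
    if parts.query or parts.fragment:
        return None
    match = PATH_RE.fullmatch(parts.path)
    if match is None:
        return None
    login = match.group(1)
    return login if is_valid_login(login) else None
```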