[katello-devel] Design of SSO

Tom McKay thomasmckay at redhat.com
Mon Mar 4 13:17:52 UTC 2013



----- Original Message -----
> From: "Marek Hulan" <mhulan at redhat.com>
> To: katello-devel at redhat.com
> Sent: Monday, March 4, 2013 4:17:25 AM
> Subject: Re: [katello-devel] Design of SSO
> 
> Hi
> 
> answers below in text
> 
> > Why not store the whole OpenID URL instead of just the username in the
> > cookie? It looks more consistent to me. For security reasons, both
> > applications would need to check whether the URL is in the expected
> > format.
> I thought of login as the primary user identifier across all related
> systems. We can later use Kerberos as the SSO auth backend, so we'd need a
> mapping of login to Kerberos principal etc. The SSO identifier is just for
> RP <-> SSO authentication.
> 
> > For security reasons, application<->SSO must be https with server
> > certificate check (both ends).
> Yes, that's for sure, I forgot to mention it on the Wiki. I'll add it. The
> reason (maybe not the only one) is that the Diffie-Hellman exchange is
> subject to MITM attacks. Also user <-> SSO must be protected by https
> (the user sends a password).
> 
> > Don't we want to condition SSO usage on LDAP? Then there is no need to
> > ask Katello for authentication. Also migration could be easier - you
> > can use Foreman as a standalone application with LDAP and then add
> > Katello without any pain of migrating user accounts.
> I thought there are possible setups where a customer has users in the
> Katello internal DB without LDAP and also uses Foreman. Would they be
> forced to migrate to LDAP in order to use SSO then? Katello seemed to me
> the natural choice because it's already the primary source of users for
> Katello and Foreman. There can exist Foreman-only users, but they have no
> access to Katello then; however, all Katello users have access to Foreman,
> right? By forcing an LDAP user database, SSO could be used even without
> Katello by other services; however, we would also duplicate logic which is
> already in Katello (and will stay there as a fallback).

I think LDAP has to be an available option from the very start, even if it's a requirement that you can't mix-and-match (i.e. both or neither must use LDAP).

> 
> Thank you for questions and comments.
> 
> Marek
> 
> > 
> > LZ
> > 
> > On Fri, Mar 01, 2013 at 02:55:19PM +0100, Marek Hulan wrote:
> > > Hi all
> > > 
> > > As a part of the US I work on this iteration, I created a design wiki
> > > page [1] for the SSO discussed recently. Please take a look and ping me
> > > if you have any comments or questions.
> > > 
> > > [1] https://fedorahosted.org/katello/wiki/SingleSignOn
> --
> Marek
> 
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel
> 

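The format check LZ asks for above, if the whole OpenID-style identifier URL is stored in the cookie, as an added Ruby example (both applications are Rails apps); this is not code from the thread or from Katello/Foreman, and the SSO host, the `/id/<login>` path layout and the helper name are assumptions:

```ruby
require 'uri'

# Assumed configuration: the single SSO endpoint both RPs trust, and the
# shape of identifier URLs it issues (https://sso.example.com/id/<login>).
SSO_HOST        = 'sso.example.com'
SSO_PATH_PREFIX = '/id/'
# Logins the internal DB would accept; rejects path tricks like "../admin".
LOGIN_RE = /\A[a-z0-9][a-z0-9._-]{0,63}\z/

# Hypothetical helper: returns the login carried by a well-formed SSO
# identifier URL, or nil when the cookie value must not be trusted.
# Katello and Foreman would both run this before using the cookie; it does
# not replace the https + certificate checks on the RP <-> SSO channel.
def sso_login_from_identifier(raw)
  return nil if raw.nil? || raw.bytesize > 512
  uri = URI.parse(raw) rescue nil            # unparseable -> untrusted
  return nil unless uri.is_a?(URI::HTTPS)    # plain http is rejected
  return nil unless uri.host.to_s.downcase == SSO_HOST && uri.port == 443
  # No userinfo (user@host confusion), query or fragment in an identifier.
  return nil unless uri.userinfo.nil? && uri.query.nil? && uri.fragment.nil?
  return nil unless uri.path.start_with?(SSO_PATH_PREFIX)
  login = uri.path[SSO_PATH_PREFIX.length..-1]
  return nil unless login =~ LOGIN_RE
  login
end
```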