[katello-devel] Design of SSO - screencast
Marek Hulan
mhulan at redhat.com
Mon Mar 11 08:01:05 UTC 2013
Hi,
sending answers in the text below
On Sunday 10 of March 2013 09:13:04 you wrote:
> ----- Original Message -----
>
> | Hey all
> |
> | I just finished a short screencast about SSO design spike I worked on
> | recently.
> | You can find on youtube http://www.youtube.com/watch?v=4Ov771INMns
> |
> | Comments or questions are welcome
>
> Looking good, a few questions
>
> 1. why are we authenticating to Katello? is this planned to be extracted
> back to the SSO app?
Because it's currently the authoritative source of users and it knows whether to
use LDAP or its internal DB. However, one of the first things planned is to teach
the SSO app to communicate directly with LDAP.
> 2. how are we validating the cookie, is it short
> lived?
There is no validation of the cookie and it should not be required. The cookie does
not contain any important information; it's just a shortcut for future logins
to avoid some redirects. Currently the cookie lives for 10 hours, but this is easy
to make configurable.
> 3. how do i force idle timeout? should we still do it in katello/foreman?
Yes, I don't see any easy way we could implement this on the SSO side.
Katello/Foreman must trigger the SSO logout, which then redirects to the
Katello/Foreman logout action so you log out from both SSO and your app.
> 4. would we support multiple backends? e.g. foreman now has the notion of
> authenticating against multiple auth sources (e.g. ldap / internal / ad) at
> the same time.
Since it's a lightweight application, it should not be hard to add new backends.
Currently it supports only one, Katello, but the plan is to add more of them.
> 5. do you provide user details (e.g. an ldap query can return
> additional user attributes such as email), or only authentication true /
> false? Foreman relies on such details (e.g. first name, last name, email
> etc) for auto-creating the users in the database on their first login.
This is an auth-only system, so only true/false. However, OpenID, which we use, has a
mechanism (SREG [1]) to share some information about the user. It's not
implemented yet in our OpenID provider, but it can be implemented if needed.
Let me know if you have further questions.
Thank you
[1] http://openid.net/specs/openid-simple-registration-extension-1_0.html
--
Marek