[katello-devel] Design of SSO - screencast

Marek Hulan mhulan at redhat.com
Mon Mar 11 08:01:05 UTC 2013 

Hi,

sending answers in text below

On Sunday 10 of March 2013 09:13:04 you wrote:
> ----- Original Message -----
> 
> | Hey all
> | 
> | I just finished a short screencast about SSO design spike I worked on
> | recently.
> | You can find on youtube http://www.youtube.com/watch?v=4Ov771INMns
> | 
> | Comments or questions are welcome
> 
> Looking good, a few questions
> 
> 1. why are we authenticating to Katello? is this planned to be extracted
> back to the SSO app? 
Because it's currently authoritative source of users and it knows whether to 
use LDAP or it's internal DB. However one of a first thing planned is to learn 
SSO app to communicate directly to LDAP.

> 2. how are we validating the cookie, is it short
> lived?
There is no validation of cookie and it should not be required. Cookie does 
not contain any important information, it's just a shortcut for future login 
to avoid some redirect. Currently cookie lives for 10 hours but this is easy 
to make it configurable.

> 3. how do i force idle timeout? should we still do it in katello/foreman?
Yes, I don't see any easy way we could implement this on SSO side. 
Katello/Foreman must trigger SSO logout which then redirects to 
Katello/Foreman logout action so you logout from SSO and your app.

> 4. would we support multiple backends? e.g. foreman now has the notion of
> authenticating against multiple auth sources (e.g. ldap / internal / ad) at
> the same time. 
Since it's lightweight application it should not be hard to add new backends. 
Currently it supports only one - Katello, but it's a plan to add more of them.

> 5. do you provide user details (e.g. ldap query can return
> additional user attributes such as email), or only authentication true /
> false? Foreman relay on such details (e.g. first name, last name, email
> etc) for auto creating the users in the database for their first login.
This is auth only system so only true/false. However OpenID which we use has a 
mechanism (SREG [1]) to share some information about user. It's not 
implemented yet in our OpenID provider but it can be implemented if needed.

Let me know if you have further questions. 
Thank you

[1] http://openid.net/specs/openid-simple-registration-extension-1_0.html

--
Marek

More information about the katello-devel mailing list