[Pki-devel] SSO

Fraser Tweedale ftweedal at redhat.com
Fri Jul 3 03:05:48 UTC 2020


On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> There's a proposal for GSS-API auth:
> 
> https://www.dogtagpki.org/wiki/GSS-API_authentication
> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> 
> However, it isn't implemented yet. This would probably suffice for
> SSO though.
> 
Although the design doc is called GSS-API Authentication, the
feature is actually more general than that.  If you put Dogtag
behind a web frontend (e.g. Apache), you can authenticate users via
SAML or OIDC and convey the appropriate environment variables, and
it will work.  Dogtag just sees an external principal and their
groups conveyed via AJP request attributes.

Cheers,
Fraser

> 
> 
> My 2c,
> 
> - Alex
> 
> ----- Original Message -----
> > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw at redhat.com>
> > To: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> > Cc: pki-devel at redhat.com
> > Sent: Thursday, July 2, 2020 11:18:53 AM
> > Subject: Re: [Pki-devel] SSO
> > 
> > Pascal,
> > 
> > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > (sounds to me like it) requires a full-fledged IDM deployment. You can look
> > at FreeIPA, if you are looking for MFA.
> > 
> > FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> > to issue certs and also combines several other components to offer a
> > full-fledged IDM deployment.
> > 
> > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > thoughts.
> > 
> > Regards,
> > --Dinesh
> > 
> > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi at gmail.com>
> > wrote:
> > 
> > > Dinesh
> > >
> > > In fact all I am doing here is in order to offer a GUI that may be used
> > > with OpenID Connect (i.e. Keycloak or so...). The value of this is that it is
> > > much more flexible than certificate based authentication. You can have MFA,
> > > etc....
> > >
> > > So my question: is there a way to remove the certificate based access
> > > control in Dogtag's UI? I would replace it with a Tomcat valve that
> > > provides OIDC support.
> > >
> > > Best
> > > --
> > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > pascal.jakobi at gmail.com - +33 6 87 47 58 19
> > >
> > 
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> 
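The front-end arrangement Fraser describes above, as an added example that is not from the thread or the Dogtag project: httpd authenticates the user with mod_auth_openidc and passes the identity to Dogtag over AJP. It assumes mod_auth_openidc, mod_proxy_ajp and mod_rewrite are loaded, that Dogtag's Tomcat AJP connector is bound to 127.0.0.1:8009 with tomcatAuthentication="false" and the same secret, and that the IdP URL, client id and the groups attribute name (REMOTE_USER_GROUPS) are placeholders to be checked against the design page linked above.

```apache
# Added example, not Dogtag's own configuration.  Because Dogtag trusts
# whatever principal arrives in AJP request attributes, the AJP connector
# must be reachable only from this front end (loopback address + shared
# secret); otherwise anyone who can open a socket to it can assert a user.

OIDCProviderMetadataURL https://idp.example.com/realms/pki/.well-known/openid-configuration
OIDCClientID            dogtag-ui
OIDCClientSecret        CHANGE-ME-client-secret
OIDCRedirectURI         https://pki.example.com/ca/oidc-callback
OIDCCryptoPassphrase    CHANGE-ME-passphrase
OIDCRemoteUserClaim     preferred_username
# Expose ID-token claims as OIDC_CLAIM_* environment variables.
OIDCPassClaimsAs        environment

<Location /ca>
    AuthType openid-connect
    Require valid-user

    # mod_proxy_ajp forwards REMOTE_USER as the AJP "remote_user"
    # attribute, and any environment variable named AJP_* as a request
    # attribute with the prefix stripped.  Copy the groups claim into
    # such a variable (attribute name is a placeholder; see lead-in).
    RewriteEngine On
    RewriteCond %{ENV:OIDC_CLAIM_groups} ^(.+)$
    RewriteRule .* - [E=AJP_REMOTE_USER_GROUPS:%1]

    # "secret=" needs httpd 2.4.42+ and must match the connector's secret.
    ProxyPass        ajp://127.0.0.1:8009/ca secret=CHANGE-ME-ajp-secret
    ProxyPassReverse ajp://127.0.0.1:8009/ca
</Location>
```

Verify the trust boundary after deployment: a direct request to port 8009 from another host should be refused, and a request to httpd without an OIDC session should be redirected to the IdP rather than reaching Dogtag.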
