[Pki-devel] SSO

Alex Scheel ascheel at redhat.com
Thu Jul 2 16:01:39 UTC 2020


Sure, but what you'd have to do is similar in both cases:

 - Extend Dogtag's user model to include external authentication sources,
 - Allow Dogtag to look up users based on Tomcat's auth handler.

In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL
model, which doesn't currently exist for anything but Dogtag's internal users
and cert-auth capability.

- A

----- Original Message -----
> From: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> To: "Alex Scheel" <ascheel at redhat.com>
> Sent: Thursday, July 2, 2020 11:39:32 AM
> Subject: Re: [Pki-devel] SSO
> 
> GSS support was a good idea before.
> 
> Now the real solution for web SSO is OIDC, I believe.
> 
> On 02/07/2020 at 17:35, Alex Scheel wrote:
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for
> > SSO though.
> >
> >
> >
> > My 2c,
> >
> > - Alex
> >
> > ----- Original Message -----
> >> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw at redhat.com>
> >> To: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> >> Cc: pki-devel at redhat.com
> >> Sent: Thursday, July 2, 2020 11:18:53 AM
> >> Subject: Re: [Pki-devel] SSO
> >>
> >> Pascal,
> >>
> >> I don't think Dogtag Web UI supports it. The feature you are suggesting
> >> (sounds to me like it) requires a full fledged IDM deployment. You can
> >> look at FreeIPA, if you are looking for MFA.
> >>
> >> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> >> to issue certs and also combines several other components to offer a
> >> full-fledged IDM deployment.
> >>
> >> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> >> thoughts.
> >>
> >> Regards,
> >> --Dinesh
> >>
> >> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi at gmail.com>
> >> wrote:
> >>
> >>> Dinesh
> >>>
> >>> In fact all I am doing here is in order to offer a GUI that may be used
> >>> with OpenID Connect (i.e. Keycloak or so...). The value of this is that
> >>> it is much more flexible than certificate based authentication. You can
> >>> have MFA, etc....
> >>>
> >>> So my question: is there a way to remove the certificate based access
> >>> control in Dogtag's UI? I would replace it with a Tomcat valve that
> >>> provides OIDC support.
> >>>
> >>> Best
> >>> --
> >>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> >>> pascal.jakobi at gmail.com - +33 6 87 47 58 19
> >>>
> >> _______________________________________________
> >> Pki-devel mailing list
> >> Pki-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-devel
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jakobi at gmail.com - +33 6 87 47 58 19
> 
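To make the mapping step Alex describes concrete (taking the principal that a Tomcat authenticator established and turning it into a local user with roles the ACL layer understands, which is the piece both a GSS-API and an OIDC approach would need), here is an added example of a Tomcat Valve. It is not Dogtag code and was not posted by anyone in this thread; the package and class names, the `example.sso.source` request attribute, the sample mapping table and the role names are all assumptions, and it is written against the Tomcat 9 `ValveBase`/`GenericPrincipal` API.

```java
// Added example (not Dogtag's own code): a Tomcat Valve that sits behind an
// authenticator valve (GSS-API/SPNEGO or OIDC) and maps the external principal
// onto a locally known user and its roles before the application sees it.
// Class, attribute and role names here are hypothetical.
package example.sso;

import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class ExternalIdentityMappingValve extends ValveBase {

    /** Request attribute the upstream authenticator is assumed to set. */
    static final String SOURCE_ATTR = "example.sso.source";

    /** Which mechanism authenticated the request; mappings are keyed per source. */
    enum Source { GSSAPI, OIDC }

    /** A locally known user plus the roles the ACL layer understands. */
    static final class LocalUser {
        final String name;
        final List<String> roles;
        LocalUser(String name, List<String> roles) { this.name = name; this.roles = roles; }
    }

    // Constructed sample table. A real deployment would load this from the user
    // store (e.g. an LDAP attribute holding the external identity) or from config.
    // GSS-API names carry their realm; OIDC identities are "issuer|sub", because
    // the 'sub' claim is only unique within one issuer.
    private final Map<String, LocalUser> byExternalId = Map.of(
        "gssapi:alice@EXAMPLE.COM",
            new LocalUser("alice", List.of("Administrators")),
        "oidc:https://idp.example.com/|7f3c0c1e",
            new LocalUser("bob", List.of("Certificate Manager Agents")));

    static String key(Source source, String externalName) {
        return source.name().toLowerCase() + ":" + externalName;
    }

    /** Pure mapping step, separated from servlet plumbing so it can be unit-tested. */
    Optional<LocalUser> map(Source source, String externalName) {
        if (source == null || externalName == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(byExternalId.get(key(source, externalName)));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Principal external = request.getPrincipal();
        if (external == null) {
            // The authenticator in front of us did not establish an identity.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Object src = request.getAttribute(SOURCE_ATTR);
        Source source = (src instanceof Source) ? (Source) src : null;

        Optional<LocalUser> local = map(source, external.getName());
        if (local.isEmpty()) {
            // Fail closed: an authenticated but unmapped identity gets no access,
            // rather than falling through to a default or anonymous role.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Replace the external principal with one carrying the local name and
        // roles, so role checks downstream see the mapped identity only.
        LocalUser u = local.get();
        request.setUserPrincipal(new GenericPrincipal(u.name, null, u.roles));
        getNext().invoke(request, response);
    }
}
```

This valve deliberately does no ticket or token verification of its own: it assumes an authenticator valve earlier in the pipeline has already validated the Kerberos ticket or the OIDC token and attached the principal. Two choices matter for security here: the lookup is keyed by mechanism plus issuer/realm so that the same short name from two identity providers cannot collide, and an identity that authenticates but has no local mapping is rejected with 403 rather than being granted some default role.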