[Pki-devel] SSO

Fraser Tweedale ftweedal at redhat.com
Fri Jul 3 09:52:32 UTC 2020


On Fri, Jul 03, 2020 at 11:11:17AM +0200, Pascal Jakobi wrote:
> I would be interested into trying this.
> 
> 1/ Is there a list of the "environment variables" (I guess these are HTML
> headers) that dogtag needs ? Did not find it....
> 
> 2/ If I set an Apache reverse proxy, do I still need to insert an admin
> certificate in the browser's wallet ?
> 
No certificate is required.

You must use AJP protocol between Apache and pki-tomcatd.  It is
recommended to set an AJP shared secret because pki-tomcatd has
absolute trust in whatever data comes over AJP.

The AJP variables to set are:

- REMOTE_USER
- REMOTE_USER_GROUP_N (number of groups)
- REMOTE_USER_GROUP_$i (for $i in 0..N)

REMOTE_USER should get set automatically by mod_proxy_ajp.  For the
other variable, prepend "AJP_" when setting the Apache environment
variable, so that AJP will pick it up.  See [1] for an example.

[1] https://www.dogtagpki.org/wiki/GSS-API_authentication#Example_SSSD_and_Apache_configuration

Now that I am paging all of this back into my head, there is a
possible challenge.  For externally authenticated principals, the
set of ACLs to use for authorisation is looked up based on the
"realm" of the principal.

It would be fairly straightforward to implement another way of
conveying the realm, e.g. via an AJP variable.  But the current
implementation takes the realm from the principal name (i.e. the
value of REMOTE_USER).  The realm is whatever follows the '@'.  So
if REMOTE_USER is an email address and everyone has the same domain,
this could work with the current code.  Otherwise, we'll need to
make changes.

All that said, providing an alternative way of specifying the realm
is a small RFE with a big payoff.

HTH,
Fraser

> Thanks !
> 
> P
> 
> Le 03/07/2020 à 05:05, Fraser Tweedale a écrit :
> > On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> > > There's a proposal for GSS-API auth:
> > > 
> > > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > 
> > > However, it isn't implemented yet. This would probably suffice for
> > > SSO though.
> > > 
> > Although the design doc is called GSS-API Authentication, the
> > feature is actually a more general than that.  If you put Dogtag
> > behind a web frontend (e.g. Apache), you can authenticate users via
> > SAML or OIDC and convey the appropriate environment variables, and
> > it will work.  Dogtag just sees an external principal and their
> > groups conveyed via AJP request attributes.
> > 
> > Cheers,
> > Fraser
> > 
> > > 
> > > My 2c,
> > > 
> > > - Alex
> > > 
> > > ----- Original Message -----
> > > > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw at redhat.com>
> > > > To: "Pascal Jakobi" <pascal.jakobi at gmail.com>
> > > > Cc: pki-devel at redhat.com
> > > > Sent: Thursday, July 2, 2020 11:18:53 AM
> > > > Subject: Re: [Pki-devel] SSO
> > > > 
> > > > Pascal,
> > > > 
> > > > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > > > (sounds to me like it) requires a full fledged IDM deployment. You can look
> > > > at FreeIPA, if you are looking for MFA.
> > > > 
> > > > FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> > > > to issue certs and also combines several other components to offer a
> > > > full-fledged IDM deployment.
> > > > 
> > > > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > > > thoughts.
> > > > 
> > > > Regards,
> > > > --Dinesh
> > > > 
> > > > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi at gmail.com>
> > > > wrote:
> > > > 
> > > > > Dinesh
> > > > > 
> > > > > In fact all I am doing here is in order to offer a GUI that may be used
> > > > > with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> > > > > much more flexible than certificate based authentication. You can have MFA,
> > > > > etc....
> > > > > 
> > > > > So my question : is there a way to remove the certificate based access
> > > > > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > > > > provides OIDC support.
> > > > > 
> > > > > Best
> > > > > --
> > > > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > > > pascal.jakobi at gmail.com - +33 6 87 47 58 19
> > > > > 
> > > > _______________________________________________
> > > > Pki-devel mailing list
> > > > Pki-devel at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/pki-devel
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> -- 
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jakobi at gmail.com - +33 6 87 47 58 19




More information about the Pki-devel mailing list