[Pki-devel] SSO

Pascal Jakobi pascal.jakobi at gmail.com
Fri Jul 3 09:11:17 UTC 2020


I would be interested in trying this.

1/ Is there a list of the "environment variables" (I guess these are 
HTML headers) that dogtag needs? I did not find it.

2/ If I set up an Apache reverse proxy, do I still need to insert an admin 
certificate in the browser's wallet?

Thanks!

P

On 03/07/2020 at 05:05, Fraser Tweedale wrote:
> On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
>> There's a proposal for GSS-API auth:
>>
>> https://www.dogtagpki.org/wiki/GSS-API_authentication
>> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
>>
>> However, it isn't implemented yet. This would probably suffice for
>> SSO though.
>>
> Although the design doc is called GSS-API Authentication, the
> feature is actually more general than that.  If you put Dogtag
> behind a web frontend (e.g. Apache), you can authenticate users via
> SAML or OIDC and convey the appropriate environment variables, and
> it will work.  Dogtag just sees an external principal and their
> groups conveyed via AJP request attributes.
>
> Cheers,
> Fraser
>
>>
>> My 2c,
>>
>> - Alex
>>
>> ----- Original Message -----
>>> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" <dmoluguw at redhat.com>
>>> To: "Pascal Jakobi" <pascal.jakobi at gmail.com>
>>> Cc: pki-devel at redhat.com
>>> Sent: Thursday, July 2, 2020 11:18:53 AM
>>> Subject: Re: [Pki-devel] SSO
>>>
>>> Pascal,
>>>
>>> I don't think Dogtag Web UI supports it. The feature you are suggesting
>>> (sounds to me like it) requires a full fledged IDM deployment. You can look
>>> at FreeIPA, if you are looking for MFA.
>>>
>>> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
>>> to issue certs and also combines several other components to offer a
>>> full-fledged IDM deployment.
>>>
>>> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
>>> thoughts.
>>>
>>> Regards,
>>> --Dinesh
>>>
>>> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi <pascal.jakobi at gmail.com>
>>> wrote:
>>>
>>>> Dinesh
>>>>
>>>> In fact all I am doing here is in order to offer a GUI that may be used
>>>> with OpenID Connect (i.e. Keycloak or so...). The value of this is that it is
>>>> much more flexible than certificate-based authentication. You can have MFA,
>>>> etc.
>>>>
>>>> So my question: is there a way to remove the certificate-based access
>>>> control in Dogtag's UI? I would replace it with a Tomcat valve that
>>>> provides OIDC support.
>>>>
>>>> Best
>>>> --
>>>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
>>>> pascal.jakobi at gmail.com - +33 6 87 47 58 19
>>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
-- 
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jakobi at gmail.com - +33 6 87 47 58 19
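The following Apache configuration is an added illustration of the deployment pattern Fraser describes above (an OIDC-authenticating web front end that passes the external principal and groups to Tomcat as AJP request attributes). It is not taken from the thread or from the Dogtag project, and it does not answer the open question of which attribute names Dogtag actually reads: the `EXTERNAL_USER` and `EXTERNAL_GROUPS` names, the hostnames, the realm and every `REPLACE_WITH_*` value are placeholders. The mechanism it relies on is documented Apache behaviour: mod_proxy_ajp forwards every environment variable whose name begins with `AJP_` to the backend as an AJP request attribute with the prefix removed, and mod_auth_openidc exposes the verified ID-token claims as `OIDC_CLAIM_*` environment variables.

```apache
# Added example (not from the thread or the Dogtag project).
# Placeholders: hostnames, realm, client id/secret, AJP secret, and the
# attribute names EXTERNAL_USER / EXTERNAL_GROUPS.

LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so
LoadModule rewrite_module      modules/mod_rewrite.so

# OpenID Connect provider (e.g. a Keycloak realm); all values are placeholders.
OIDCProviderMetadataURL https://idp.example.test/realms/pki/.well-known/openid-configuration
OIDCClientID            dogtag-ui
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
OIDCRedirectURI         https://pki.example.test/ca/redirect_uri
OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE
OIDCRemoteUserClaim     preferred_username
# Hand the claims to the proxy as environment variables only, never as
# request headers, so a client cannot inject a forged identity header.
OIDCPassClaimsAs        environment

<Location /ca>
    AuthType openid-connect
    Require  valid-user

    # In <Location> context mod_rewrite runs after authentication, so
    # REMOTE_USER and the OIDC_CLAIM_* variables are already populated.
    # Variables named AJP_<name> become the AJP request attribute <name>.
    RewriteEngine On
    RewriteRule .* - [E=AJP_EXTERNAL_USER:%{REMOTE_USER}]
    RewriteRule .* - [E=AJP_EXTERNAL_GROUPS:%{ENV:OIDC_CLAIM_groups}]

    # Keep AJP on loopback and authenticate the proxy to Tomcat with a
    # shared secret ("secret=" needs Apache httpd 2.4.42 or later).
    ProxyPass        ajp://127.0.0.1:8009/ca secret=REPLACE_WITH_AJP_SECRET
    ProxyPassReverse ajp://127.0.0.1:8009/ca
</Location>
```

Two things are worth checking on the Tomcat side of such a setup. Because the backend trusts whatever arrives on the AJP port, the connector should be bound to localhost and configured with the same `secret` (Tomcat 9.0.31 and later require one unless `secretRequired="false"` is set explicitly). The same release also started dropping arbitrary AJP request attributes unless their names match the connector's `allowedRequestAttributesPattern`, so the placeholder attribute names above would have to be listed there once the names Dogtag expects are known. Forwarding the identity as AJP attributes rather than HTTP headers is what makes the front end the single trust boundary: a browser can send any header it likes, but it cannot set an environment variable inside the proxy.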