In order to authenticate through the firewall you have to allow
kinit and kerberos web traffic through, which means opening port
88. If you are unwilling to do that, you need to come up with an
authentication solution that will pass through firewalls, which
means either basic auth, digest, or certificates. IPA has an
embedded CA in it (Dogtag) but does not yet manage user certificates.
The approaches for web only single sign on (OpenID, OAuth, SAML and
so forth) still require the initial authentication. Since IPA
doesn't currently have a solution for that piece, we do not yet
support one of the HTTP SSO mechanisms, but it is under discussion.
On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
Thank you for your quick reply Rob,
I'll try it.
On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden <rcritten redhat com>
It depends. The FreeIPA SSO is Kerberos-based so you'd need to
provide access to your KDC for this to work. If we're talking
external portal then you may not want to expose your KDC.
Rapid Noreapeat wrote:
Is it possible to integrate my web applications like
helpdesk website, and other web apps login using
accounts (SSO) like CAS?
It also requires some configuration. Your browser has to be
configured to do Negotiate auth against a given domain. It
will also need to trust the IPA CA (and since CAS seems at
least partially SSL-based you already handle this).
I don't know much about CAS other than what I just read on
their web site but it looks like they handle redirecting when
you aren't authenticated, seemingly allowing a nice way to mix
protected and unprotected data. I think you'd have to do much
of this configuration yourself in Apache. Probably not a huge
amount of work though.
So it is basically whatever mod_auth_kerb provides.
Freeipa-users mailing list
Freeipa-users redhat com
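The setup Rob sketches (Apache doing Negotiate through mod_auth_kerb, the browser trusting the IPA CA, and only the web server needing to reach the KDC on port 88 if external users fall back to a password), written out as an added example. This is not configuration from the thread or from the FreeIPA project; the hostnames, realm EXAMPLE.COM, certificate and keytab paths are assumptions, and the CA chain path /etc/ipa/ca.crt assumes an IPA-enrolled web server.

```apache
# Added example, not from the thread or from FreeIPA itself: an Apache
# vhost fragment protecting /helpdesk with mod_auth_kerb. Hostnames,
# realm and file paths are assumptions for illustration.
<VirtualHost *:443>
    ServerName helpdesk.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/helpdesk.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/helpdesk.example.com.key
    # Server certificate issued by the IPA CA; browsers that already trust
    # the IPA CA (Rob's point above) then accept this vhost without a warning.
    SSLCertificateChainFile /etc/ipa/ca.crt

    <Location /helpdesk>
        AuthType Kerberos
        AuthName "Helpdesk (EXAMPLE.COM)"
        KrbAuthRealms EXAMPLE.COM
        # Service principal HTTP/helpdesk.example.com@EXAMPLE.COM, exported to a
        # keytab that only the apache user can read (see usage note below).
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/helpdesk.keytab
        # Clients inside the firewall that hold a TGT and have Negotiate
        # enabled for this domain authenticate silently.
        KrbMethodNegotiate On
        # Clients that cannot reach the KDC (port 88 closed to them) get a
        # Basic-auth prompt instead; mod_auth_kerb verifies the password
        # against the KDC itself, so only the web server needs port 88.
        # The password travels in the Basic header, so TLS is mandatory.
        KrbMethodK5Passwd On
        # Obtain a service ticket with the keytab after a password login to
        # confirm the KDC that answered is genuine (defends the Basic
        # fallback against a spoofed KDC).
        KrbVerifyKDC On
        # Present REMOTE_USER as "alice" rather than "alice@EXAMPLE.COM".
        KrbLocalUserMapping On
        SSLRequireSSL
        Require valid-user
    </Location>
</VirtualHost>
```

Before this works the service principal has to exist and its key has to be on the web server: `ipa service-add HTTP/helpdesk.example.com` on the IPA side, then `ipa-getkeytab -s ipa.example.com -p HTTP/helpdesk.example.com -k /etc/httpd/conf/helpdesk.keytab` on the web server (IPA server name assumed), followed by restricting the keytab to the apache user. On the client side, "configured to do Negotiate auth against a given domain" means, for Firefox, adding `example.com` to `network.negotiate-auth.trusted-uris`; a browser without that setting, or without a TGT, will only see the Basic prompt from the K5Passwd fallback. If you do not want external users to type their Kerberos password into a browser at all, drop `KrbMethodK5Passwd On` and the location is Negotiate-only, which is exactly the case where external clients need port 88 reachable as Rob describes.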