[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?



In order to authenticate through the firewall you  have to allow kinit and kerberos web traffic through, which means opening port 88.  If you are unwilling to do that, you need to come up with an authentication solution that will pass through firewalls, which means either basic auth, digest, or certificates.  IPA has an embeded CA in it (Dogtag) but does not yet manage user certificates.

http://pki.fedoraproject.org/wiki/PKI_Main_Page

The approaches for web only single sign on (OpenID, OAuth, SAML and so forth)  still require the initial authentication.  Since IPA doesn't currently have a solution for that piece, we do not yet support one of hte HTTP SSO mechanisms, but it is under discussion.


On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden <rcritten redhat com> wrote:
Rapid Noreapeat wrote:
Is it possible to integrate my web applications like portal website,
helpdesk website, and other web apps login using FreeIPA's login
accounts (SSO) like CAS?

It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide access to your KDC for this to work. If we're talking external portal then you may not want to expose your KDC.

It also requires some configuration. Your browser has to be configured to do Negotiate auth against a given domain.  It will also need to trust the IPA CA (and since CAS seems at least partially SSL-based you already handle this).

I don't know much about CAS other than what I just read on their web site but it looks like they handle redirecting when you aren't authenticated, seemingly allowing a nice way to mix protected and unprotected data. I think you'd have to do much of this configuration yourself in Apache. Probably not a huge amount of work though.

So it is basically whatever mod_auth_kerb provides.

rob

_______________________________________________ Freeipa-users mailing list Freeipa-users redhat com https://www.redhat.com/mailman/listinfo/freeipa-users


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]