[Freeipa-users] Does FreeIPA support web services SSO gracefully?

Simo Sorce simo at redhat.com
Fri May 4 15:52:40 UTC 2012


On Fri, 2012-05-04 at 11:44 -0400, John Dennis wrote:
> On 05/04/2012 11:26 AM, Rob Crittenden wrote:
> > Firefox needs to be configured to be allowed to perform Kerberos SSO in
> > a domain. FreeIPA 2.2 introduced a forms-based login so you don't have
> > to fall back to basic authentication (with KrbMethodK5Passwd on).
> 
> The forms based login applies to the IPA Admin console, the OP was 
> asking web services other than the IPA admin console, therefore that's 
> not relevant.
> 
> What is relevant is getting the other web services to use kerberos 
> negotiate auth instead of whatever they are currently using. The 
> difficulty of that task really depends on the particular web service.
> 
> The user must also be able to acquire a kerberos ticket.
> 
> So the answer to the OP is, if you can satisfy the following two 
> conditions then IPA is a graceful solution:
> 
> 1) The web service can be configured to use kerberos negotiate auth.
> 
> 2) Each of your users has a facility available to acquire a kerberos ticket.

You can also fall back to basic_auth and even mod_auth_ldap I guess.
It's basically a matter of evaluating if you can live with letting other
services see the user's password or not.

In the future we want to add auth mechanisms that do not necessarily depend
on Kerberos and will not expose the user password to random services,
like OpenID, OAuth, etc., but we are not there yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
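As an added illustration (not part of the thread or of FreeIPA's own configuration) of the two conditions above and of the basic-auth trade-off Simo describes, here is a mod_auth_kerb vhost fragment for a non-IPA web service. The realm, hostname, keytab path and IPA server name are placeholders.

```apache
# Added example, not from the mailing list thread.
# Assumed placeholders: realm EXAMPLE.COM, service host app.example.com,
# IPA server ipa.example.com, keytab /etc/httpd/conf/app.keytab.
#
# Prerequisite (condition 1): the service needs its own HTTP/ principal
# and keytab from IPA, e.g. obtained on the web host with
#   ipa-getkeytab -s ipa.example.com -p HTTP/app.example.com \
#                 -k /etc/httpd/conf/app.keytab
# Prerequisite (condition 2): users must hold a TGT (kinit, or an
# SSSD/pam_krb5 login) and the browser must be allowed to negotiate for
# this host, e.g. Firefox network.negotiate-auth.trusted-uris.

<Location "/app">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/app.example.com
    Krb5KeyTab /etc/httpd/conf/app.keytab

    # SPNEGO/Negotiate: the browser presents a service ticket, so the
    # web service never sees the user's password.
    KrbMethodNegotiate on

    # The fallback the thread mentions. With "on", a client without a
    # ticket is prompted for basic auth and sends its password to this
    # server, which validates it against the KDC. Leave it off unless
    # you have decided you can live with this service seeing passwords.
    KrbMethodK5Passwd off

    # Don't leave delegated credentials on disk for the application
    # unless it actually needs to act on the user's behalf.
    KrbSaveCredentials off

    Require valid-user
</Location>
```

With the configuration above, an access log entry authenticated via Negotiate shows the principal (user@EXAMPLE.COM) as the remote user, which is a quick way to confirm SSO is in effect rather than the password fallback.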
