[katello-devel] Design of SSO - screencast

Marek Hulan mhulan at redhat.com
Mon Mar 11 12:54:54 UTC 2013


On Monday 11 of March 2013 08:31:27 Ohad Levy wrote:
> | > My main concern is that this would not be a drop-in replacement for
> | > current foreman users, and we would need to maintain multiple SSO
> | > backends (e.g. what foreman currently has with Apache) or plain
> | > authentication (e.g. it won't answer get user details).
> | 
> | I'm not sure whether I get it right but this SSO application was not
> | meant to be any replacement. Users would not be forced to use it at all.
> | It should allow users only one thing that it's named after - they just
> | sign in once and they can use other systems immediately. The only thing
> | that's needed from Foreman's point of view is adding support for a custom
> | OpenID provider.
> | 
> | It's 39 LOC including whitelines and comments. The biggest benefit would
> | be that Katello and Foreman (and maybe other systems) would not have to
> | implement various authentication methods separately. It means having
> | kerberos, LDAP and e.g. OpenID authentication in one place and reused by
> | all applications. Hence you could remove some SSO backends you may
> | already have in Foreman.
> | 
> | Does it make sense? What should this SSO solution fulfill to meet
> | Foreman requirements?
> 
> The issue here is that you would need to configure LDAP twice, once for the
> SSO app to authenticate, and the other time for foreman to query user/group
> information.
> 
> This means you store the pw twice, and also means that I can't get rid of the
> LDAP related code in foreman.
Why can't this be the same LDAP instance? It would only make sense to have one 
DB of users. You are right, LDAP code would have to stay in Foreman to gather 
information about users, unless we implement some REST API in SSO to provide 
user information; however, this is something I'd like to avoid. It would result 
in adding another layer that would just translate data.

> PS. if you tend to send this mail to the public (and get feedback from
> foreman community), please use the foreman developers mailing list hosted
> at google lists.
> 
> Ohad
-- 
Marek