In order to authenticate through the firewall you have to allow kinit and kerberos web traffic through, which means opening port 88. If you are unwilling to do that, you need to come up with an authentication solution that will pass through firewalls, which means either basic auth, digest, or certificates. IPA has an embeded CA in it (Dogtag) but does not yet manage user certificates.

The approaches for web only single sign on (OpenID, OAuth, SAML and so forth) still require the initial authentication. Since IPA doesn't currently have a solution for that piece, we do not yet support one of hte HTTP SSO mechanisms, but it is under discussion.

On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:
Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden < <>> wrote:

    Rapid Noreapeat wrote:

        Is it possible to integrate my web applications like portal
        helpdesk website, and other web apps login using FreeIPA's login
        accounts (SSO) like CAS?

    It depends. The FreeIPA SSO is Kerberos-based so you'd need to
    provide access to your KDC for this to work. If we're talking
    external portal then you may not want to expose your KDC.

    It also requires some configuration. Your browser has to be
    configured to do Negotiate auth against a given domain.  It will
    also need to trust the IPA CA (and since CAS seems at least
    partially SSL-based you already handle this).

    I don't know much about CAS other than what I just read on their
    web site but it looks like they handle redirecting when you aren't
    authenticated, seemingly allowing a nice way to mix protected and
    unprotected data. I think you'd have to do much of this
    configuration yourself in Apache. Probably not a huge amount of
    work though.

    So it is basically whatever mod_auth_kerb provides.


Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to