Re: [Pki-devel] SSO

[Pascal Jakobi]

I would be interested into trying this.

1/ Is there a list of the "environment variables" (I guess these are 
HTML headers) that dogtag needs ? Did not find it


2/ If I set an Apache reverse proxy, do I still need to insert an admin 
certificate in the browser's wallet ?


Thanks !

P

Le 03/07/2020 à 05:05, Fraser Tweedale a écrit :

On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:

There's a proposal for GSS-API auth:

https://www.dogtagpki.org/wiki/GSS-API_authentication
https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

However, it isn't implemented yet. This would probably suffice for
SSO though.


Although the design doc is called GSS-API Authentication, the
feature is actually a more general than that.  If you put Dogtag
behind a web frontend (e.g. Apache), you can authenticate users via
SAML or OIDC and convey the appropriate environment variables, and
it will work.  Dogtag just sees an external principal and their
groups conveyed via AJP request attributes.

Cheers,
Fraser



My 2c,

- Alex

- Original Message -

From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
To: "Pascal Jakobi" 
Cc: pki-devel@redhat.com
Sent: Thursday, July 2, 2020 11:18:53 AM
Subject: Re: [Pki-devel] SSO

Pascal,

I don't think Dogtag Web UI supports it. The feature you are suggesting
(sounds to me like it) requires a full fledged IDM deployment. You can look
at FreeIPA, if you are looking for MFA.

FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
to issue certs and also combines several other components to offer a
full-fledged IDM deployment.

Nonetheless, I'm CC'ing pki-devel to see if other developers have any
thoughts.

Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
wrote:


Dinesh

In fact all I am doing here is in order to offer a GUI that may be used
with OpenId Connect (ie Keycloak or so...). The value of this is that it is
much more flexible than certificate based authentication. You can have MFA,
etc

So my question : is there a way to remove the certificate based access
control in Dogtag's UI ? I would replace it with a tomcat valve that
provides OIDC support.

Best
--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Fraser Tweedale]

On Fri, Jul 03, 2020 at 11:11:17AM +0200, Pascal Jakobi wrote:
> I would be interested into trying this.
> 
> 1/ Is there a list of the "environment variables" (I guess these are HTML
> headers) that dogtag needs ? Did not find it
> 
> 2/ If I set an Apache reverse proxy, do I still need to insert an admin
> certificate in the browser's wallet ?
> 
No certificate is required.

You must use AJP protocol between Apache and pki-tomcatd.  It is
recommended to set an AJP shared secret because pki-tomcatd has
absolute trust in whatever data comes over AJP.

The AJP variables to set are:

- REMOTE_USER
- REMOTE_USER_GROUP_N (number of groups)
- REMOTE_USER_GROUP_$i (for $i in 0..N)

REMOTE_USER should get set automatically by mod_proxy_ajp.  For the
other variable, prepend "AJP_" when setting the Apache environment
variable, so that AJP will pick it up.  See [1] for an example.

[1] 
https://www.dogtagpki.org/wiki/GSS-API_authentication#Example_SSSD_and_Apache_configuration

Now that I am paging all of this back into my head, there is a
possible challenge.  For externally authenticated principals, the
set of ACLs to use for authorisation is looked up based on the
"realm" of the principal.

It would be fairly straightforward to implement another way of
conveying the realm, e.g. via an AJP variable.  But the current
implementation takes the realm from the principal name (i.e. the
value of REMOTE_USER).  The realm is whatever follows the '@'.  So
if REMOTE_USER is an email address and everyone has the same domain,
this could work with the current code.  Otherwise, we'll need to
make changes.

All that said, providing an alternative way of specifying the realm
is a small RFE with a big payoff.

HTH,
Fraser

> Thanks !
> 
> P
> 
> Le 03/07/2020 à 05:05, Fraser Tweedale a écrit :
> > On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> > > There's a proposal for GSS-API auth:
> > > 
> > > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > 
> > > However, it isn't implemented yet. This would probably suffice for
> > > SSO though.
> > > 
> > Although the design doc is called GSS-API Authentication, the
> > feature is actually a more general than that.  If you put Dogtag
> > behind a web frontend (e.g. Apache), you can authenticate users via
> > SAML or OIDC and convey the appropriate environment variables, and
> > it will work.  Dogtag just sees an external principal and their
> > groups conveyed via AJP request attributes.
> > 
> > Cheers,
> > Fraser
> > 
> > > 
> > > My 2c,
> > > 
> > > - Alex
> > > 
> > > - Original Message -
> > > > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> > > > To: "Pascal Jakobi" 
> > > > Cc: pki-devel@redhat.com
> > > > Sent: Thursday, July 2, 2020 11:18:53 AM
> > > > Subject: Re: [Pki-devel] SSO
> > > > 
> > > > Pascal,
> > > > 
> > > > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > > > (sounds to me like it) requires a full fledged IDM deployment. You can 
> > > > look
> > > > at FreeIPA, if you are looking for MFA.
> > > > 
> > > > FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its 
> > > > backend
> > > > to issue certs and also combines several other components to offer a
> > > > full-fledged IDM deployment.
> > > > 
> > > > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > > > thoughts.
> > > > 
> > > > Regards,
> > > > --Dinesh
> > > > 
> > > > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> > > > wrote:
> > > > 
> > > > > Dinesh
> > > > > 
> > > > > In fact all I am doing here is in order to offer a GUI that may be 
> > > > > used
> > > > > with OpenId Connect (ie Keycloak or so...). The value of this is that 
> > > > > it is
> > > > > much more flexible than certificate based authentication. You can 
> > > > > have MFA,
> > > > > etc
> > > > > 
> > > > > So my question : is there a way to remove the certificate based access
> > > > > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > > > > provides OIDC support.
> > > > > 
> > > > > Best
> > > > > --
> > > > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > > > pascal.jak...@gmail.com - +33 6 87 47 58 19
> > > > > 
> > > > ___
> > > > Pki-devel mailing list
> > > > Pki-devel@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/pki-devel
> > > ___
> > > Pki-devel mailing list
> > > Pki-devel@redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> -- 
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Fraser Tweedale]

On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:
> There's a proposal for GSS-API auth:
> 
> https://www.dogtagpki.org/wiki/GSS-API_authentication
> https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> 
> However, it isn't implemented yet. This would probably suffice for
> SSO though.
> 
Although the design doc is called GSS-API Authentication, the
feature is actually a more general than that.  If you put Dogtag
behind a web frontend (e.g. Apache), you can authenticate users via
SAML or OIDC and convey the appropriate environment variables, and
it will work.  Dogtag just sees an external principal and their
groups conveyed via AJP request attributes.

Cheers,
Fraser

> 
> 
> My 2c,
> 
> - Alex
> 
> - Original Message -
> > From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> > To: "Pascal Jakobi" 
> > Cc: pki-devel@redhat.com
> > Sent: Thursday, July 2, 2020 11:18:53 AM
> > Subject: Re: [Pki-devel] SSO
> > 
> > Pascal,
> > 
> > I don't think Dogtag Web UI supports it. The feature you are suggesting
> > (sounds to me like it) requires a full fledged IDM deployment. You can look
> > at FreeIPA, if you are looking for MFA.
> > 
> > FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> > to issue certs and also combines several other components to offer a
> > full-fledged IDM deployment.
> > 
> > Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> > thoughts.
> > 
> > Regards,
> > --Dinesh
> > 
> > On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> > wrote:
> > 
> > > Dinesh
> > >
> > > In fact all I am doing here is in order to offer a GUI that may be used
> > > with OpenId Connect (ie Keycloak or so...). The value of this is that it 
> > > is
> > > much more flexible than certificate based authentication. You can have 
> > > MFA,
> > > etc
> > >
> > > So my question : is there a way to remove the certificate based access
> > > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > > provides OIDC support.
> > >
> > > Best
> > > --
> > > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > > pascal.jak...@gmail.com - +33 6 87 47 58 19
> > >
> > 
> > ___
> > Pki-devel mailing list
> > Pki-devel@redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Alex Scheel]

Sure, but what you'd have to do is similar in both cases:

 - Extend Dogtag's user model to include external authentication sources,
 - Allow Dogtag to lookup users based on Tomcat's auth handler.

In both GSS-API and OIDC, you need a way of mapping users to Dogtag's ACL
model, that doesn't currently exist for anything but Dogtag's internal users
and cert-auth capability.

- A

- Original Message -
> From: "Pascal Jakobi" 
> To: "Alex Scheel" 
> Sent: Thursday, July 2, 2020 11:39:32 AM
> Subject: Re: [Pki-devel] SSO
> 
> GSS support was a good idea before.
> 
> Now the real solution for web SSO is OIDC, I believe.
> 
> Le 02/07/2020 à 17:35, Alex Scheel a écrit :
> > There's a proposal for GSS-API auth:
> >
> > https://www.dogtagpki.org/wiki/GSS-API_authentication
> > https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> >
> > However, it isn't implemented yet. This would probably suffice for
> > SSO though.
> >
> >
> >
> > My 2c,
> >
> > - Alex
> >
> > - Original Message -
> >> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> >> To: "Pascal Jakobi" 
> >> Cc: pki-devel@redhat.com
> >> Sent: Thursday, July 2, 2020 11:18:53 AM
> >> Subject: Re: [Pki-devel] SSO
> >>
> >> Pascal,
> >>
> >> I don't think Dogtag Web UI supports it. The feature you are suggesting
> >> (sounds to me like it) requires a full fledged IDM deployment. You can
> >> look
> >> at FreeIPA, if you are looking for MFA.
> >>
> >> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> >> to issue certs and also combines several other components to offer a
> >> full-fledged IDM deployment.
> >>
> >> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> >> thoughts.
> >>
> >> Regards,
> >> --Dinesh
> >>
> >> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> >> wrote:
> >>
> >>> Dinesh
> >>>
> >>> In fact all I am doing here is in order to offer a GUI that may be used
> >>> with OpenId Connect (ie Keycloak or so...). The value of this is that it
> >>> is
> >>> much more flexible than certificate based authentication. You can have
> >>> MFA,
> >>> etc
> >>>
> >>> So my question : is there a way to remove the certificate based access
> >>> control in Dogtag's UI ? I would replace it with a tomcat valve that
> >>> provides OIDC support.
> >>>
> >>> Best
> >>> --
> >>> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> >>> pascal.jak...@gmail.com - +33 6 87 47 58 19
> >>>
> >> ___
> >> Pki-devel mailing list
> >> Pki-devel@redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-devel
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
> 

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Pascal Jakobi]

No, it does not require IPA.

It does require something as Keycloak or equivalent (an OpenID Connect 
Provider).


Generally those OPs provide features such as MFA or Identity Federation.

And there are valves that provide OIDC support on the application side.

Best

P

Le 02/07/2020 à 17:18, Dinesh Prasanth Moluguwan Krishnamoorthy a écrit :

Pascal,

I don't think Dogtag Web UI supports it. The feature you are 
suggesting (sounds to me like it) requires a full fledged IDM 
deployment. You can look at FreeIPA, if you are looking for MFA.


FreeIPA  uses Dogtag CA as its 
backend to issue certs and also combines several other components to 
offer a full-fledged IDM deployment.


Nonetheless, I'm CC'ing pki-devel to see if other developers have any 
thoughts.


Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi > wrote:


Dinesh

In fact all I am doing here is in order to offer a GUI that may be
used with OpenId Connect (ie Keycloak or so...). The value of this
is that it is much more flexible than certificate based
authentication. You can have MFA, etc

So my question : is there a way to remove the certificate based
access control in Dogtag's UI ? I would replace it with a tomcat
valve that provides OIDC support.

Best

-- 
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France

pascal.jak...@gmail.com  - +33 6
87 47 58 19


--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Alex Scheel]

There's a proposal for GSS-API auth:

https://www.dogtagpki.org/wiki/GSS-API_authentication
https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

However, it isn't implemented yet. This would probably suffice for
SSO though.



My 2c,

- Alex

- Original Message -
> From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
> To: "Pascal Jakobi" 
> Cc: pki-devel@redhat.com
> Sent: Thursday, July 2, 2020 11:18:53 AM
> Subject: Re: [Pki-devel] SSO
> 
> Pascal,
> 
> I don't think Dogtag Web UI supports it. The feature you are suggesting
> (sounds to me like it) requires a full fledged IDM deployment. You can look
> at FreeIPA, if you are looking for MFA.
> 
> FreeIPA <https://www.freeipa.org/page/About> uses Dogtag CA as its backend
> to issue certs and also combines several other components to offer a
> full-fledged IDM deployment.
> 
> Nonetheless, I'm CC'ing pki-devel to see if other developers have any
> thoughts.
> 
> Regards,
> --Dinesh
> 
> On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
> wrote:
> 
> > Dinesh
> >
> > In fact all I am doing here is in order to offer a GUI that may be used
> > with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> > much more flexible than certificate based authentication. You can have MFA,
> > etc
> >
> > So my question : is there a way to remove the certificate based access
> > control in Dogtag's UI ? I would replace it with a tomcat valve that
> > provides OIDC support.
> >
> > Best
> > --
> > *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> > pascal.jak...@gmail.com - +33 6 87 47 58 19
> >
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] SSO

[Dinesh Prasanth Moluguwan Krishnamoorthy]

Pascal,

I don't think Dogtag Web UI supports it. The feature you are suggesting
(sounds to me like it) requires a full fledged IDM deployment. You can look
at FreeIPA, if you are looking for MFA.

FreeIPA  uses Dogtag CA as its backend
to issue certs and also combines several other components to offer a
full-fledged IDM deployment.

Nonetheless, I'm CC'ing pki-devel to see if other developers have any
thoughts.

Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
wrote:

> Dinesh
>
> In fact all I am doing here is in order to offer a GUI that may be used
> with OpenId Connect (ie Keycloak or so...). The value of this is that it is
> much more flexible than certificate based authentication. You can have MFA,
> etc
>
> So my question : is there a way to remove the certificate based access
> control in Dogtag's UI ? I would replace it with a tomcat valve that
> provides OIDC support.
>
> Best
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
>
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel