Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-08 Thread Kiran Patil 
> There was no follow up on this so what I am specifically interested is
> how CAS server integrates with external servers. Does it have some sort
> of pluggable interface like PAM? Even if it does it is probably
> implementation specific. So is it just a configuration issue to
> configure the auth sources or auth providers like IPA have to actually
> build a special provider module?
> If it is a config issue it might be something that we can try and
> document as a solution. If it requires development I want to understand
> what is the cost and benefits. It is unclear how widely CAS is used in
> general and is there one most popular implementation that we should
> focus on in future.
>


I found this article
"http://www.computerworld.com/s/article/9218973/5_cool_tools_for_cloud_management?taxonomyId=154&pageNumber=1";

http://www.symplified.com/main/what-we-do-for-you/products/SSO/

Thanks,
Kiran.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Dmitri Pal 
On 08/04/2011 11:07 AM, Kiran Patil wrote:
>> Which CAS server implementation you are using?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
> Sorry, I picked the subject from one of the earlier thread of FreeIPA user 
> list.
>
> Right now we are evaluating different solutions.
>
> We found that FreeIPA project interesting, which provides all in one
> solution which is backed by Redhat and community members.
>
> I have also seen a enhancement request of SAML in FreeIPA
> (https://fedorahosted.org/freeipa/ticket/1275).
>
> I wanted to know, since
> RapidNoreapeat(https://www.redhat.com/archives/freeipa-users/2011-July/msg00103.html)
> has raised this question earlier, that he is succeeded in implementing
> the solution.
>

There was no follow up on this so what I am specifically interested is
how CAS server integrates with external servers. Does it have some sort
of pluggable interface like PAM? Even if it does it is probably
implementation specific. So is it just a configuration issue to
configure the auth sources or auth providers like IPA have to actually
build a special provider module?
If it is a config issue it might be something that we can try and
document as a solution. If it requires development I want to understand
what is the cost and benefits. It is unclear how widely CAS is used in
general and is there one most popular implementation that we should
focus on in future.

> Thanks,
> Kiran Patil.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Kiran Patil 
>>
> Which CAS server implementation you are using?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>

Sorry, I picked the subject from one of the earlier thread of FreeIPA user list.

Right now we are evaluating different solutions.

We found that FreeIPA project interesting, which provides all in one
solution which is backed by Redhat and community members.

I have also seen a enhancement request of SAML in FreeIPA
(https://fedorahosted.org/freeipa/ticket/1275).

I wanted to know, since
RapidNoreapeat(https://www.redhat.com/archives/freeipa-users/2011-July/msg00103.html)
has raised this question earlier, that he is succeeded in implementing
the solution.

Thanks,
Kiran Patil.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Dmitri Pal 
On 08/04/2011 05:24 AM, Kiran Patil wrote:
> Did anybody got it working ?
>
> Please share your experiences with configuration details.
>
> Thanks,
> Kiran.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
Which CAS server implementation you are using?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Kiran Patil 
Did anybody got it working ?

Please share your experiences with configuration details.

Thanks,
Kiran.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-29 Thread Adam Young 
In order to authenticate through the firewall you  have to allow kinit 
and kerberos web traffic through, which means opening port 88.  If you 
are unwilling to do that, you need to come up with an authentication 
solution that will pass through firewalls, which means either basic 
auth, digest, or certificates.  IPA has an embeded CA in it (Dogtag) but 
does not yet manage user certificates.


http://pki.fedoraproject.org/wiki/PKI_Main_Page

The approaches for web only single sign on (OpenID, OAuth, SAML and so 
forth)  still require the initial authentication.  Since IPA doesn't 
currently have a solution for that piece, we do not yet support one of 
hte HTTP SSO mechanisms, but it is under discussion.



On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:

Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden > wrote:


Rapid Noreapeat wrote:

Is it possible to integrate my web applications like portal
website,
helpdesk website, and other web apps login using FreeIPA's login
accounts (SSO) like CAS?


It depends. The FreeIPA SSO is Kerberos-based so you'd need to
provide access to your KDC for this to work. If we're talking
external portal then you may not want to expose your KDC.

It also requires some configuration. Your browser has to be
configured to do Negotiate auth against a given domain.  It will
also need to trust the IPA CA (and since CAS seems at least
partially SSL-based you already handle this).

I don't know much about CAS other than what I just read on their
web site but it looks like they handle redirecting when you aren't
authenticated, seemingly allowing a nice way to mix protected and
unprotected data. I think you'd have to do much of this
configuration yourself in Apache. Probably not a huge amount of
work though.

So it is basically whatever mod_auth_kerb provides.

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-28 Thread Rapid Noreapeat 
Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden wrote:

> Rapid Noreapeat wrote:
>
>> Is it possible to integrate my web applications like portal website,
>> helpdesk website, and other web apps login using FreeIPA's login
>> accounts (SSO) like CAS?
>>
>
> It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide
> access to your KDC for this to work. If we're talking external portal then
> you may not want to expose your KDC.
>
> It also requires some configuration. Your browser has to be configured to
> do Negotiate auth against a given domain.  It will also need to trust the
> IPA CA (and since CAS seems at least partially SSL-based you already handle
> this).
>
> I don't know much about CAS other than what I just read on their web site
> but it looks like they handle redirecting when you aren't authenticated,
> seemingly allowing a nice way to mix protected and unprotected data. I think
> you'd have to do much of this configuration yourself in Apache. Probably not
> a huge amount of work though.
>
> So it is basically whatever mod_auth_kerb provides.
>
> rob
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-28 Thread Rob Crittenden 

Rapid Noreapeat wrote:

Is it possible to integrate my web applications like portal website,
helpdesk website, and other web apps login using FreeIPA's login
accounts (SSO) like CAS?


It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide 
access to your KDC for this to work. If we're talking external portal 
then you may not want to expose your KDC.


It also requires some configuration. Your browser has to be configured 
to do Negotiate auth against a given domain.  It will also need to trust 
the IPA CA (and since CAS seems at least partially SSL-based you already 
handle this).


I don't know much about CAS other than what I just read on their web 
site but it looks like they handle redirecting when you aren't 
authenticated, seemingly allowing a nice way to mix protected and 
unprotected data. I think you'd have to do much of this configuration 
yourself in Apache. Probably not a huge amount of work though.


So it is basically whatever mod_auth_kerb provides.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users