Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-04 Thread Simo Sorce
On Fri, 2012-05-04 at 11:44 -0400, John Dennis wrote:
> On 05/04/2012 11:26 AM, Rob Crittenden wrote:
> > Firefox needs to be configured to be allowed to perform Kerberos SSO in
> > a domain. FreeIPA 2.2 introduced a forms-based login so you don't have
> > to fall back to basic authentication (with KrbMethodK5Passwd on).
> 
> The forms-based login applies to the IPA Admin console; the OP was 
> asking about web services other than the IPA admin console, therefore 
> that's not relevant.
> 
> What is relevant is getting the other web services to use Kerberos 
> negotiate auth instead of whatever they are currently using. The 
> difficulty of that task really depends on the particular web service.
> 
> The user must also be able to acquire a Kerberos ticket.
> 
> So the answer to the OP is, if you can satisfy the following two 
> conditions then IPA is a graceful solution:
> 
> 1) The web service can be configured to use Kerberos negotiate auth.
> 
> 2) Each of your users has a facility available to acquire a Kerberos ticket.

You can also fall back to basic_auth and even mod_auth_ldap, I guess.
It's basically a matter of evaluating whether you can live with letting
other services see the user's password or not.

In the future we want to add auth mechanisms that do not necessarily
depend on Kerberos and will not expose the user password to random
services, like OpenID, OAuth etc., but we are not there yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-04 Thread John Dennis

On 05/04/2012 11:26 AM, Rob Crittenden wrote:

Firefox needs to be configured to be allowed to perform Kerberos SSO in
a domain. FreeIPA 2.2 introduced a forms-based login so you don't have
to fall back to basic authentication (with KrbMethodK5Passwd on).


The forms-based login applies to the IPA Admin console; the OP was 
asking about web services other than the IPA admin console, therefore 
that's not relevant.


What is relevant is getting the other web services to use Kerberos 
negotiate auth instead of whatever they are currently using. The 
difficulty of that task really depends on the particular web service.


The user must also be able to acquire a Kerberos ticket.

So the answer to the OP is, if you can satisfy the following two 
conditions then IPA is a graceful solution:


1) The web service can be configured to use Kerberos negotiate auth.

2) Each of your users has a facility available to acquire a Kerberos ticket.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-04 Thread Rob Crittenden

cee1 wrote:

2012/5/4 Paul Robert Marino:

There is an Apache module for Kerberos auth that works well. Two notes about
it: turn on credential caching because it significantly reduces the load on
the Kerberos server, and keep in mind that Internet Explorer leaves native
Kerberos on (you won't get prompted for a user name or password if you have a
valid Kerberos ticket) but Firefox turns it off by default and I'm not sure
about Chrome. In other words, if you leave the default setting in Firefox it
will use basic auth (clear text password unless you use SSL) to interact
with Apache and subsequently Kerberos. This is a wonderful way to make a
secure authentication mechanism insecure if you don't use SSL.
That said, I know for a fact Trac does work well with Kerberos auth.

That means if the user's browser doesn't support Kerberos, or has Kerberos
off by default, it will break SSO, right?

Maybe I should try FreeIPA in conjunction with CoSign?


Firefox needs to be configured to be allowed to perform Kerberos SSO in 
a domain. FreeIPA 2.2 introduced a forms-based login so you don't have 
to fall back to basic authentication (with KrbMethodK5Passwd on).


In practice all web-based Kerberos should be protected by SSL.

rob
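Paul's warning above (Firefox ships with Negotiate off, so it falls back to Basic auth and the Kerberos password travels in clear without SSL) and Rob's rule that all web-based Kerberos should sit behind SSL can be checked mechanically against an httpd config. This is an added example, not code from the thread or from FreeIPA; it assumes mod_auth_kerb's KrbMethodNegotiate/KrbMethodK5Passwd directive names and a constructed config fragment with two Location blocks, one weak and one hardened:

```python
# Audit Apache mod_auth_kerb <Location> blocks for the fallback risk the thread
# describes: KrbMethodK5Passwd on + Negotiate off in the browser = Basic auth.
import re

# Constructed sample config (assumed layout): /trac allows password
# fallback over plain HTTP, /jira is hardened.
SAMPLE_CONF = """\
<Location /trac>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
</Location>
<Location /jira>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    SSLRequireSSL
    require valid-user
</Location>
"""
BLOCK_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S)

def parse_blocks(conf):
    """Map each <Location> path to its directives (names lower-cased)."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        blocks[path] = directives
    return blocks

def audit(conf):
    """Findings per Kerberos-protected path; an empty list means clean.
    mod_auth_kerb defaults both Krb* methods to on, so absent means on."""
    findings = {}
    for path, d in parse_blocks(conf).items():
        if d.get("authtype", "").lower() != "kerberos":
            continue
        issues = []
        if d.get("krbmethodnegotiate", "on").lower() != "on":
            issues.append("Negotiate off: no ticket-based SSO on this path")
        if d.get("krbmethodk5passwd", "on").lower() == "on" and "sslrequiressl" not in d:
            issues.append("Basic-auth fallback without SSLRequireSSL: password in clear")
        findings[path] = issues
    return findings
```

Turning KrbMethodK5Passwd off entirely is the stricter option when every user can get a ticket; the check only flags the combination that leaks the password.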



Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-03 Thread cee1
2012/5/4 Paul Robert Marino :
> There is an Apache module for Kerberos auth that works well. Two notes about
> it: turn on credential caching because it significantly reduces the load on
> the Kerberos server, and keep in mind that Internet Explorer leaves native
> Kerberos on (you won't get prompted for a user name or password if you have a
> valid Kerberos ticket) but Firefox turns it off by default and I'm not sure
> about Chrome. In other words, if you leave the default setting in Firefox it
> will use basic auth (clear text password unless you use SSL) to interact
> with Apache and subsequently Kerberos. This is a wonderful way to make a
> secure authentication mechanism insecure if you don't use SSL.
> That said, I know for a fact Trac does work well with Kerberos auth.
That means if the user's browser doesn't support Kerberos, or has Kerberos
off by default, it will break SSO, right?

Maybe I should try FreeIPA in conjunction with CoSign?



--
Regards,

- cee1



Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-03 Thread Steven Jones
Hi,

My experience so far is that IPA has a great interface to use, but it's only 
suitable for a very simple setup at present IMHO. Everything else, i.e. in a 
typical complex and diverse enterprise, is proving very hard going as it lacks 
critical mass from users and vendors. The biggest issue I am having is lack of 
documentation / examples when connecting to any sort of external service or 
hardware, e.g. Bluearc's kit, EMC kit, Bluecoat, samba, sendmail etc. Think of 
this as spending time hacking things... if you love doing that, if you are 
happy to be on your own and have a LOT of time, lots of coffee, good mental 
health insurance, it's not mission critical and realistic management 
expectations to work to... go for it.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of cee1 [fykc...@gmail.com]
Sent: Thursday, 3 May 2012 9:35 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

Hi all,

We have a round of web services (mail, JIRA, Trac, etc.); each has its
own account database. We are seeking an SSO solution, so that users
need only log in once and can then access all web services.

Does FreeIPA support it gracefully?



--
Regards,

- cee1



Re: [Freeipa-users] Does FreeIPA support web services SSO gracefully?

2012-05-03 Thread Paul Robert Marino
Yes and no.
Not completely natively, but in theory yes. Kerberos is the original SSO
solution and it works very well, but webapps don't always play nice with
existing authentication solutions.
Since Kerberos 5 is part of FreeIPA you have a chance to get it working if
they play nice with Apache's authentication mechanisms.

There is an Apache module for Kerberos auth that works well. Two notes about
it: turn on credential caching because it significantly reduces the load on
the Kerberos server, and keep in mind that Internet Explorer leaves native
Kerberos on (you won't get prompted for a user name or password if you have
a valid Kerberos ticket) but Firefox turns it off by default and I'm not
sure about Chrome. In other words, if you leave the default setting in
Firefox it will use basic auth (clear text password unless you use SSL) to
interact with Apache and subsequently Kerberos. This is a wonderful way to
make a secure authentication mechanism insecure if you don't use SSL.
That said, I know for a fact Trac does work well with Kerberos auth.

One warning: Apache has an LDAP authentication module as well; avoid it like
the plague unless you like to launch denial of service attacks against your
own servers.
The LDAP auth module will query your LDAP servers every time a user
accesses a file or CGI on the server, and by file I mean a page with 5
images will query your LDAP server at least 6 times every time you access
it. The worst part about the LDAP auth module in Apache is it doesn't ever
log out its connection to the LDAP server as far as I can tell, so it's a
recipe for a sorcerer's apprentice syndrome DoS attack because of filehandle
limitations and the exponential number of connections it opens. Essentially
the Apache LDAP auth module is responsible for many of the claims that
centralized auth on Linux and Unix crashes often.
On May 3, 2012 5:39 AM, "cee1" wrote:

> Hi all,
>
> We have a round of web services (mail, JIRA, Trac, etc.); each has its
> own account database. We are seeking an SSO solution, so that users
> need only log in once and can then access all web services.
>
> Does FreeIPA support it gracefully?
>
>
>
> --
> Regards,
>
> - cee1
>
>