Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-08 Thread Kiran Patil
 There was no follow up on this so what I am specifically interested in is
 how CAS server integrates with external servers. Does it have some sort
 of pluggable interface like PAM? Even if it does it is probably
 implementation specific. So is it just a configuration issue to
 configure the auth sources or auth providers like IPA have to actually
 build a special provider module?
 If it is a config issue it might be something that we can try and
 document as a solution. If it requires development I want to understand
 what is the cost and benefits. It is unclear how widely CAS is used in
 general and is there one most popular implementation that we should
 focus on in future.



I found this article
http://www.computerworld.com/s/article/9218973/5_cool_tools_for_cloud_management?taxonomyId=154pageNumber=1;

http://www.symplified.com/main/what-we-do-for-you/products/SSO/

Thanks,
Kiran.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Dmitri Pal
On 08/04/2011 05:24 AM, Kiran Patil wrote:
 Did anybody get it working?

 Please share your experiences with configuration details.

 Thanks,
 Kiran.



Which CAS server implementation are you using?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Kiran Patil

 Which CAS server implementation are you using?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


Sorry, I picked the subject from one of the earlier threads of the FreeIPA user list.

Right now we are evaluating different solutions.

We found the FreeIPA project interesting, which provides an all-in-one
solution which is backed by Red Hat and community members.

I have also seen an enhancement request for SAML in FreeIPA
(https://fedorahosted.org/freeipa/ticket/1275).

I wanted to know, since
RapidNoreapeat (https://www.redhat.com/archives/freeipa-users/2011-July/msg00103.html)
has raised this question earlier, whether he has succeeded in implementing
the solution.

Thanks,
Kiran Patil.



Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-08-04 Thread Dmitri Pal
On 08/04/2011 11:07 AM, Kiran Patil wrote:
 Which CAS server implementation are you using?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.

 Sorry, I picked the subject from one of the earlier threads of the FreeIPA user
 list.

 Right now we are evaluating different solutions.

 We found the FreeIPA project interesting, which provides an all-in-one
 solution which is backed by Red Hat and community members.

 I have also seen an enhancement request for SAML in FreeIPA
 (https://fedorahosted.org/freeipa/ticket/1275).

 I wanted to know, since
 RapidNoreapeat (https://www.redhat.com/archives/freeipa-users/2011-July/msg00103.html)
 has raised this question earlier, whether he has succeeded in implementing
 the solution.


There was no follow up on this so what I am specifically interested in is
how CAS server integrates with external servers. Does it have some sort
of pluggable interface like PAM? Even if it does it is probably
implementation specific. So is it just a configuration issue to
configure the auth sources or auth providers like IPA have to actually
build a special provider module?
If it is a config issue it might be something that we can try and
document as a solution. If it requires development I want to understand
what is the cost and benefits. It is unclear how widely CAS is used in
general and is there one most popular implementation that we should
focus on in future.

 Thanks,
 Kiran Patil.





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-29 Thread Rapid Noreapeat
Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Rapid Noreapeat wrote:

 Is it possible to integrate my web applications like portal website,
 helpdesk website, and other web apps login using FreeIPA's login
 accounts (SSO) like CAS?


 It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide
 access to your KDC for this to work. If we're talking external portal then
 you may not want to expose your KDC.

 It also requires some configuration. Your browser has to be configured to
 do Negotiate auth against a given domain.  It will also need to trust the
 IPA CA (and since CAS seems at least partially SSL-based you already handle
 this).

 I don't know much about CAS other than what I just read on their web site
 but it looks like they handle redirecting when you aren't authenticated,
 seemingly allowing a nice way to mix protected and unprotected data. I think
 you'd have to do much of this configuration yourself in Apache. Probably not
 a huge amount of work though.

 So it is basically whatever mod_auth_kerb provides.

 rob


Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-29 Thread Adam Young
In order to authenticate through the firewall you have to allow kinit
and kerberos web traffic through, which means opening port 88. If you
are unwilling to do that, you need to come up with an authentication
solution that will pass through firewalls, which means either basic
auth, digest, or certificates. IPA has an embedded CA in it (Dogtag) but
does not yet manage user certificates.


http://pki.fedoraproject.org/wiki/PKI_Main_Page

The approaches for web only single sign on (OpenID, OAuth, SAML and so
forth) still require the initial authentication. Since IPA doesn't
currently have a solution for that piece, we do not yet support one of
the HTTP SSO mechanisms, but it is under discussion.



On 07/29/2011 02:30 AM, Rapid Noreapeat wrote:

Thank you for your quick reply Rob,

I'll try it.

On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden rcrit...@redhat.com wrote:


Rapid Noreapeat wrote:

Is it possible to integrate my web applications like portal
website,
helpdesk website, and other web apps login using FreeIPA's login
accounts (SSO) like CAS?


It depends. The FreeIPA SSO is Kerberos-based so you'd need to
provide access to your KDC for this to work. If we're talking
external portal then you may not want to expose your KDC.

It also requires some configuration. Your browser has to be
configured to do Negotiate auth against a given domain.  It will
also need to trust the IPA CA (and since CAS seems at least
partially SSL-based you already handle this).

I don't know much about CAS other than what I just read on their
web site but it looks like they handle redirecting when you aren't
authenticated, seemingly allowing a nice way to mix protected and
unprotected data. I think you'd have to do much of this
configuration yourself in Apache. Probably not a huge amount of
work though.

So it is basically whatever mod_auth_kerb provides.

rob




Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-28 Thread Rob Crittenden

Rapid Noreapeat wrote:

Is it possible to integrate my web applications like portal website,
helpdesk website, and other web apps login using FreeIPA's login
accounts (SSO) like CAS?


It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide 
access to your KDC for this to work. If we're talking external portal 
then you may not want to expose your KDC.


It also requires some configuration. Your browser has to be configured 
to do Negotiate auth against a given domain.  It will also need to trust 
the IPA CA (and since CAS seems at least partially SSL-based you already 
handle this).


I don't know much about CAS other than what I just read on their web 
site but it looks like they handle redirecting when you aren't 
authenticated, seemingly allowing a nice way to mix protected and 
unprotected data. I think you'd have to do much of this configuration 
yourself in Apache. Probably not a huge amount of work though.


So it is basically whatever mod_auth_kerb provides.

rob
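
An added example, not part of Rob's message or of the FreeIPA project's own material: a minimal Apache virtual host using mod_auth_kerb that serves unprotected content alongside a Negotiate-protected location, as discussed in the reply above. The host name, realm, certificate paths and keytab location are placeholder assumptions.

```apache
# Added example. web.example.com, EXAMPLE.COM and all file paths are placeholders.
# Assumes mod_auth_kerb is installed and that a keytab for the service
# principal HTTP/web.example.com@EXAMPLE.COM has been retrieved from the
# IPA server (for instance with ipa-getkeytab) into the file named below.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost *:443>
    ServerName web.example.com

    # Server certificate issued by a CA the browsers trust (the IPA CA here).
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/web.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/web.example.com.key

    # Unprotected content: no auth directives, served to anyone.
    DocumentRoot /var/www/html

    # Protected content: Kerberos tickets only.
    <Location /helpdesk>
        AuthType Kerberos
        AuthName "Kerberos Login"

        # Accept SPNEGO tokens sent in "Authorization: Negotiate ...".
        KrbMethodNegotiate On

        # Off: no Basic-auth password fallback, so user passwords never
        # reach the web server. Clients must obtain their own ticket,
        # which requires them to reach the KDC. Turning this On lets
        # Apache check a password against the KDC on the user's behalf,
        # at the cost of the web server handling the password.
        KrbMethodK5Passwd Off

        KrbAuthRealms  EXAMPLE.COM
        KrbServiceName HTTP

        # Keytab must be readable by the Apache user only; anyone who
        # can read it can impersonate this HTTP service.
        Krb5KeyTab /etc/httpd/conf/http.keytab

        # Do not store delegated credentials on the web server.
        KrbSaveCredentials Off

        Require valid-user
    </Location>
</VirtualHost>
```

Browsers send Negotiate tokens only to hosts they are configured to trust (in Firefox, the `network.negotiate-auth.trusted-uris` preference), and with the password fallback off every client needs a path to the KDC on port 88 to get the service ticket.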
