<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I'm currently fighting with the new mandatory SSO system introduced in 4.0.<div class=""><br class=""></div><div class="">It's also used internally, as ovirt-engine calls itself, as shown in the Apache log, to identify itself to itself:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[2016-08-12 11:30:24] 10.83.16.34 "<a href="http://ovirt.prod.exalead.com" class="">ovirt.prod.exalead.com</a>" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"</span></div></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[2016-08-12 10:55:49] 10.83.16.34 "<a href="http://ovirt.prod.exalead.com" class="">ovirt.prod.exalead.com</a>" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div></span></div><div class="">But the SSO will be accessed by humans too:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[2016-08-12 11:29:27] 192.168.205.59 "<a href="http://ovirt.prod.exalead.com" class="">ovirt.prod.exalead.com</a>" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "<a href="https://ovirt.prod.exalead.com/ovirt-engine/" class="">https://ovirt.prod.exalead.com/ovirt-engine/</a>" 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"</span></div></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><br class=""></div><div class="">I'm using a custom Apache configuration, as I need that to better integrate ovirt into our running SSO and PKI setup.</div><div class=""><br class=""></div><div class="">So under SSO, I wonder which part needs to be protected using our own SSO, and which part can be open to any access, with the internal security of ovirt managing it?</div><div class=""><br class=""></div><div class="">In&nbsp;<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1342192" class="">https://bugzilla.redhat.com/show_bug.cgi?id=1342192</a>, it seems to me that&nbsp;<span style="white-space: pre-wrap;" class="">^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs to be protected. Am I right?</span></div><div class=""><br class=""></div><div class="">In my log, I've seen access to:</div><div class=""><br class="">/ovirt-engine/sso/status<br class="">/ovirt-engine/sso/oauth/token-info<br class="">/ovirt-engine/webadmin/sso/oauth2-callback<br class="">/ovirt-engine/webadmin/sso/login<br class="">/ovirt-engine/sso/oauth/token<br class="">/ovirt-engine/sso/oauth/authorize<br class="">/ovirt-engine/sso/interactive-redirect-to-module<br class="">/ovirt-engine/sso/interactive-login-next-auth<br class="">/ovirt-engine/sso/interactive-login-negotiate/ovirt-auth</div></body></html>