Hi All,

Please find design document [1] for integrating ovirt-engine with Keycloak using mod_auth_openidc. Engine can be configured to use external IDP to handle user authentication while still supporting Rest API bearer authentication.

There are some changes to how clients will obtain tokens to use for bearer authentication. All clients need to request tokens from the external IDP and use it to access engine. When external authentication is enabled admin@internal and all internal profiles for authentication are disabled. Please see the design document for more details.

Thanks

Ravi

[1] https://docs.google.com/document/d/1Wio7bQNeNinx7Luj5t-KpsSYQ2Z1Y0I8UhUyJAZOjxE/edit?usp=sharing

Integration Issues that need attention

1. Ovirt-engine Python, Java and Ruby SDKs need to be modified to obtain token from either engine SSO or external OpenID Connect IDP.
2. OVN if we are not using SDK needs to be modified to obtain token from either engine SSO or external OpenID Connect IDP.
3. OVN changes needed to config user admin@internal. admin@internal access will be disabled if external integration is enabled. So OVN needs to be configurable to use another user for REST API access.
4. Ansible is using SDK, if SDK is fixed to use a file the file needs to passed from ansible to SDK.
5. Cloudforms and Satellite are using Ruby SDK, we need to file a bug to fix the issue. The file with the details of external IDP URL and client-id and client-secret needs to be passed to SDK.
6. REST API SDK V3 is not going to work with password and negotiate authentication
7. VM Single Sign-on will not work as we don’t have a password.
8. VM Console needs to work, if VM console is using token and bearer authentication everything should work