[ovirt-users] Re: ENGINE_SSO_AUTH_URL configuration

On Wed, Jul 4, 2018 at 3:06 PM, Hari Prasanth Loganathan <hariprasanth.l@ msystechnologies.com> wrote: > Hi Martin, > > Thanks for pointing this url. > > 1) Based on this post, I created a client id using the > 'ovirt-register-sso-client-tool' > > > select * from sso_clients; > > 3 | *test* | eyJhcnRpZmFjdCI6IkVudmVsb3BlUE > JFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2 > s1U2t3cWlCMGs9Iiwic2VjcmV0 > IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044 > VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3Jp > dGhtIjoiUEJLREYyV2l0aEh > tYWNTSEExIn0= | http://172.30.39.176:9090/api/auth/sso | > /root/ssl/ssl/certificate.pem | > > | oVirt Engine Client | | openid > ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity > ovirt-ex > t=token:password-access ovirt-ext=auth:sequence-priority > ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search > ovirt-ext=token-info > :public-authz-search ovirt-ext=token-info:validate > ovirt-ext=revoke:revoke-all | t | TLS | > f > | t > > > > I will store this sso_client information in my application too. > > > 2) Is it possible to use *JUST* this 'client_id' and 'client_secret' to > communicate from my application to oVirt instead of oVirt token? > > I mean like My_Application ---> (using client id - test) oVirt > API > ​I don't think so, the client id/secret is used only to authenticate OIDC client to the OIDC server, and not real client to the application ​using SSO. But leaving this final answer to this question to Ravi, he is our expert on OIDC. Ravi? > > Thanks, > Hari > > > > > > > On Wed, Jul 4, 2018 at 5:32 PM, Martin Perina <mperina(a)redhat.com&gt; wrote: > >> >> >> On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan < >> hariprasanth.l(a)msystechnologies.com&gt; wrote: >> >>> Okay Thanks Martin. >>> I already come across this blog but curious any way to point the >>> authentication and authorization to my HTTP URL. so that I don't want to >>> depend on the ovirt token. >>> >> >> ​There's no way how to replace oVirt SSO with different implementation, >> you need to use oVirt token. >> >> But other than relying on Apache you could also configure your >> application as OpenID Connect client to oVirt SSO similarly as it's >> described for Kibana/Elastic search integration: >> >> https://www.ovirt.org/blog/2017/05/openshift-openId-integrat >> ion-with-engine-sso/​ >> >> Then you would have only single token for both your application and oVirt >> >> >>> >>> >>> >>> >>> On Wed, Jul 4, 2018 at 5:04 PM, Martin Perina <mperina(a)redhat.com&gt; >>> wrote: >>> >>>> >>>> >>>> On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan < >>>> hariprasanth.l(a)msystechnologies.com&gt; wrote: >>>> >>>>> Hi Team, >>>>> >>>>> I want oVirt to point to my Authentication / Authorization HTTP URL, >>>>> so I modified the following property in >>>>> */etc/ovirt-engine/engine.conf.d/11-setup-sso.conf* >>>>> >>>>> >>>>> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso" >>>>> ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso" >>>>> >>>>> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/" >>>>> SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/" >>>>> ​ >>>>> >>>> >>>>> I verified in the log and found the following message : >>>>> >>>>> engine.log:2018-07-04 15:12:46,238+05 INFO >>>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService >>>>> Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is ' >>>>> http://172.30.39.176:9090/api/auth/sso';. >>>>> engine.log:2018-07-04 15:12:46,244+05 INFO >>>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService >>>>> Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is ' >>>>> http://172.30.39.176:9090/api/auth/';. >>>>> >>>>> >>>>> But still it is not point to my Authentication URL, Is there any >>>>> other change we need to make to point the oVirt Authentication to my HTTP >>>>> URL? >>>>> >>>> >>>> ​Hi, >>>> >>>> what exactly are you trying to achieve? To change URL where engine is >>>> available or to replace existing oVirt SSO module with custom >>>> implementation? If the latter, then this is not supported. >>>> >>>> But if you need to configure additional authentication methods, for >>>> example kerberos SSO or CAS, you can do this using combination of Apache >>>> with relevant modules + ovirt-engine-extension-aaa-lda >>>> p/ovirt-engine-extension-aaa-misc packages: >>>> >>>> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blo >>>> b/master/README >>>> https://github.com/oVirt/ovirt-engine-extension-aaa-misc/blo >>>> b/master/README.http >>>> https://www.ovirt.org/blog/2016/04/sso/ >>>> >>>> Regards >>>> >>>> Martin >>>> ​ >>>> >>>>> >>>>> Thanks, >>>>> Hari >>>>> >>>>> _______________________________________________ >>>>> Users mailing list -- users(a)ovirt.org >>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>>> y/about/community-guidelines/ >>>>> List Archives: https://lists.ovirt.org/archiv >>>>> es/list/users(a)ovirt.org/message/NZKOGON5PKXSE47J25X72WYCOIGOJ3NW/ >>>>> >>>>> >>>> >>>> >>>> -- >>>> Martin Perina >>>> Associate Manager, Software Engineering >>>> Red Hat Czech s.r.o. >>>> >>> >>> >> >> >> -- >> Martin Perina >> Associate Manager, Software Engineering >> Red Hat Czech s.r.o. >> > > -- Martin Perina Associate Manager, Software Engineering Red Hat Czech s.r.o.