ENGINE_SSO_AUTH_URL configuration

Hi Team,

I want oVirt to point to my Authentication / Authorization HTTP URL, so I modified the following property in /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf:

#ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso"
ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso"
#SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/"
SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/"

I verified in the log and found the following messages:

engine.log:2018-07-04 15:12:46,238+05 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is ' http://172.30.39.176:9090/api/auth/sso'.
engine.log:2018-07-04 15:12:46,244+05 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is ' http://172.30.39.176:9090/api/auth/'.

But it still does not point to my Authentication URL. Is there any other change we need to make to point the oVirt Authentication to my HTTP URL?

Thanks,
Hari

On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <hariprasanth.l@msystechnologies.com> wrote:
Hi,

what exactly are you trying to achieve? To change the URL where the engine is available, or to replace the existing oVirt SSO module with a custom implementation? If the latter, then this is not supported. But if you need to configure additional authentication methods, for example Kerberos SSO or CAS, you can do this using a combination of Apache with the relevant modules + the ovirt-engine-extension-aaa-ldap/ovirt-engine-extension-aaa-misc packages:

https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
https://github.com/oVirt/ovirt-engine-extension-aaa-misc/blob/master/README....
https://www.ovirt.org/blog/2016/04/sso/

Regards
Martin

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.

On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan <hariprasanth.l@msystechnologies.com> wrote:
There's no way to replace oVirt SSO with a different implementation; you need to use the oVirt token. But other than relying on Apache, you could also configure your application as an OpenID Connect client to oVirt SSO, similarly to how it's described for the Kibana/Elasticsearch integration:

https://www.ovirt.org/blog/2017/05/openshift-openId-integration-with-engine-...

Then you would have only a single token for both your application and oVirt.

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.

Hi Martin,

Thanks for pointing out this URL.

1) Based on this post, I created a client id using the 'ovirt-register-sso-client-tool':

select * from sso_clients;
3 | *test* | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2s1U2t3cWlCMGs9Iiwic2VjcmV0IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://172.30.39.176:9090/api/auth/sso | /root/ssl/ssl/certificate.pem | | oVirt Engine Client | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token:password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=revoke:revoke-all | t | TLS | f | t

I will store this sso_client information in my application too.

2) Is it possible to use *JUST* this 'client_id' and 'client_secret' to communicate from my application to oVirt instead of the oVirt token? I mean like:

My_Application ---> (using client id - test) oVirt API

Thanks,
Hari

On Wed, Jul 4, 2018 at 5:32 PM, Martin Perina <mperina@redhat.com> wrote:
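A note on the sso_clients row quoted above, with example code that is not from the thread or from oVirt: the third column is base64 of a JSON "EnvelopePBE" object (artifact, salt, secret, version, iterations, algorithm), so the table holds a salted PBKDF2 hash of the client secret, not the secret itself, and the plaintext cannot be copied out of this row into another application. The helper below builds and checks such an envelope on a constructed secret; it assumes, without checking oVirt's source, that the stored "secret" is the PBKDF2 output for the client secret, derived with the envelope's own salt and iteration count and as long as the stored value.

```python
import base64, hashlib, hmac, json, os
from typing import Optional

# Field names follow the sso_clients row quoted above: artifact "EnvelopePBE",
# salt, secret, version "1", iterations "4000", algorithm "PBKDF2WithHmacSHA1".
# Assumption (not checked against oVirt's source): "secret" is the PBKDF2 output
# for the client secret, derived with the envelope's own salt, iteration count
# and HMAC hash, and of the same length as the stored value.

def _digest_name(algorithm: str) -> str:
    # "PBKDF2WithHmacSHA1" -> "sha1"; refuse anything unfamiliar
    prefix = "PBKDF2WithHmac"
    if not algorithm.startswith(prefix):
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return algorithm[len(prefix):].lower()

def decode_envelope(encoded: str) -> dict:
    # The column is base64 of a JSON object; drop the spaces a mail client
    # inserts when it wraps a long row.
    env = json.loads(base64.b64decode("".join(encoded.split())))
    if env.get("artifact") != "EnvelopePBE" or env.get("version") != "1":
        raise ValueError("not an EnvelopePBE version 1 envelope")
    return env

def encode_envelope(secret: str, iterations: int = 4000,
                    salt: Optional[bytes] = None) -> str:
    # Constructed for this demo: build a row-shaped envelope for a secret.
    salt = salt if salt is not None else os.urandom(32)
    dk = hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, dklen=32)
    env = {"artifact": "EnvelopePBE",
           "salt": base64.b64encode(salt).decode(),
           "secret": base64.b64encode(dk).decode(),
           "version": "1", "iterations": str(iterations),
           "algorithm": "PBKDF2WithHmacSHA1"}
    return base64.b64encode(json.dumps(env).encode()).decode()

def check_secret(encoded: str, candidate: str) -> bool:
    # Re-derive with the envelope's parameters and compare in constant time.
    env = decode_envelope(encoded)
    salt = base64.b64decode(env["salt"])
    stored = base64.b64decode(env["secret"])
    dk = hashlib.pbkdf2_hmac(_digest_name(env["algorithm"]), candidate.encode(),
                             salt, int(env["iterations"]), dklen=len(stored))
    return hmac.compare_digest(dk, stored)
```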

On Wed, Jul 4, 2018 at 3:06 PM, Hari Prasanth Loganathan <hariprasanth.l@msystechnologies.com> wrote:
I don't think so; the client id/secret is used only to authenticate the OIDC client to the OIDC server, and not the real client to the application using SSO. But I'm leaving the final answer to this question to Ravi, he is our expert on OIDC. Ravi?

--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.

In short, it is not possible to replace the engine SSO service with an out-of-the-box OAuth2 or OIDC endpoint. We have a few custom endpoints that improve the performance of the engine and also help with authz searches, which are used to assign permissions to users/groups on the engine side.

On Wed, Jul 4, 2018 at 10:12 AM, Martin Perina <mperina@redhat.com> wrote: