Hi,
I'm glad to hear that you were able to successfully configure aaa-misc
and mod_auth_cas to allow CAS based login for oVirt.
Unfortunately regarding CAS authorization for oVirt I have somewhat bad
news for you. But let me explain the issue a bit:
1. Using aaa-misc we are able to pass only user name of the authenticated
user from apache to ovirt.
2. After that we have authenticated user on oVirt and then we pass
its username to authz extension to fetch full principal record including
group memberships. At the moment we don't pass anything else to authz
extension, just principal name (username).
So here are options how to enable CAS authorization for oVirt:
1. Implement new authz extension which will fetch principal record for CAS
server (if this is possible, I don't know much about CAS)
2. Or implement new authn/authz extensions specific to CAS which will use
CAS API do both authn and authz.
3. Use LDAP as a backend for you CAS server (if possible) and configure
authz part using ovirt-engine-extension-aaa-ldap
4. You could also create an RFE bug on oVirt to add CAS support, but
no promises from me :-) you are the first user asking about CAS support
And of course feel free to ask!
Regards
Martin Perina
[1] http://machacekondra.blogspot.cz/
[2] https://www.youtube.com/watch?v=bSbdqmRNLi0
[3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
[4] https://www.youtube.com/watch?v=9b9WVFsy_yg
[5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
[6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
[7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
[8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc
----- Original Message -----
> From: "Fabrice Bacchella" <fabrice.bacchella@orange.fr>
> To: Users@ovirt.org
> Sent: Tuesday, March 8, 2016 11:54:13 AM
> Subject: [ovirt-users] ovirt and CAS SSO
>
> I'm trying to add CAS SSO to ovirt.
>
> For authn (authentication),
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
> behind an Apache with mod_auth_cas.
>
> Now I'm fighting with authz (authorization). CAS provides everything needed
> as header. So I don't need ldap or jdbc extensions. Is there anything done
> about that or do I need to write my own extension ? Is there some
> documentation about that ?
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users