On 11 March 2016 at 11:55, Martin Perina <mperina@redhat.com> wrote:
Hi,

I'm glad to hear that you were able to successfully configure aaa-misc
and mod_auth_cas to allow CAS based login for oVirt.

Unfortunately regarding CAS authorization for oVirt I have somewhat bad
news for you. But let me explain the issue a bit:

1. Using aaa-misc we are able to pass only user name of the authenticated
   user from apache to ovirt.

2. After that we have authenticated user on oVirt and then we pass
   its username to authz extension to fetch full principal record including
   group memberships. At the moment we don't pass anything else to authz
   extension, just principal name (username).

So here are options how to enable CAS authorization for oVirt:

1. Implement new authz extension which will fetch principal record for CAS
   server (if this is possible, I don't know much about CAS)

2. Or implement new authn/authz extensions specific to CAS which will use
   CAS API do both authn and authz.

3. Use LDAP as a backend for you CAS server (if possible) and configure
   authz part using ovirt-engine-extension-aaa-ldap

4. You could also create an RFE bug on oVirt to add CAS support, but
   no promises from me :-) you are the first user asking about CAS support


err, no I asked about it about 18 months ago on this very list and got no response.  So in a way they are the first to ask and actually get a response.



 

And of course feel free to ask!

Regards

Martin Perina

[1] http://machacekondra.blogspot.cz/
[2] https://www.youtube.com/watch?v=bSbdqmRNLi0
[3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
[4] https://www.youtube.com/watch?v=9b9WVFsy_yg
[5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
[6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
[7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
[8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc

----- Original Message -----
> From: "Fabrice Bacchella" <fabrice.bacchella@orange.fr>
> To: Users@ovirt.org
> Sent: Tuesday, March 8, 2016 11:54:13 AM
> Subject: [ovirt-users] ovirt and CAS SSO
>
> I'm trying to add CAS SSO to ovirt.
>
> For authn (authentication),
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
> behind an Apache with mod_auth_cas.
>
> Now I'm fighting with authz (authorization). CAS provides everything needed
> as header. So I don't need ldap or jdbc extensions. Is there anything done
> about that or do I need to write my own extension ? Is there some
> documentation about that ?
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users