[ovirt-users] ovirt and CAS SSO

Martin Perina mperina at redhat.com
Fri Mar 11 16:55:41 UTC 2016 

Hi,

I'm glad to hear that you were able to successfully configure aaa-misc
and mod_auth_cas to allow CAS based login for oVirt.

Unfortunately regarding CAS authorization for oVirt I have somewhat bad
news for you. But let me explain the issue a bit:

1. Using aaa-misc we are able to pass only user name of the authenticated
   user from apache to ovirt.

2. After that we have authenticated user on oVirt and then we pass
   its username to authz extension to fetch full principal record including
   group memberships. At the moment we don't pass anything else to authz
   extension, just principal name (username).

So here are options how to enable CAS authorization for oVirt:

1. Implement new authz extension which will fetch principal record for CAS
   server (if this is possible, I don't know much about CAS)

2. Or implement new authn/authz extensions specific to CAS which will use
   CAS API do both authn and authz.

3. Use LDAP as a backend for you CAS server (if possible) and configure
   authz part using ovirt-engine-extension-aaa-ldap

4. You could also create an RFE bug on oVirt to add CAS support, but
   no promises from me :-) you are the first user asking about CAS support

Regarding documentation:

  - oVirt engine extensions API JavaDoc is contained in package
    ovirt-engine-extensions-api-impl-javadoc

  - Ondra wrote some great articles about oVirt AAA configurations and
    published them on his blog [1]

  - You can also take a look at some presentations about oVirt extensions:

      The New oVirt Extension API: Taking AAA to the next level [2] [3]
      oVirt Extension API: The first step for fully modular oVirt [4] [5]

  - And you can also take a look at sources of existing aaa-ldap [6],
    aaa-misc [7] and aaa-jdbc [8] extensions
    
And of course feel free to ask!

Regards

Martin Perina

[1] http://machacekondra.blogspot.cz/
[2] https://www.youtube.com/watch?v=bSbdqmRNLi0
[3] http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
[4] https://www.youtube.com/watch?v=9b9WVFsy_yg
[5] http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
[6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
[7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
[8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc

----- Original Message -----
> From: "Fabrice Bacchella" <fabrice.bacchella at orange.fr>
> To: Users at ovirt.org
> Sent: Tuesday, March 8, 2016 11:54:13 AM
> Subject: [ovirt-users] ovirt and CAS SSO
> 
> I'm trying to add CAS SSO to ovirt.
> 
> For authn (authentication),
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put jboss
> behind an Apache with mod_auth_cas.
> 
> Now I'm fighting with authz (authorization). CAS provides everything needed
> as header. So I don't need ldap or jdbc extensions. Is there anything done
> about that or do I need to write my own extension ? Is there some
> documentation about that ?
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list