[ovirt-users] ovirt and CAS SSO
Alastair Neil
ajneil.tech at gmail.com
Mon Mar 14 14:59:35 UTC 2016
On 11 March 2016 at 11:55, Martin Perina <mperina at redhat.com> wrote:
> Hi,
>
> I'm glad to hear that you were able to successfully configure aaa-misc
> and mod_auth_cas to allow CAS based login for oVirt.
>
> Unfortunately regarding CAS authorization for oVirt I have somewhat bad
> news for you. But let me explain the issue a bit:
>
> 1. Using aaa-misc we are able to pass only user name of the authenticated
> user from apache to ovirt.
>
> 2. After that we have authenticated user on oVirt and then we pass
> its username to authz extension to fetch full principal record including
> group memberships. At the moment we don't pass anything else to authz
> extension, just principal name (username).
>
> So here are options how to enable CAS authorization for oVirt:
>
> 1. Implement new authz extension which will fetch principal record for CAS
> server (if this is possible, I don't know much about CAS)
>
> 2. Or implement new authn/authz extensions specific to CAS which will use
> CAS API do both authn and authz.
>
> 3. Use LDAP as a backend for you CAS server (if possible) and configure
> authz part using ovirt-engine-extension-aaa-ldap
>
> 4. You could also create an RFE bug on oVirt to add CAS support, but
> no promises from me :-) you are the first user asking about CAS support
>
err, no I asked about it about 18 months ago on this very list and got no
response. So in a way they are the first to ask and actually get a
response.
>
> And of course feel free to ask!
>
> Regards
>
> Martin Perina
>
> [1] http://machacekondra.blogspot.cz/
> [2] https://www.youtube.com/watch?v=bSbdqmRNLi0
> [3]
> http://www.slideshare.net/MartinPeina/the-new-ovirt-extension-api-taking-aaa-authentication-authorization-accounting-to-the-next-level
> [4] https://www.youtube.com/watch?v=9b9WVFsy_yg
> [5]
> http://www.slideshare.net/MartinPeina/ovirt-extension-api-the-first-step-for-fully-modular-ovirt
> [6] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap
> [7] https://github.com/oVirt/ovirt-engine-extension-aaa-misc
> [8] https://github.com/oVirt/ovirt-engine-extension-aaa-jdbc
>
> ----- Original Message -----
> > From: "Fabrice Bacchella" <fabrice.bacchella at orange.fr>
> > To: Users at ovirt.org
> > Sent: Tuesday, March 8, 2016 11:54:13 AM
> > Subject: [ovirt-users] ovirt and CAS SSO
> >
> > I'm trying to add CAS SSO to ovirt.
> >
> > For authn (authentication),
> > org.ovirt.engineextensions.aaa.misc.http.AuthnExtension is OK, I put
> jboss
> > behind an Apache with mod_auth_cas.
> >
> > Now I'm fighting with authz (authorization). CAS provides everything
> needed
> > as header. So I don't need ldap or jdbc extensions. Is there anything
> done
> > about that or do I need to write my own extension ? Is there some
> > documentation about that ?
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20160314/204131a5/attachment-0001.html>
More information about the Users
mailing list