Description of problem: Current user and admin portal doesn't support SSO. It would be nice to support SSO to user and admin portals. AFAIK it doesn't add any new requirement for installation, because Kerberos have to be in place anyway. It will "just" save single login/password dialog to the user (and will result in more secure authentication...) RHEV-M 3.1 requires Kerberos for directory services to work as stated in https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html-single/Installation_Guide/index.html#sect-Software_Requirements section 2.3.4.2. "Directory Services Support in Red Hat Enterprise Virtualization". Actual results: User is asked for login and password (via web form) before each access to user and admin portals. Expected results: User is automatically logged in when it has Kerberos ticket. Login/password prompt is shown when ticket is not available or is invalid. Additional info: Feel free to contact freeipa-devel with questions about Kerberos integration. Some integration examples can be found at http://freeipa.org/page/HowTos#3rd_party_Applications_Integration Plain libvirt+Kerberos integration is described at http://freeipa.org/page/Libvirt_with_VNC_Consoles
related to bug 570191
*** Bug 971504 has been marked as a duplicate of this bug. ***
Could the existing mod_auth_kerb be used to handle the authentication? We use this with several web sites today and we know it works, both with IPA and with Active Directory at the same time.
We have a design now. http://www.ovirt.org/Features/SSO Alon Bar Lev might know more about when it will be implemented.
Hi Alon, bug#570191 seems to be about: "support Kerberos authentication (for REST API)" or are you suggesting (as per your comment #10 and the reference to http://www.freeipa.org/page/Web_App_Authentication) that in 3.5 we are going to delegate the entire authentication to apache?
(In reply to Luca Miccini from comment #11) > Hi Alon, > > bug#570191 seems to be about: > > "support Kerberos authentication (for REST API)" > > or are you suggesting (as per your comment #10 and the reference to > http://www.freeipa.org/page/Web_App_Authentication) that in 3.5 we are going > to delegate the entire authentication to apache? yes, see bug#1113937 as well. we will release this as technology preview for 3.5.
Support for SSO customization will be available at 3.5.0, see bug#1113937.
Move doc note to block, remove from documentation, no reason to document same feature several times.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0158.html