Bug 1131443

Summary: [RFE] Support SAML for authenticating users on the RHEV User Portal
Product: Red Hat Enterprise Virtualization Manager Reporter: Tim Speetjens <tspeetje>
Component: RFEs Assignee: Scott Herold <sherold>
Status: CLOSED CURRENTRELEASE QA Contact: Ondra Machacek <omachace>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: alonbl, anande, bazulay, ecohen, iheim, lpeer, mperina, oourfali, rbalakri, sherold, yeylon
Target Milestone: --- Keywords: FutureFeature
Target Release: 3.5.0 Flags: sherold: Triaged+
Hardware: All   
OS: Linux   
Whiteboard: infra
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-27 06:06:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tim Speetjens 2014-08-19 10:17:09 UTC
Description of problem:

Support SAML authentication systems, for password-less login into user portal

Comment 10 Barak 2014-08-26 11:19:10 UTC
Is it a duplicate of Bug 1092744?

Comment 11 Alon Bar-Lev 2014-08-26 17:01:06 UTC
(In reply to Barak from comment #10)
> is it a duplicate of Bug 1092744

Not exactly; integration with SAML can be done in 3.5 based on aaa extensions. Whether we will integrate out of the box with SAML in 3.6 or later is a different question.

Comment 16 Itamar Heim 2014-09-21 10:20:23 UTC
Alon - can we give instructions on how to test this with 3.5 for SAML for SSO to portals, not SSO to VMs?
Tim - can customer check this during 3.5 beta cycle?

Comment 17 Alon Bar-Lev 2014-09-21 10:27:30 UTC
(In reply to Itamar Heim from comment #16)
> Alon - can we give instructions how to test this with 3.5 for SAML for SSO
> to portals, not sso to VMs?
> Tim - can customer check this during 3.5 beta cycle?

Never tried it.
But if the configuration of mod_auth_saml[1] is intact and provides the authenticated user within REMOTE_USER, then it should not be different from the mod_auth_kerb[2] configuration.

If mod_auth_saml is insufficient, an authn extension can be implemented to support that; this requires development work vs. the integration above.

I will be happy to work with anyone to establish a SAML environment and a working mod_auth_saml configuration to integrate it with ovirt-engine.

[1] http://www.zxid.org/html/mod_auth_saml.html
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l129

Comment 18 Alon Bar-Lev 2014-12-17 12:34:07 UTC
This can be done in 3.5 per comment #17; suggest closing as NEXT_RELEASE.