Bug 1199091

Summary: [RFE] enhance external authentication capabilities with SAML 2.0
Product: Red Hat Satellite Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: AuthenticationAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1.0CC: ahumbe, bkearney, cyril.cordouibarzi, dpal, eminguez, gapatil, jpazdziora, kkohli, mhulan, onerleka, patdung100+redhat, rbertolj, riehecky, stbenjam, sudharsan.omprakash, vkabatov
Target Milestone: UnspecifiedKeywords: FutureFeature, Reopened
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-13 00:18:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2015-03-05 13:09:57 UTC 
Description of problem:

For External Authentication, Satellite 6 has a way of using feature in connection with SSSD on IPA-enrolled machine. 

Can we enable SSO using an external SAML 2.0 Identity Provider.

Version-Release number of selected component (if applicable):

Satellite 6.12

How reproducible:

Deterministic.

Steps to Reproduce:
1. Attempt to configure Satellite 6 to consume external authentication/users via SAML 2.0

Actual results:

Currently there is no option available in Red Hat Satellite to configure SSO using an external SAML 2 Identity Provider

Expected results:

Able to Configure SSO using an external SAML 2 Identity Provider

Additional info:
Comment 1 RHEL Program Management 2015-03-05 13:23:20 UTC 
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 4 Jan Pazdziora (Red Hat) 2015-05-20 06:23:37 UTC 
For the record, if mod_auth_mellon based on https://github.com/UNINETT/mod_auth_mellon/commit/fc0aaef5bbf5d49e1b114f732625fb3439375e87 or later is used, the following configuration seems to work for Foreman and Ipsilon client, kindly provided by Nathan K.:

LoadModule auth_mellon_module modules/mod_auth_mellon.so

<Location />
  MellonEnable "info"
  MellonSPPrivateKeyFile /etc/httpd/saml2/https_${HOSTNAME}.key
  MellonSPCertFile /etc/httpd/saml2/https_${HOSTNAME}.cert
  MellonSPMetadataFile /etc/httpd/saml2/https_${HOSTNAME}.xml
  MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml
  MellonEndpointPath /saml2
  MellonIdP "IDP"
  MellonEnvVarsIndexStart 1
  MellonEnvVarsSetCount On
  MellonMergeEnvVars On ":"
  MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
  MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname
  MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname
  MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups
</Location>

<Location /users/extlogin>
  SSLRequireSSL
  AuthType "Mellon"
  MellonEnable "auth"
  ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
  ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
</Location>

The login_delegation_logout_url should then be set to https://$(hostname)/saml2/logout?ReturnTo=https://$(hostname)/users/extlogout.
Comment 6 Bryan Kearney 2016-07-08 20:32:29 UTC 
Per 6.3 planning, moving out non acked bugs to the backlog
Comment 8 Stephen Benjamin 2016-10-13 16:13:17 UTC 
Created redmine issue http://projects.theforeman.org/issues/16916 from this bug
Comment 10 sudharsan.omprakash 2018-06-12 14:50:42 UTC 
As a red hat customer, we recently initiated the Satellite 6.3 deployment. Adding to security features, we wanted to enable the SSO for this purpose we need Satellite to have SAML feature. So what is the current status and when can we expect this to be released.
Comment 11 Bryan Kearney 2018-09-04 19:21:45 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
Comment 14 Brad Buckingham 2023-05-08 12:47:51 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 15 Brad Buckingham 2023-06-13 00:18:00 UTC 
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.
Comment 16 Red Hat Bugzilla 2023-10-12 04:25:02 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days