Bug 1385724

Summary: [Docs][Admin] Update 3.6 SSO configuration documentation
Product: Red Hat Enterprise Virtualization Manager
Reporter: Paul Armstrong <parmstro>
Component: Documentation
Assignee: Tahlia Richardson <trichard>
Status: CLOSED CURRENTRELEASE
QA Contact: Megan Lewis <melewis>
Severity: unspecified
Docs Contact:
Priority: high
Version: 3.6.9
CC: gklein, lbopf, lsurette, mperina, rbalakri, srevivo, thildred, ykaul, ylavi
Target Milestone: ovirt-3.6.10
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-06 00:54:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Paul Armstrong 2016-10-17 15:04:59 UTC
Description of problem:
SSO configuration documentation incorrectly specifies using: 

ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension 

in the authn properties when trying to SSO.
The value should be:

ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension


Version-Release number of selected component (if applicable):
3.6.x

How reproducible:
Always

Steps to Reproduce:
1. Follow directions at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
 
OR

2. Follow directions at https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/154-configuring-ldap-and-kerberos-for-single-sign-on


Actual results:
Neither works. User authenticated by IdM is not logged in. There is no error message in any of the logs!

Expected results:
User is logged in correctly...

Additional info:
Changing the authn configuration to use

ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension

corrects the SSO login issue.

Additionally, there should be a way to automatically add the user REALM to the browser drop-down to support systems where SSO is not enabled in the browser. It is understandable that this may be a corner case requirement, but I am adding it here for completeness. There is no mention of the http-mapping file configuration. Also, the engine throws a whole tonne of Rewrite recursion errors in the http logs ... this can be resolved by adding RewriteBase / in the ovirt-sso.conf file.

Comment 8 Lucy Bopf 2016-11-18 01:20:58 UTC
Assigning to Tahlia for review.