Bug 2069202

Summary: [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD
Product: Red Hat Enterprise Linux 9 Reporter: Alexander Bokovoy <abokovoy>
Component: ipaAssignee: Alexander Bokovoy <abokovoy>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Josip Vilicic <jvilicic>
Priority: unspecified    
Version: 9.1CC: aboscatt, amore, atikhono, erich.birngruber, frenaud, ftrivino, gfialova, jvilicic, myusuf, pasik, rcritten, spoore, tscherf, vvanhaft
Target Milestone: rcKeywords: FutureFeature, TechPreview, Triaged
Target Release: ---Flags: jvilicic: needinfo+
pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.10-1.el9 Doc Type: Technology Preview
Doc Text:
.RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP. Notable features include: * Adding, modifying, and deleting references to external IdPs with `ipa idp-*` commands * Enabling IdP authentication for users with the `ipa user-mod --user-auth-type=idp` command For additional information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-external-identity-providers-to-authenticate-to-idm_managing-users-groups-hosts[Using external identity providers to authenticate to IdM].
 Story Points: ---
Clone Of:
: 2101770 (view as bug list) Environment:
Last Closed: 2022-11-15 10:00:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2056482    
Bug Blocks:    

Description Alexander Bokovoy 2022-03-28 13:13:48 UTC 
Via bug 2056482, SSSD adds client and KDC sides of a preauthentication mechanism to MIT Kerberos to authenticate against externally hosted identity provider (IdP) with OAuth2 protocol. The preauthentication mechanism is called 'idp'.

'idp' preauthentication mechanism relies on KDC side on the code in FreeIPA KDB driver, currently being developed at https://github.com/abbra/freeipa/tree/external-idp. The code will eventually be merged into FreeIPA upstream and represents both KDB driver development and IPA management around IdP entities. IdP entities are modeled after RADIUS proxy support already present in FreeIPA.

This bug tracks integration of initial support for the external IdPs of FreeIPA in RHEL.
Comment 2 Alexander Bokovoy 2022-05-10 13:05:25 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/79a4073730a8fe5ba2424f3896a2fd440c17ac9e
https://pagure.io/freeipa/c/0484949b80d477ad858274b799ea1f48f2eec20a
https://pagure.io/freeipa/c/fd19bdfd54e674361b9dadd3792780406c8d82d6
https://pagure.io/freeipa/c/10e18c3dc732a52d173e803970f6eb53dd9b6087
https://pagure.io/freeipa/c/03a905eed92083b1edea634ce50fcc9dbeb34b5b
https://pagure.io/freeipa/c/3f6656e09a528b3f54281d77a6226231ac1c0f51
https://pagure.io/freeipa/c/a1be4fc86390559e6464fb31b76a4595da9f5465
https://pagure.io/freeipa/c/94f7d31d2dc725ebcb5a6859d32d602935c1b3b3
https://pagure.io/freeipa/c/429e523de675f86accd8667287cc468c8f9d1872
https://pagure.io/freeipa/c/82175da4b1c91516495a4f38a46a08ccfca4cd75
https://pagure.io/freeipa/c/543040a71d09710f817b29076cb7aa86d3014a02
https://pagure.io/freeipa/c/b5be7f2948f72b93fc418eb2697fe96efe14a11f
=== Tickets fixed ===
https://pagure.io/freeipa/issue/8803
https://pagure.io/freeipa/issue/8804
https://pagure.io/freeipa/issue/8805
Comment 3 Alexander Bokovoy 2022-05-10 20:10:45 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/42afcc95be0292dd0dbdf955dbe0e8e3a683782e
https://pagure.io/freeipa/c/8d81338cb94a2d850f53629ebba98a1f1ec90d1e
https://pagure.io/freeipa/c/1df7b82ac188650775703dc95530017c969d0bff
https://pagure.io/freeipa/c/2136bd5d00f7aed5ae722ff8253c2b74ba444972
https://pagure.io/freeipa/c/b77015b7a3b627282560253cf2cd579c89f02923
https://pagure.io/freeipa/c/bf8e2bb99f1c09ced820bd4bf6e9d7832db2caea
https://pagure.io/freeipa/c/673478b1cf9950aed755a6a9ae8f81cb323932b3
https://pagure.io/freeipa/c/51a4e42dd777661addd4f2fed1654ee978e8a4d7
https://pagure.io/freeipa/c/660c3dc2491fc2ee01031c1c59db6e0bb025bf93
https://pagure.io/freeipa/c/d0eab8fe7609fea0b46ea863db1822eca1daac63
https://pagure.io/freeipa/c/d49aa7103bacba60bae28f32bd76d9d35853626b
https://pagure.io/freeipa/c/5f9e0d3ff3bd80b75bc9f5de97e7e086ba0a31e3
=== Tickets fixed ===
https://pagure.io/freeipa/issue/8803
https://pagure.io/freeipa/issue/8804
https://pagure.io/freeipa/issue/8805
Comment 7 Florence Blanc-Renaud 2022-06-22 19:01:57 UTC 
Tests added upstream in ipatests/test_integration/test_idp.py

master:

    5ca4e8e pr-ci definitions: add external idp related jobs.
    9cc703f ipatests: Add integration tests for External IdP support

    a80a981 ipatests: update prci definitions for test_idp.py
    bd57ff3 Add end to end integration tests for external IdP


ipa-4-9:

    b979dd9 ipatests: Add integration tests for External IdP support
    b39f933 pr-ci definitions: add external idp related jobs.
Comment 8 Florence Blanc-Renaud 2022-06-23 11:45:37 UTC 
Tests:
ipa-4-9:

    857713c Add end to end integration tests for external IdP
    50b4d9a ipatests: update prci definitions for test_idp.py
Comment 13 anuja 2022-07-12 08:40:39 UTC 
Verified using nightly compose:

A) Using Versions:
ipa-server-4.10.0-2.el9.x86_64
sssd-idp-2.7.1-2.el9.x86_64

B)) Test result.out
============================= test session starts ==============================
platform linux -- Python 3.9.13, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.13', 'Platform': 'Linux-5.14.0-127.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 6 items

test_integration/test_idp.py::TestIDPKeycloak::test_auth_keycloak_idp PASSED [ 16%]
test_integration/test_idp.py::TestIDPKeycloak::test_auth_hbac PASSED     [ 33%]
test_integration/test_idp.py::TestIDPKeycloak::test_auth_sudo_idp PASSED [ 50%]
test_integration/test_idp.py::TestIDPKeycloak::test_auth_replica PASSED  [ 66%]
test_integration/test_idp.py::TestIDPKeycloak::test_idp_with_services PASSED [ 83%]
test_integration/test_idp.py::TestIDPKeycloak::test_idp_backup_restore PASSED [100%]
Comment 21 errata-xmlrpc 2022-11-15 10:00:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988