Bug 1018927 - SAML support for Fedora accounts
Status: CLOSED NEXTRELEASE
Product: Bugzilla
Classification: Community
Component: Bugzilla General
Version: 4.4
Assigned To: Jeff Fearn
tools-bugs
Depends On: 1125081
Blocks: 1266821
Reported: 2013-10-14 13:41 EDT by Kevin Fenzi
Modified: 2016-10-12 22:55 EDT
Fixed In Version: 5.0.3-rh8
Doc Type: Bug Fix
Last Closed: 2016-10-12 06:59:37 EDT
Type: Bug
Attachments: None
Description Kevin Fenzi 2013-10-14 13:41:53 EDT
Fedora Project would love to have openid support available for Fedora and Fedora EPEL maintainers, users and qa folks to use with our Fedora openid provider. 

Pros: 

* Would allow users to authenticate to our openid provider, so they don't need to create/maintain another login/password in bugzilla. 

* Would allow us to not have to maintain a script to sync permissions for fedora contributors that need permissions (openid could just return that group information to bugzilla). Would reduce load running that script all the time. 

* If we allow any openid provider, it would allow a lower barrier to entry to file bugs for new users (no need to create a bugzilla account, just use openid) while still giving us an email address to contact the user via. This might be a nice PR win making us more accessible. Might also allow more upstream folks to comment since they don't need to make an account. 

Cons: 

* would be a non upstreamed plugin to maintain. 

* would need to make sure it does not affect/change any groups that are not Fedora related. 

We would of course want to restrict the groups that openid would be allowed to authenticate a user for to only Fedora related ones. All RHEL or other groups would still need to keep their own accounts, etc. 

Upstream bugzilla seems to have moved to 'persona' support. This could work with our provider, but it's not ideal as it's only email address (no group information). 

There's an openid plugin at: 

https://github.com/jalcine/bugzilla-openid
and more information about upstream and openid at: 
https://wiki.mozilla.org/Bugzilla:OpenID_Auth_Plugin

Happy to answer questions or provide more information on this. 

Thanks for your consideration.
Comment 1 Patrick Uiterwijk 2013-10-14 13:46:21 EDT
In case of any questions regarding OpenID implementation in the Fedora Infrastructure, I can provide any info wanted on that.
Comment 2 Kevin Fenzi 2014-04-09 17:06:59 EDT
Just as an update here, our fedoauth provider now fully supports persona. 

I don't know if that would do everything we need, but if it's easier from a support side we could investigate that? I know Patrick would be happy to answer any questions around that.
Comment 3 Jason Tibbitts 2015-08-14 00:19:38 EDT
Was looking to see if anyone had requested, but.... 1125081 is private.
Comment 4 Jason McDonald 2015-08-14 01:11:17 EDT
(In reply to Jason Tibbitts from comment #3)
> Was looking to see if anyone had requested, but.... 1125081 is private.

1125081 is a similar request for authenticating another group of users via another auth mechanism. That means that we'll need to implement this in a way that supports multiple authentication mechanisms.  Presumably we'll need to cascade through them in a deterministic order, with the basic Bugzilla auth last.  We'll need to be mindful of performance/responsiveness when we implement this.
Comment 5 Patrick Uiterwijk 2015-11-17 06:34:01 EST
Please note that as of a few months ago, Fedora also provides SAML2.
Comment 6 Jeff Fearn 2016-04-04 18:40:58 EDT
(In reply to Patrick Uiterwijk from comment #5)
> Please note that as of a few months ago, Fedora also provides SAML2.

I've tried googling for the Fedora SAML2 details but couldn't find anything, anyone have a docs link?

I'm currently working on SAML2 for Red Hat authentication, so being able to test Fedora SAML2 at the same time would be a good extra test and streamline this bug.
Comment 7 Patrick Uiterwijk 2016-04-04 19:30:50 EDT
(In reply to Jeff Fearn from comment #6)
> (In reply to Patrick Uiterwijk from comment #5)
> > Please note that as of a few months ago, Fedora also provides SAML2.
> 
> I've tried googling for the Fedora SAML2 details but could't find anything,
> anyone have a docs link?
> 
> I'm currently working on SAML2 for Red Hat authentication, so being able to
> test Fedora SAML2 at the same time would be a good extra test and streamline
> this bug.

These details are not public at the moment, but if you give me the expected host name I can issue a certificate that gives access to our staging SAML instance.
Or, if you already have a certificate, just passing your current metadata is good enough for us.


You can find our SAML metadata at https://id.fedoraproject.org/saml2/metadata

And for staging: https://id.stg.fedoraproject.org/saml2/metadata
Comment 8 Patrick Uiterwijk 2016-04-04 20:01:46 EDT
(In reply to Patrick Uiterwijk from comment #7)

> These details are not public at the moment, ...

Correcting my phrasing: everything about this setup is public.
Only the documentation is missing at this moment, but it's "plain old SAML2", powered by Ipsilon.
Comment 11 Rony Gong 2016-08-07 22:22:54 EDT
@Jeff, Could you guide me how to test this bug?
Comment 12 Jeff Fearn 2016-08-10 21:07:43 EDT
(In reply to Rony Gong from comment #11)
> @Jeff, Could you guide me how to test this bug?

I believe that testing this is currently blocked on the QE web server and the Fedora devel IDP both having signed certificates. It might also be blocked on someone from QE having a FAS account and that being enabled on the FAS devel IDP.

Once they both have signed certs then the QE server will need to be configured:

1: Administration -> SAML2Auth IdP Settings

2: Add a new entry:

Name:   Fedora Account System
CACert: /etc/pki/tls/certs/ca-bundle.trust.crt
URL:    https://id.stg.fedoraproject.org/saml2/metadata
Icon:   fa-cogs
Regex:  (?<![@.])redhat.com

Assuming you are using the latest versions of my Ansible repo, you can log out and when you log in the FAS option should be in the box of login options.

You may need to restart apache for that to take effect.

If not then you have to tweak the parameters.

$server://editparams.cgi?section=auth

user_info_class: SAML2Auth,CGI

user_verify_class: Make sure SAML2Auth is at the top of the active list


$server://editparams.cgi?section=saml2auth

saml2auth_sp_crt:    /etc/httpd/conf/ssl.crt
saml2auth_sp_key:    /etc/httpd/conf/ssl.key
saml2auth_sp_cacert: /etc/pki/tls/certs/ca-bundle.trust.crt

This assumes you are using the standard locations and have imported all the CAs as normal, i.e. the certificates are set up as per Ops and IT standard practices.

You may need to restart apache for that to take effect.

Once the QE server is set up and working, login attempts will fail until Peter imports the QE web server's SA metadata. He can get this data from $server://saml2_metadata.cgi, which is why it's easier to set up the SA before the IDP.

Needinfoing Peter for his input on the FAS devel server and if my information about it is accurate.
Comment 13 Patrick Uiterwijk 2016-09-14 19:51:39 EDT
New certificate has been provided.
Comment 14 Rony Gong 2016-09-22 23:55:06 EDT
Tested on QA environment (5.0.3-rh6)
Result: Fail
Steps:
1. Open the fedora page https://fedoraproject.org/wiki/Join to login
2. Click the link 'Fedora Account System' in the login dialog box
==>Redirect to new page with error:
500 - Internal Server Error
Ipsilon encountered an unexpected internal error while trying to fulfill your request.

Please retry again.

If the error persists, contact the server administrator to resolve the problem.
Comment 15 Jeff Fearn 2016-10-04 23:13:32 EDT
This is working for me, it might have been a temporary issue with the IDP.
Comment 16 Rony Gong 2016-10-11 21:50:32 EDT
@Jeff, Could you try to login by fedora account on qe server: 
https://bz-web.host.qe.eng.pek2.redhat.com/

Same error as before.
Comment 17 Jeff Fearn 2016-10-11 21:56:30 EDT
I get this:

Your attempt to authenticate using this email address "jfearn@redhat.com" on the chosen IDP has been forbidden by the site administration; it does not match the specified regular expression "^(?!.*@redhat.com)".

Which is correct, I don't have a non-redhat account to try it on.
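The per-IdP "Regex" field configured in comment 12 and the rejection message in comment 17 together describe the check that keeps an external identity provider from asserting accounts in the site's own domain: the email the IdP returns is accepted only if it matches the entry's regular expression. The following is an added example, not code from Bugzilla or the SAML2Auth extension, that applies that rule with the regex quoted in comment 17 and with an assumed stricter variant of my own; the sample addresses are constructed.

```python
import re

# Regex as it appears in the rejection message in comment 17. It matches any
# string that does not contain "@redhat.com", so such addresses are refused.
REGEX_FROM_THREAD = r"^(?!.*@redhat.com)"

# Assumed hardened variant (not from the page): requires a single "@", escapes
# the dot, anchors the domain to the end of the address and also refuses
# subdomains of redhat.com. Whether subdomains should be refused is a policy
# choice; this shows how to express it if they should.
REGEX_ANCHORED = r"^(?![^@]+@(?:[^@]+\.)?redhat\.com$)[^@]+@[^@]+$"


def idp_allows(regex: str, email: str) -> bool:
    """Apply the rule from the thread: the asserted email must match the
    IdP entry's regex, otherwise the login is forbidden."""
    return re.search(regex, email) is not None


def evaluate(regex: str, emails):
    """Return {email: allowed} for a batch of IdP-asserted addresses."""
    return {e: idp_allows(regex, e) for e in emails}


# Constructed sample addresses an external IdP might assert.
SAMPLES = [
    "jfearn@redhat.com",            # internal domain: must be refused
    "user@fedoraproject.org",       # external user: allowed
    "user@sub.redhat.com",          # subdomain: thread regex lets it through
    "user@redhat.com.example.org",  # thread regex refuses, anchored allows
    "user@redhatXcom",              # unescaped dot in thread regex refuses it
]

if __name__ == "__main__":
    for name, rx in (("thread", REGEX_FROM_THREAD), ("anchored", REGEX_ANCHORED)):
        print(name)
        for email, ok in evaluate(rx, SAMPLES).items():
            print(f"  {email:32} {'allowed' if ok else 'forbidden'}")
```

The difference between the two patterns is only where the match is anchored and whether "." is literal: the thread's regex is a negative lookahead over the whole string, so it also blocks addresses that merely contain "@redhat.com" somewhere, while letting "user@sub.redhat.com" pass.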
Comment 18 Rony Gong 2016-10-11 22:31:00 EDT
It works now after I do more settings (finish contributor agreement) to my test account. Thanks
Comment 19 Rony Gong 2016-10-11 22:32:02 EDT
Tested on QA environment (5.0.3-rh8)
Result: Pass