Hello,

The single sign on into web applications is a new feature, it should not be confused with Single sign-on into virtual machines (or more correctly: password delegation).

Documentation for this feature is available here[1][2], actual use case with the new ldap implementation is documented here[3].

For the kerberos use case[3], it means that the user login into his workstation and have kerberos TGT, then he is able to access the webadmin and userportal without specifying his user and password again.

One feature is lost: as the userportal is not accepting the user password, then the password delegation into VM cannot work (aka Single sign-on into virtual machines).

I truly wish we can refer to the package documentation and not maintain parallel documents, I will be happy to improve these.

Thanks!

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.http;hb=HEAD
[2] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-misc.git;a=blob;f=README.mapping;hb=HEAD
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l124

If the new ldap provider is implemented without SSO, VM password delegation still can be used but with limitations:
https://bugzilla.redhat.com/show_bug.cgi?id=1133137

VERIFIED - The information about SSO has been outlined in the new topic. Users are warned that using SSO in the User Portal will remove the SSO functionality for virtual machines.