Bug 1199091 - [RFE] enhance external authentication capabilities with SAML
Summary: [RFE] enhance external authentication capabilities with SAML
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.1.0
Hardware: x86_64
OS: Linux
medium
medium with 2 votes vote
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-05 13:09 UTC by Jan Pazdziora
Modified: 2020-04-15 14:11 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-04 19:21:45 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 16916 0 Normal New enhance external authentication capabilities with SAML 2021-02-12 17:17:58 UTC

Internal Links: 1571208 1571210

Description Jan Pazdziora 2015-03-05 13:09:57 UTC
Description of problem:

While Satellite 6 has support for consuming external authentication as provided by Apache is there, the only way of using that feature is in connection with sssd on IPA-enrolled machine. However, other external authentication mechanisms are possible besides those tied to sssd.

Namely, SAML is possible and should be easily configurable on Satellite 6. The proposal is to use mod_auth_mellon and (optionally) integrate with Ipsilon Identity Provider via some simple katello-installer parameters.

Version-Release number of selected component (if applicable):

Satellite 6.0.x.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Attempt to configure Satellite 6 to consume external authentication/users via SAML, with Ipsilon or other IdP.

Actual results:

No katello-installer options.

Expected results:

There are katello-installer options to achieve that setup.

Additional info:

Comment 1 RHEL Program Management 2015-03-05 13:23:20 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Jan Pazdziora 2015-05-20 06:23:37 UTC
For the record, if mod_auth_mellon based on https://github.com/UNINETT/mod_auth_mellon/commit/fc0aaef5bbf5d49e1b114f732625fb3439375e87 or later is used, the following configuration seems to work for Foreman and Ipsilon client, kindly provided by Nathan K.:

LoadModule auth_mellon_module modules/mod_auth_mellon.so

<Location />
  MellonEnable "info"
  MellonSPPrivateKeyFile /etc/httpd/saml2/https_${HOSTNAME}.key
  MellonSPCertFile /etc/httpd/saml2/https_${HOSTNAME}.cert
  MellonSPMetadataFile /etc/httpd/saml2/https_${HOSTNAME}.xml
  MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml
  MellonEndpointPath /saml2
  MellonIdP "IDP"
  MellonEnvVarsIndexStart 1
  MellonEnvVarsSetCount On
  MellonMergeEnvVars On ":"
  MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
  MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname
  MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname
  MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups
</Location>

<Location /users/extlogin>
  SSLRequireSSL
  AuthType "Mellon"
  MellonEnable "auth"
  ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
  # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
  ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
</Location>

The login_delegation_logout_url should then be set to https://$(hostname)/saml2/logout?ReturnTo=https://$(hostname)/users/extlogout.

Comment 6 Bryan Kearney 2016-07-08 20:32:29 UTC
Per 6.3 planning, moving out non acked bugs to the backlog

Comment 8 Stephen Benjamin 2016-10-13 16:13:17 UTC
Created redmine issue http://projects.theforeman.org/issues/16916 from this bug

Comment 10 sudharsan.omprakash 2018-06-12 14:50:42 UTC
As a red hat customer, we recently initiated the Satellite 6.3 deployment. Adding to security features, we wanted to enable the SSO for this purpose we need Satellite to have SAML feature. So what is the current status and when can we expect this to be released.

Comment 11 Bryan Kearney 2018-09-04 19:21:45 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.


Note You need to log in before you can comment on or make changes to this bug.