Description of problem:
While Satellite 6 has support for consuming external authentication as provided by Apache is there, the only way of using that feature is in connection with sssd on IPA-enrolled machine. However, other external authentication mechanisms are possible besides those tied to sssd.
Namely, SAML is possible and should be easily configurable on Satellite 6. The proposal is to use mod_auth_mellon and (optionally) integrate with Ipsilon Identity Provider via some simple katello-installer parameters.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Attempt to configure Satellite 6 to consume external authentication/users via SAML, with Ipsilon or other IdP.
No katello-installer options.
There are katello-installer options to achieve that setup.
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
For the record, if mod_auth_mellon based on https://github.com/UNINETT/mod_auth_mellon/commit/fc0aaef5bbf5d49e1b114f732625fb3439375e87 or later is used, the following configuration seems to work for Foreman and Ipsilon client, kindly provided by Nathan K.:
LoadModule auth_mellon_module modules/mod_auth_mellon.so
MellonMergeEnvVars On ":"
MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname
MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname
MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups
ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
# The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>'
The login_delegation_logout_url should then be set to https://$(hostname)/saml2/logout?ReturnTo=https://$(hostname)/users/extlogout.
Per 6.3 planning, moving out non acked bugs to the backlog
Created redmine issue http://projects.theforeman.org/issues/16916 from this bug
As a red hat customer, we recently initiated the Satellite 6.3 deployment. Adding to security features, we wanted to enable the SSO for this purpose we need Satellite to have SAML feature. So what is the current status and when can we expect this to be released.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.