Description of problem: For External Authentication, Satellite 6 has a way of using feature in connection with SSSD on IPA-enrolled machine. Can we enable SSO using an external SAML 2.0 Identity Provider. Version-Release number of selected component (if applicable): Satellite 6.12 How reproducible: Deterministic. Steps to Reproduce: 1. Attempt to configure Satellite 6 to consume external authentication/users via SAML 2.0 Actual results: Currently there is no option available in Red Hat Satellite to configure SSO using an external SAML 2 Identity Provider Expected results: Able to Configure SSO using an external SAML 2 Identity Provider Additional info:
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
For the record, if mod_auth_mellon based on https://github.com/UNINETT/mod_auth_mellon/commit/fc0aaef5bbf5d49e1b114f732625fb3439375e87 or later is used, the following configuration seems to work for Foreman and Ipsilon client, kindly provided by Nathan K.: LoadModule auth_mellon_module modules/mod_auth_mellon.so <Location /> MellonEnable "info" MellonSPPrivateKeyFile /etc/httpd/saml2/https_${HOSTNAME}.key MellonSPCertFile /etc/httpd/saml2/https_${HOSTNAME}.cert MellonSPMetadataFile /etc/httpd/saml2/https_${HOSTNAME}.xml MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml MellonEndpointPath /saml2 MellonIdP "IDP" MellonEnvVarsIndexStart 1 MellonEnvVarsSetCount On MellonMergeEnvVars On ":" MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups </Location> <Location /users/extlogin> SSLRequireSSL AuthType "Mellon" MellonEnable "auth" ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>' # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>SAML authentication did not pass.</body></html>' </Location> The login_delegation_logout_url should then be set to https://$(hostname)/saml2/logout?ReturnTo=https://$(hostname)/users/extlogout.
Per 6.3 planning, moving out non acked bugs to the backlog
Created redmine issue http://projects.theforeman.org/issues/16916 from this bug
As a red hat customer, we recently initiated the Satellite 6.3 deployment. Adding to security features, we wanted to enable the SSO for this purpose we need Satellite to have SAML feature. So what is the current status and when can we expect this to be released.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.