Bug 1317379 - [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Kaleem
Docs Contact: Marc Muehlfeld
Keywords: FutureFeature, TechPreview
Depends On: 1343422
Blocks: 1411849 1366572 1402820
Reported: 2016-03-14 03:12 EDT by Martin Kosek
Modified: 2017-03-14 07:49 EDT
CC List: 10 users

See Also:
Fixed In Version: ipa-4.4.0-8.el7
Doc Type: Technology Preview
Doc Text:
IdM web UI enables smart card login: The Identity Management (IdM) web UI enables users to log in using smart cards. Note that this feature is experimental and not supported.
Story Points: ---
Clone Of:
Clones: 1366572 1402820
Environment:
Last Closed: 2016-11-04 01:51:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Martin Kosek 2016-03-14 03:12:53 EDT
Description of problem:
IdM Web UI in RHEL-7.2 or older only allows Kerberos or Password authentication. The Web UI capabilities should be extended to also allow Smart Card authentication for environments leveraging Smart Card authentication instead of Kerberos.

This change means changing the current Web UI authentication architecture, which does a kinit internally when a password is passed. This cannot be done with Smart Cards, as the Web UI does not have access to them.


User Story:
As an Administrator in Government Sector (required to use Smart Cards), I want to authenticate to the IdM Web UI with my Smart Card, so that I am not forced to enable password authentication which is forbidden in my environment.
Comment 1 Petr Vobornik 2016-03-24 15:16:48 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5764
Comment 2 Martin Kosek 2016-08-12 07:02:35 EDT
This feature was investigated and implemented as a POC for IdM in RHEL-7.3. Given the current IdM Server architecture around its Web (Apache) service, the solution unfortunately cannot be claimed as ready for production use due to security concerns and lack of privilege separation.

Therefore, the feature will only be presented as an Experimental feature for users, where they can qualify it, test it in their environment and report back whether it works and satisfies the expectations/requirements. The feature won't be enabled by default and will require configuration (including API/CLI and Web UI plugins).

Upstream feature page is here:
http://www.freeipa.org/page/V4/External_Authentication

Current configuration procedure is being developed here:
http://www.freeipa.org/page/V4/External_Authentication/Setup

Given above, I am changing the feature to "Experimental". A new Bugzilla will be created to track "proper" implementation that is secure and better suited for production use.
Comment 4 Jan Cholasta 2016-08-17 10:53:55 EDT
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d25a0725c0e09891bd0df927641dac878dfe6a7d
Comment 8 Jan Pazdziora 2016-08-29 07:51:55 EDT
The page http://www.freeipa.org/page/V4/External_Authentication/Setup describes the status of the smart card / x509 certificate authentication in FreeIPA 4.4 and in the upcoming RHEL release. It relies on a WebUI plugin and Apache HTTP Server configuration, available from an external yum repository.
Comment 9 Roshni 2016-09-22 10:35:30 EDT
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.4.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group       : System Environment/Base
Size        : 1019056
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-4.4.0-12.el7.src.rpm
Build Date  : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Followed the instructions in the document in comment 8. The certificate on the card was issued by an external CA and the CA was trusted in the browser. The token was loaded in the browser. A password was set for the ipa user; su to the user prompted for a new password as the password had expired. Login to the IPA web UI using the smartcard PIN was successful.
Comment 11 errata-xmlrpc 2016-11-04 01:51:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
