Bug 1570040
| Summary: | [RFE] RH Single Sign-On or OpenID Connect integration with Administration/User Portal | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Juan Manuel Parrilla Madrid <jparrill> | |
| Component: | ovirt-engine | Assignee: | Ravi Nori <rnori> | |
| Status: | CLOSED ERRATA | QA Contact: | Petr Matyáš <pmatyas> | |
| Severity: | low | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.1.10 | CC: | fgarciad, jparrill, lsurette, mgoldboi, michal.skrivanek, mperina, Rhev-m-bugs, rnori, sborella, srevivo | |
| Target Milestone: | ovirt-4.3.0 | Keywords: | FutureFeature, Reopened | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ovirt-engine-4.3.0_rc, ovirt-engine-extension-aaa-misc-1.0.2 | Doc Type: | Enhancement | |
| Doc Text: | This release adds support for external OpenID Connect authentication using Keycloak in both the user interface and the REST API. | Story Points: | --- | |
| Clone Of: | ||||
| : | 1574951 1588375 | Environment: | ||
| Last Closed: | 2019-05-08 12:37:35 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1574951, 1574958, 1588375 | |||
Description
Juan Manuel Parrilla Madrid
2018-04-20 13:35:22 UTC
What exactly are you missing? Up-to-date information is e.g. https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2-beta/html/administration_guide/configuring_ldap_and_kerberos_for_single_sign-on

Hi Michal,

This looks perfect. When I looked for SSO integration on RHN this didn't come up; Google just shows the 3.5 version. Maybe I was not using the right words. BTW, thanks, this is what I was looking for.

Thanks buddy.

Regards

This works on 4.1 version also? Or just on 4.2 Beta version?

4.0 or so. You can see all docs for all versions at https://access.redhat.com/documentation/en-us/red_hat_virtualization/

Hi there,

I was reviewing the documentation but I didn't see anything related to SAML or RHSSO; maybe I skipped something? I was looking for an integration with RH SSO or SAML/OpenID.

Thanks in advance

Were you able to configure RHSSO with RHV? If so could you please attach your solution to the bug?

(In reply to Martin Perina from comment #7)
> Were you able to configure RHSSO with RHV? If so could you please attach
> your solution to the bug?

Ping

Yeah, but I face a problem with non-federated users. I mean:

I have an RHSSO instance running federated against an LDAP; this LDAP gives me many users and I could log in to RHSSO without problems. The problem comes when I try to log in to RHV, because those users do not exist at RHEV level because that is not federated against anything. TL;DR I succeeded at login, but when the RHSSO redirects to the RHEV login portal, the answer is that I do not have permission to log in.

I have the instance still running if you need info or want to check something.

Any clue to avoid this error?

(In reply to Juan Manuel Parrilla Madrid from comment #9)
> Yeah, but I face a problem with non-federated users. I mean:
>
> I have an RHSSO instance running federated against an LDAP; this LDAP gives me
> many users and I could log in to RHSSO without problems. The problem comes
> when I try to log in to RHV, because those users do not exist at RHEV level
> because that is not federated against anything. TL;DR I succeeded at login, but
> when the RHSSO redirects to the RHEV login portal, the answer is that I do not
> have permission to log in.
>
> I have the instance still running if you need info or want to check something.
>
> Any clue to avoid this error?

I would need to see your configuration, but here is my guess:

If you have configured SAML on Apache, Apache does the authentication and passes the authenticated username to RHV manager using the aaa-misc extension. Then RHV SSO tries to find the authz configuration using the aaa-ldap extension, which will try to connect to the associated LDAP and fetch additional information about the user. So do you have this aaa-ldap authz extension configured?

Hi there,

no, I didn't configure the aaa-ldap to federate the RHEV Manager because I suppose that this already works. The point of this BZ is to have an integration at API level to create the users without the need of an LDAP federated on the RHEV side but on the RHSSO/Keycloak side.

Regards

Tentatively moving to 4.3, we will either support SAML tracked here or OIDC tracked in BZ1588375

All referenced patches have been merged, can this move to modified?

*** Bug 1588375 has been marked as a duplicate of this bug. ***

Verified on ovirt-engine-4.3.0-0.2.master.20181127150027.gitd731af3.el7.noarch

QE verification bot: the bug was verified upstream

*** Bug 1574951 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085

BZ<2>Jira Resync