New commit detected on ManageIQ/manageiq/ivanchuk:

https://github.com/ManageIQ/manageiq/commit/707df015e51069da85be3d3de1a95c5b956eae54

commit 707df015e51069da85be3d3de1a95c5b956eae54
Author:     Jason Frey <jfrey>
AuthorDate: Fri Nov 15 17:52:42 2019 -0500
Commit:     Jason Frey <jfrey>
CommitDate: Fri Nov 15 17:52:42 2019 -0500

    Merge pull request #19525 from abellotti/support_saml_config

    Adding ability to update additional authentication settings

    (cherry picked from commit 8eea16cac726c480865be23a2747bbd7a60801cd)

    https://bugzilla.redhat.com/show_bug.cgi?id=1775684

 lib/tasks/evm_settings.rake         |  2 +
 spec/lib/tasks/evm_settings_spec.rb | 20 +-
 2 files changed, 18 insertions(+), 4 deletions(-)

New commit detected on ManageIQ/manageiq-appliance/ivanchuk:

https://github.com/ManageIQ/manageiq-appliance/commit/7dec167935821fbd528f2dd6e6b6e5e357c0d5bb

commit 7dec167935821fbd528f2dd6e6b6e5e357c0d5bb
Author:     Jason Frey <jfrey>
AuthorDate: Fri Nov 22 09:44:50 2019 -0500
Commit:     Jason Frey <jfrey>
CommitDate: Fri Nov 22 09:44:50 2019 -0500

    Merge pull request #264 from abellotti/updated_dependencies_for_appliance_console

    Updated dependencies to pick up latest manageiq-appliance_console

    (cherry picked from commit 435ef0792ab8fb6afb18155713ab16b043bbcf0c)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1775684

 manageiq-appliance-dependencies.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Awesome stuff! Verified in CFME 5.11.1.1.20191122174937_707df01

Steps of verification:
1) ssh into appliance
2) Run 'appliance_console_cli --saml-config --saml-idp-metadata='http://<qe-rhsso-server>/auth/realms/<testing-realm>/protocol/saml/descriptor'
3) Download the "miqsp-metadata.xml" file to local machine
4) Import the "miqsp-metadata.xml" file to our RHSSO server
5) Point browser at appliance URL
6) Click "Login to Corporate Account"
7) Login with some user on the SSO
8) Verified that login went through
9) Logout
10) Unconfigured saml with "appliance_console_cli --saml-unconfig"
11) Logged in as the super user to verify that DB authentication still works.

One area for improvement could be the manual steps involved in steps (4) and (5). Is there any Keycloak API library that could (optionally) be used to make the client for the appliance on the Keycloak/RHSSO server during the initial saml-config command?

For instance, our SSO server has all the mappers defined in a default client scope and then I use the python-keycloak API library to create the client. (code here: https://github.com/ManageIQ/integration_tests/blob/d8d4d51abcd51f25ab66d506eff7f7443bae1bed/cfme/utils/appliance/__init__.py#L2270-L2295)

Definitely would be an RFE, but just a thought.

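
A check that could be run on the downloaded miqsp-metadata.xml before importing it into the IdP (steps 3 and 4 of the verification above). This is an added example, not part of the original comment and not ManageIQ code; the sample metadata, host name, endpoint paths and the signing policy it enforces are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: host, paths and attributes are assumptions, not real appliance output.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://appliance.example.com">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://appliance.example.com/saml2/logout"/>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://appliance.example.com/saml2/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Return (summary, problems) for a SAML SP metadata document."""
    # SAML metadata needs no DTD; refuse it rather than hand entities to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or sp is None:
        raise ValueError("not a SAML SP EntityDescriptor")

    problems = []
    # Every child carrying a Location is an endpoint the IdP will send users or data to.
    endpoints = [(el.tag.split("}")[1], el.get("Binding"), el.get("Location"))
                 for el in sp if el.get("Location") is not None]
    for kind, _binding, location in endpoints:
        url = urlsplit(location)
        if url.scheme != "https":
            problems.append(f"{kind} is not https: {location}")
        if url.hostname != expected_host:
            problems.append(f"{kind} points at unexpected host: {location}")
    acs = [loc for kind, binding, loc in endpoints
           if kind == "AssertionConsumerService" and binding == POST_BINDING]
    if not acs:
        problems.append("no HTTP-POST AssertionConsumerService")
    # Assumed policy for this example: both signing flags must be set.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            problems.append(f"{attr} is not true")
    return {"entity_id": root.get("entityID"), "acs_post": acs}, problems
```

An empty problems list means every endpoint in the file is HTTPS on the expected appliance host, so the IdP client created from it will only redirect to that host.
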
Thanks John for kicking the tires!!

Looks like it should be doable, I see a REST API on the Keycloak server that would help there:
https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_clients_resource

Yeah, RFE for that. However, it would be Keycloak specific; the CLI enhancement here is provider independent. Something to keep in mind, would be nice to support others too (at least the common ones, there are so many).

Alberto

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:4201