Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2101770

Summary: [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD
Product: Red Hat Enterprise Linux 8 Reporter: anuja <amore>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Josip Vilicic <jvilicic>
Priority: unspecified    
Version: 8.7CC: jvilicic, lmanasko, pasik, rcritten, sumenon, tscherf
Target Milestone: rcKeywords: FutureFeature, TechPreview, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.10-1.module+el8.7.0+15691+2b2c1dd5 Doc Type: Technology Preview
Doc Text:
.RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview As a Technology Preview in RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 8.7 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP. Notable features include: * Adding, modifying, and deleting references to external IdPs with `ipa idp-*` commands * Enabling IdP authentication for users with the `ipa user-mod --user-auth-type=idp` command For additional information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-external-identity-providers-to-authenticate-to-idm_managing-users-groups-hosts[Using external identity providers to authenticate to IdM].
 Story Points: ---
Clone Of: 2069202 Environment:
Last Closed: 2022-11-08 09:36:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2103125    
Bug Blocks:    

Description anuja 2022-06-28 10:48:42 UTC 
This bug is created as a clone of upstream tickets:

https://pagure.io/freeipa/issue/8803
https://pagure.io/freeipa/issue/8804
https://pagure.io/freeipa/issue/8805

Via bug 2056482, SSSD adds client and KDC sides of a preauthentication mechanism to MIT Kerberos to authenticate against externally hosted identity provider (IdP) with OAuth2 protocol. The preauthentication mechanism is called 'idp'.

'idp' preauthentication mechanism relies on KDC side on the code in FreeIPA KDB driver, which represents both KDB driver development and IPA management around IdP entities. IdP entities are modeled after RADIUS proxy support already present in FreeIPA.

This bug tracks integration of initial support for the external IdPs of FreeIPA in RHEL.
Comment 2 Florence Blanc-Renaud 2022-06-28 11:50:16 UTC 
Bug fixed with the rebase to ipa 4.9.10:

master:
https://pagure.io/freeipa/c/79a4073730a8fe5ba2424f3896a2fd440c17ac9e
https://pagure.io/freeipa/c/0484949b80d477ad858274b799ea1f48f2eec20a
https://pagure.io/freeipa/c/fd19bdfd54e674361b9dadd3792780406c8d82d6
https://pagure.io/freeipa/c/10e18c3dc732a52d173e803970f6eb53dd9b6087
https://pagure.io/freeipa/c/03a905eed92083b1edea634ce50fcc9dbeb34b5b
https://pagure.io/freeipa/c/3f6656e09a528b3f54281d77a6226231ac1c0f51
https://pagure.io/freeipa/c/a1be4fc86390559e6464fb31b76a4595da9f5465
https://pagure.io/freeipa/c/94f7d31d2dc725ebcb5a6859d32d602935c1b3b3
https://pagure.io/freeipa/c/429e523de675f86accd8667287cc468c8f9d1872
https://pagure.io/freeipa/c/82175da4b1c91516495a4f38a46a08ccfca4cd75
https://pagure.io/freeipa/c/543040a71d09710f817b29076cb7aa86d3014a02
https://pagure.io/freeipa/c/b5be7f2948f72b93fc418eb2697fe96efe14a11f

ipa-4-9:
https://pagure.io/freeipa/c/42afcc95be0292dd0dbdf955dbe0e8e3a683782e
https://pagure.io/freeipa/c/8d81338cb94a2d850f53629ebba98a1f1ec90d1e
https://pagure.io/freeipa/c/1df7b82ac188650775703dc95530017c969d0bff
https://pagure.io/freeipa/c/2136bd5d00f7aed5ae722ff8253c2b74ba444972
https://pagure.io/freeipa/c/b77015b7a3b627282560253cf2cd579c89f02923
https://pagure.io/freeipa/c/bf8e2bb99f1c09ced820bd4bf6e9d7832db2caea
https://pagure.io/freeipa/c/673478b1cf9950aed755a6a9ae8f81cb323932b3
https://pagure.io/freeipa/c/51a4e42dd777661addd4f2fed1654ee978e8a4d7
https://pagure.io/freeipa/c/660c3dc2491fc2ee01031c1c59db6e0bb025bf93
https://pagure.io/freeipa/c/d0eab8fe7609fea0b46ea863db1822eca1daac63
https://pagure.io/freeipa/c/d49aa7103bacba60bae28f32bd76d9d35853626b
https://pagure.io/freeipa/c/5f9e0d3ff3bd80b75bc9f5de97e7e086ba0a31e3

Tests added upstream in ipatests/test_integration/test_idp.py
master:
    5ca4e8e pr-ci definitions: add external idp related jobs.
    9cc703f ipatests: Add integration tests for External IdP support

    a80a981 ipatests: update prci definitions for test_idp.py
    bd57ff3 Add end to end integration tests for external IdP


ipa-4-9:
    b979dd9 ipatests: Add integration tests for External IdP support
    b39f933 pr-ci definitions: add external idp related jobs.
    857713c Add end to end integration tests for external IdP
    50b4d9a ipatests: update prci definitions for test_idp.py
Comment 4 anuja 2022-07-08 10:08:42 UTC 
Moving ITM to 20 as its depend on and blocked by https://bugzilla.redhat.com/show_bug.cgi?id=2103125.
Comment 12 anuja 2022-08-05 10:56:43 UTC 
Marking bug as verified 

1) Failure in authentication using github, okta+secret, google 
will be fixed as part of https://bugzilla.redhat.com/show_bug.cgi?id=2111393#c3

2) Note : authentication using github, google is working as expected in RHEL9.1
Comment 16 errata-xmlrpc 2022-11-08 09:36:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7540
Comment 20 Red Hat Bugzilla 2023-09-18 04:40:28 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days