When new users are created based on REMOTE_USER authentication, their roles should be populated as well
The issue http://projects.theforeman.org/issues/3312 made the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in Foreman database upon successful logon, the issue http://projects.theforeman.org/issues/3528 made it possible to populate their name and email address based on information in the external identity provider like FreeIPA. The user no longer needs to be redirected to add their email address manually. These two issues have been implemented (as of Foreman 1.4) and are documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and in Foreman manual http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication.
Beyond name and email address, another useful information that Foreman can obtain from external identity provider like FreeIPA is group membership which can be used to drive roles for Foreman users.
Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, we propose to populate group membership of the new user based on the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_# environment variables.
The current pull request for this feature is https://github.com/theforeman/foreman/pull/1328.
Followup feature is http://projects.theforeman.org/issues/5242 with pull request https://github.com/theforeman/foreman/pull/1391 which will make both user attributes and the group membership up-to-date after every external logon.