Tracker #5031

External authentication support

Added by Jan Pazdziora about 5 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
% Done: 0%
Difficulty: -
Triaged: No
Bugzilla link: -
Team Backlog: -
Fixed in Releases: -
Found in Releases: -

Description

This feature is being opened as an overview tracker of using Foreman with external authentication and identity providers like FreeIPA. The general setup is described at http://www.freeipa.org/page/Web_App_Authentication.

We've identified the following places where external authentication and/or identity provider can be used:

  • Kerberos SSO using ticket
  • Using FreeIPA host based access control to drive access to the Kerberized application
  • Making use of the external authentication provider to authenticate the normal logon form, using PAM
  • Populating user attributes based on the external identity provider
  • Populating user group membership based on the external identity provider
  • Keeping user's attributes and group membership up-to-date even during subsequent logons
  • Using the authentication in non-WebUI situations, i.e. from the API and the CLI

The parts that are included in Foreman 1.5 are documented at http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication.

A planned update of the Foreman 1.6 documentation, covering the WebUI authentication features that did not make it into Foreman 1.5 but are already in Foreman develop (and will therefore ship in Foreman 1.6), is staged in https://github.com/theforeman/theforeman.org/commit/d562de8cc15d3d8361a1d629fb8f5a7dfa5d6eee.

Kerberos SSO using ticket

This feature was fully implemented via http://projects.theforeman.org/issues/3312, is available in Foreman 1.4, and is documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and in the Foreman manual at http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication. Since Foreman needs to keep even externally-authenticated users in its internal database (for foreign keys to work), a user who authenticated via Kerberos but was never seen by Foreman before gets a record created in the new External auth source.

Using FreeIPA host based access control to drive access to the Kerberized application

This feature can be used by configuring the mod_authnz_pam Apache module with the directive require pam-account foreman-prod, together with a matching PAM service and HBAC service in FreeIPA, as described at http://www.freeipa.org/page/Web_App_Authentication. No change was needed in Foreman.

Making use of the external authentication provider to authenticate the normal logon form, using PAM

Using the Apache module mod_intercept_form_submit, it is possible to run PAM authentication against the credentials the user enters on the standard logon form, and to signal the application once that authentication has passed. As with Kerberos ticket-based authentication, the externally authenticated user record needs to be created in Foreman's database.

The feature is tracked and documented as http://projects.theforeman.org/issues/4462 and was merged to be available in Foreman 1.5.

Populating user attributes based on the external identity provider

When a user record is populated based on external authentication, traditionally only the login (username) is available to the application. Foreman will then redirect the user to a page asking them to provide at least their email address before proceeding.

Using the mod_lookup_identity Apache module, it is possible to retrieve this information, together with the user's name, from a central identity provider like FreeIPA, and to populate the record in Foreman's database with it.

This feature was implemented via http://projects.theforeman.org/issues/3528, is available in Foreman 1.4, and is documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and in the Foreman manual at http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication.

Populating user group membership based on the external identity provider

Besides user attributes, Foreman can use user group membership information from the external identity provider to drive role assignment.

Since the merge into Foreman develop on 2014-05-06 via http://projects.theforeman.org/issues/3892, the group membership of an externally authenticated user whose record is being populated in Foreman's internal database is set to match the user's group membership in the central identity provider, using the environment variables REMOTE_USER_GROUP_N, REMOTE_USER_GROUP_1, REMOTE_USER_GROUP_2, etc.

The feature is enabled by using the Apache module mod_lookup_identity (the same one used for user attribute population) together with the configuration directive

LookupUserGroupsIter REMOTE_USER_GROUP

API for external user groups

The external user groups might need an API; this is tracked in http://projects.theforeman.org/issues/5734.

Keeping user's attributes and group membership up-to-date even during subsequent logons

Keeping the attributes up-to-date

When populating attributes based on the external identity provider, the code change was modelled after the existing implementation of the similar feature for Foreman's internal LDAP auth sources. In those cases, the user attributes only get set during the initial population of the user record.

Keeping the group membership up-to-date

When populating group membership based on the external identity provider, the code change was modelled after the population of user attributes. In those cases, the user attributes only get set during the initial population of the user record.

Tracking

Since the merge into Foreman develop on 2014-05-07 via http://projects.theforeman.org/issues/5242, the user's attributes and group memberships are updated upon every successful authentication using the External auth source.
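As an added example (not Foreman's own code and not part of this issue), the following Ruby shows how an application sitting behind Apache with mod_lookup_identity can read the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_1..N variables described under group membership population, and reconcile them with the memberships it already stores so that they follow the identity provider on every logon, as the tracking note above describes. The hash shape for stored groups and the external flag that marks provider-managed memberships are assumptions.

```ruby
# Added example, not Foreman's code: read and reconcile externally-provided
# group membership as exported by mod_lookup_identity (LookupUserGroupsIter).

# Read the REMOTE_USER_GROUP_N counter and REMOTE_USER_GROUP_1..N from the
# CGI/Rack environment Apache hands to the application. Only server-set
# variables are trusted: request headers reach the environment with an
# HTTP_ prefix, so a header named REMOTE_USER_GROUP_4 is never consulted.
def external_groups(env, prefix = 'REMOTE_USER_GROUP')
  count = env["#{prefix}_N"]
  # A missing or non-numeric counter means "no group information": fail closed.
  return [] unless count.is_a?(String) && count.match?(/\A\d+\z/)
  (1..count.to_i).map { |i| env["#{prefix}_#{i}"] }
                 .compact
                 .map(&:strip)
                 .reject(&:empty?)
                 .uniq
end

# Work out the changes needed so that the user's provider-managed memberships
# match the identity provider. Groups the application assigned itself
# (external: false, an assumed flag) are left alone by the sync.
# current: array of { name: String, external: true/false } (assumed shape).
# Returns [names_to_add, names_to_remove].
def reconcile_external_groups(current, external)
  managed = current.select { |g| g[:external] }.map { |g| g[:name] }
  [external - managed, managed - external]
end

# Constructed sample environment, shaped as mod_lookup_identity would set it.
SAMPLE_ENV = {
  'REMOTE_USER'              => 'alice',
  'REMOTE_USER_GROUP_N'      => '3',
  'REMOTE_USER_GROUP_1'      => 'admins',
  'REMOTE_USER_GROUP_2'      => 'ops',
  'REMOTE_USER_GROUP_3'      => 'ops',   # duplicate from the provider, collapsed
  'HTTP_REMOTE_USER_GROUP_4' => 'x'      # client-controlled header, ignored
}.freeze

if __FILE__ == $PROGRAM_NAME
  groups  = external_groups(SAMPLE_ENV)
  current = [{ name: 'ops', external: true },
             { name: 'local-auditors', external: false },
             { name: 'stale', external: true }]
  add, remove = reconcile_external_groups(current, groups)
  puts "groups from identity provider: #{groups.inspect}"
  puts "add: #{add.inspect}, remove: #{remove.inspect}"
end
```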

Using the authentication in non-WebUI situations -- using API, CLI

It should be possible to use the external authentication and identity providers and their features, including Kerberos ticket-based SSO, not just in the WebUI but for the API and CLI as well. This is tracked via http://projects.theforeman.org/issues/8923.


Related issues

Blocked by Foreman - Feature #3312: Make it possible to use the REMOTE_USER / sso/apache.rb authentication with mod_auth_kerb (Closed, 2013-10-17)
Blocked by Foreman - Feature #4462: Add support for PAM authentication via mod_intercept_form_submit (Closed, 2014-02-26)
Blocked by Foreman - Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well (Closed, 2013-10-28)
Blocked by Foreman - Feature #3892: When new users are created based on REMOTE_USER authentication, their roles should be populated as well (Closed, 2013-10-28)
Blocked by Foreman - Feature #5242: Keeping user's attributes and group membership up-to-date even during subsequent logons (Closed, 2014-04-18)
Blocked by Foreman - Feature #5734: Add API for external groups management (Closed, 2014-05-15)
Blocked by Installer - Feature #6445: External authentication via FreeIPA should be configurable with foreman-installer (Closed, 2014-06-30)
Blocked by Hammer CLI - Feature #8923: Ability to use Negotiate/Kerberos authentication to API and hammer (New, 2015-01-13)

History

#1 Updated by Dominic Cleal about 5 years ago

  • Tracker changed from Feature to Tracker
  • Category set to Authentication

#2 Updated by Dominic Cleal about 5 years ago

  • Blocked by Feature #3312: Make it possible to use the REMOTE_USER / sso/apache.rb authentication with mod_auth_kerb added

#3 Updated by Dominic Cleal about 5 years ago

  • Blocked by Feature #4462: Add support for PAM authentication via mod_intercept_form_submit added

#4 Updated by Dominic Cleal about 5 years ago

  • Blocked by Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well added

#5 Updated by Dominic Cleal about 5 years ago

  • Blocked by Feature #3892: When new users are created based on REMOTE_USER authentication, their roles should be populated as well added

#6 Updated by Jan Pazdziora about 5 years ago

  • Tracker changed from Tracker to Feature
  • Description updated (diff)
  • Category deleted (Authentication)

#7 Updated by Jan Pazdziora about 5 years ago

  • Tracker changed from Feature to Tracker
  • Category set to Authentication

I seem to have cancelled Dominic's changes, reverting. Sorry about that.

#8 Updated by Jan Pazdziora about 5 years ago

  • Description updated (diff)

#9 Updated by Jan Pazdziora about 5 years ago

  • Blocked by Feature #5242: Keeping user's attributes and group membership up-to-date even during subsequent logons added

#10 Updated by Jan Pazdziora about 5 years ago

  • Description updated (diff)

#11 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#13 Updated by Bryan Kearney almost 5 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1095276

#14 Updated by Jan Pazdziora almost 5 years ago

  • Blocked by Feature #5734: Add API for external groups management added

#15 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#16 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#17 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#18 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#19 Updated by Jan Pazdziora almost 5 years ago

  • Description updated (diff)

#20 Updated by Jan Pazdziora almost 5 years ago

  • Blocked by Feature #6445: External authentication via FreeIPA should be configurable with foreman-installer added

#21 Updated by Jan Pazdziora over 4 years ago

  • Blocked by Feature #8923: Ability to use Negotiate/Kerberos authentication to API and hammer added

#22 Updated by Jan Pazdziora over 4 years ago

  • Description updated (diff)
