Enhancement to support Single Sign-On


#1

Introduction:

Now that we support logging in to the appliance using IPA Server user credentials when enabling External Authentication from the Appliance Web UI and the Appliance Console, this enhancement adds support for Single Sign-On to the Appliance Web UI.

The enhancement supports Kerberos-ticket-based Single Sign-On against the IPA Server. The SSO capability would be honored for browsers running on client machines where Kerberos is configured to authenticate against the same IPA Server that the appliance is configured with.


Enabling:

The following describes how an administrator would enable SSO on ManageIQ:

1 - Log in to the Appliance as admin
2 - Select Configure->Configuration and click on Authentication
3 - Set mode to External (httpd)
4 - NEW: click on the “Enable Single Sign-On” button
5 - In the Role Settings section, select Get User Groups from External Authentication (httpd)
6 - Save

In the Appliance Console, same as today:

1 - Log in as admin
2 - In Advanced Settings, select Configure External Authentication (httpd)
3 - Enter the FQDN of the IPA Server, domain, realm, principal and password
4 - Type y to proceed.


Using:

The following describes how an end-user would interact with ManageIQ using SSO:

From the client machine where the browser is running:

1 - Without Enable Single Sign-On checked in the Appliance UI, whether the user has a valid Kerberos ticket or not, accessing the ManageIQ appliance UI points them directly to the login page, as it does today.

2 - With Enable Single Sign-On checked, and with no Kerberos ticket for the logged-in user (i.e. after kdestroy -A), launching the browser and pointing it to the ManageIQ appliance will redirect them to the current login page with a flash error: Invalid Single Sign-on Credentials.

3 - With Enable Single Sign-On checked and a valid/non-expired Kerberos ticket assigned, either via the system UI (RHEL, etc.) or via kinit, accessing the ManageIQ UI will honor the ticket provided the IPA user is assigned to a valid ManageIQ group. The user is then automatically directed to the dashboard, with no login screen.

4 - Logging out from the dashboard, with Single Sign-On either enabled or disabled, will redirect the user to the ManageIQ login page, allowing them to:

  • Log in as admin
  • Log in as another IPA user
  • Re-login using the credentials from the valid Kerberos ticket by leaving the Username field blank, if Enable Single Sign-On is checked.
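The decision flow described in the Using section above, as an added Ruby example that is not ManageIQ's own code. It assumes the appliance's httpd (mod_auth_kerb or mod_auth_gssapi) has already validated the browser's Kerberos ticket and forwards the principal to the Rails app in a request header; the header name `X-Remote-User`, the trusted proxy addresses, the group names, the settings hash, and the handling of a ticket holder who has no ManageIQ group (refused like the no-ticket case) are all assumptions made for this example. The user directory is constructed inline so the block runs offline.

```ruby
require 'set'

# Names below are hypothetical, chosen for this example only (not ManageIQ's):
SSO_HEADER      = 'HTTP_X_REMOTE_USER'.freeze    # Kerberos principal forwarded by httpd
TRUSTED_PROXIES = Set['127.0.0.1', '::1'].freeze # only the appliance's own httpd may set it
SSO_FLASH       = 'Invalid Single Sign-on Credentials'.freeze

# Constructed directory standing in for IPA: user -> IPA groups, and which
# IPA groups have a matching ManageIQ group (group names are made up).
IPA_USER_GROUPS = {
  'alice@EXAMPLE.COM' => %w[ipausers miq-admins],
  'bob@EXAMPLE.COM'   => %w[ipausers],
}.freeze
MIQ_GROUPS = Set['miq-admins', 'miq-operators'].freeze

Decision = Struct.new(:page, :flash, :user, :group)

# Principal asserted by httpd for this request, or nil. The app trusts the
# header only when the request comes from the trusted front end, and httpd is
# assumed to set or clear the header on every request so a browser cannot
# inject its own X-Remote-User and bypass the ticket check.
def sso_principal(env)
  return nil unless TRUSTED_PROXIES.include?(env['REMOTE_ADDR'])
  value = env[SSO_HEADER].to_s.strip
  value.empty? ? nil : value
end

def sso_enabled?(settings)
  settings[:mode] == 'httpd' && settings[:sso_enabled] == true
end

# First ManageIQ group the IPA user belongs to, or nil.
def miq_group_for(principal)
  (IPA_USER_GROUPS.fetch(principal, []) & MIQ_GROUPS.to_a).first
end

# Where a browser hitting the appliance lands (usage cases 1 to 3 above).
def sso_decide(settings, env)
  return Decision.new(:login, nil, nil, nil) unless sso_enabled?(settings) # case 1

  principal = sso_principal(env)
  return Decision.new(:login, SSO_FLASH, nil, nil) if principal.nil?       # case 2 (kdestroy -A)

  group = miq_group_for(principal)
  # Assumption: a valid ticket for a user with no ManageIQ group is refused like case 2.
  return Decision.new(:login, SSO_FLASH, nil, nil) if group.nil?

  Decision.new(:dashboard, nil, principal, group)                          # case 3
end

# Login form submitted after logout (usage case 4). A blank username with SSO
# enabled re-uses the ticket's principal; anything else proceeds to the normal
# credential login (admin or an IPA user), which is outside this example.
def login_submit(settings, env, username)
  return sso_decide(settings, env) if username.to_s.strip.empty? && sso_enabled?(settings)

  Decision.new(:credential_login, nil, username, nil)
end

if __FILE__ == $PROGRAM_NAME
  sso_on    = { mode: 'httpd', sso_enabled: true }
  via_httpd = { 'REMOTE_ADDR' => '127.0.0.1', SSO_HEADER => 'alice@EXAMPLE.COM' }
  p sso_decide(sso_on, via_httpd).to_h
  # A client supplying the header directly (not via httpd) gets no SSO session.
  p sso_decide(sso_on, { 'REMOTE_ADDR' => '203.0.113.7', SSO_HEADER => 'alice@EXAMPLE.COM' }).to_h
end
```

The check worth keeping in mind from this model is the one in `sso_principal`: whatever header carries the principal from httpd to the application must be something a browser cannot supply itself, either because httpd unconditionally overwrites it or because the app only accepts it from the local front end; otherwise "Enable Single Sign-On" turns into a header-spoofing login.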


#2

+1. Many companies rely on Microsoft Active Directory for (at least) user authentication, and many of them would like to be able to skip the authentication form whenever possible. So Kerberos authentication would be one more little trick that makes life simpler :wink:


#3

Agree with fdupont. Would also be interested in SAML authentication for SSO as well.


#4

I noticed this card on the Trello board from July 2015 https://trello.com/c/BFbYkV28 [auth] (5) Support for SAML - AD Federated Services. Is there any progress in this area? We would love to have native SAML 2 support in MIQ/CF.

EDIT: Found another card in progress for SAML support https://trello.com/c/YIUK4qLT :thumbsup: