Need the ability to configure the appliance for SAML using the appliance console CLI #101
Comments
@abellotti, as discussed cc @dmetzger57 |
cc @chadh1313 @ifwatts @jmg-ibm @kenneth88888 |
Also need OIDC. Ideally it would do all of the possible types, but we can start with SAML and OIDC. |
The following subcommands of the appliance console CLI allow one to configure the appliance for SAML authentication by updating both the Apache configuration and the Administrative UI settings needed. Usage of the new CLI options is as follows:
When --saml-client-host is not specified, the configured appliance host is used for creating the SP metadata. This host FQDN must be reachable from the SAML IDP. Configuring SAML requires the IDP metadata file; the --saml-idp-metadata option allows the user to specify either a copy by file that was downloaded to the appliance or a URL, in which case the CLI downloads the copy from the IDP. Examples:
In both cases, the IDP metadata file is copied to /etc/httpd/saml2/idp-metadata.xml. By default, SSO is not enabled, so from the Appliance login page the user clicks on Login In to Corporate System to get redirected to the SAML login page. With this option enabled, the Appliance redirects the user to the SAML login page for logging in. After SAML is configured, the SP metadata file can be fetched from /etc/httpd/saml2/miqsp-metadata.xml to create the related Client on the SAML IDP.
This will remove the Apache external authentication SAML configuration files and revert the appliance's authentication settings to Database mode. |
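The comment above describes two input forms for the IDP metadata (a local file or a URL) and a fixed destination path. Before such a file is installed, a practitioner would want to confirm it really is IdP metadata with https endpoints and a signing certificate, since a wrong or unsigned document leaves the appliance unable to verify assertions. The following is an added example, not code from manageiq-appliance_console or from the comment's author; it assumes only the destination path /etc/httpd/saml2/idp-metadata.xml named above, and the sample metadata documents are constructed for illustration.

```python
"""Sanity-check SAML 2.0 IdP metadata before installing it on the appliance.

Added example; not part of manageiq-appliance_console. The destination path
is the one named in the comment above; everything else is generic SAML 2.0.
"""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DEFAULT_DEST = "/etc/httpd/saml2/idp-metadata.xml"  # path from the comment above


def load_idp_metadata(source, timeout=10):
    """Return raw metadata bytes from a local path or an http(s) URL,
    mirroring the two --saml-idp-metadata input forms described above."""
    if urlparse(source).scheme in ("http", "https"):
        with urllib.request.urlopen(source, timeout=timeout) as resp:
            return resp.read()
    with open(source, "rb") as fh:
        return fh.read()


def inspect_idp_metadata(data):
    """Parse metadata and return (summary, problems).

    problems is a list of strings; an empty list means the document looks
    usable as IdP metadata. For metadata fetched from an untrusted network
    location, defusedxml.ElementTree is the safer parser choice.
    """
    problems = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return {}, [f"root element is {root.tag}, expected md:EntityDescriptor"]

    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")

    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: not IdP metadata (SP metadata by mistake?)")
        return {"entity_id": entity_id}, problems

    # Every SSO endpoint the appliance will redirect users to must be https,
    # otherwise the SAMLRequest/Response travel in the clear.
    sso = [(e.get("Binding"), e.get("Location"))
           for e in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    if not sso:
        problems.append("IDPSSODescriptor has no SingleSignOnService endpoints")
    for binding, loc in sso:
        if not loc or urlparse(loc).scheme != "https":
            problems.append(f"SSO endpoint is not https: {loc!r} ({binding})")

    # A KeyDescriptor without a use attribute covers both signing and encryption.
    signing_keys = [kd for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
                    if kd.get("use", "signing") == "signing"]
    certs = [c for kd in signing_keys for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]
    if not certs:
        problems.append("no signing X509Certificate; assertion signatures cannot be verified")

    return {"entity_id": entity_id, "sso": sso, "certificates": len(certs)}, problems


def install_idp_metadata(source, dest=DEFAULT_DEST):
    """Fetch, check, and write the metadata; refuses to install a bad document."""
    data = load_idp_metadata(source)
    summary, problems = inspect_idp_metadata(data)
    if problems:
        raise ValueError("refusing to install IdP metadata: " + "; ".join(problems))
    with open(dest, "wb") as fh:
        fh.write(data)
    return summary


# Constructed sample: well-formed IdP metadata with https endpoints and a signing cert.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of a document that must be rejected: plain-http endpoint, no certificate.
BAD_IDP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test/weak">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/weak/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_IDP_METADATA), ("bad", BAD_IDP_METADATA)):
        summary, problems = inspect_idp_metadata(doc)
        print(name, summary, problems or "OK")
```

Run the script stand-alone to see the good sample accepted and the bad sample listed with its two problems; `install_idp_metadata` needs write access to the destination directory, so it would normally be run as root on the appliance.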
Currently for the appliance, the only option to configure it for SAML auth is the manual process to do so via https://www.manageiq.org/docs/reference/latest/auth/saml.
We should provide the ability to do so via the appliance_console_cli, taking in as parameter the IDP metadata file path and generating the miqsp-metadata.xml file required for creating the client definition in the Identity Provider.
The new appliance_console_cli subcommand should also configure the appliance for external auth for SAML so no UI configuration needs to be done afterward.
https://bugzilla.redhat.com/show_bug.cgi?id=1767108