#6709 [RFE] Configurable auth methods/behaviour in Web UI
Opened 7 years ago by pvoborni. Modified 5 years ago

With FreeIPA 4.5 and 4.7, Web UI will support:

  • SSO - kerberos auth (since beginning)
  • forms based auth (since FreeIPA 2.2)
  • certificate(x509) auth (since 4.5)
  • Federated auth (base landed in 4.5, will be enabled in 4.6/4.7)

Also Web UI tries kerberos login automatically by default. If it fails it offers different types of auth. This behavior is not configurable now.

It should be configurable.

User story:

In a company we are using only certain auth types. Users are confused when they are presented with all options. As an administrator I should be able to configure which auth methods are offered in the Web UI login page and whether an SSO/x509/Federated auth attempt, each configured individually, should be tried automatically.


Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Triage notes:

  • pvom: before we implement this RFE, do we want to have x509 login configured by default? (login using Kerberos ticket is turned on by default, so I would turn x509 login on as well). Additionally, the x509 login does not do any calls without clicking on the 'Login using smartcard' link, so it does not slow down the login page.
  • pvom: Related to the previous question is that it requires having 'ipakrboktoauthasdelegate' turned on for the HTTP service. Is there any problem with turning it on by default?
  • D.P. I think the logic should be the following:
    • Try to negotiate kerberos as now, if managed - OK, else
    • Try to do a cert based auth, if managed - OK, else
    • Present the current screen where user can enter single or 2FA credentials
    • On the page add a button to allow login with an external IdP. Clicking that button will redirect to the external IdP in the same way systems allow login with Google or Facebook now.
  • What we should make configurable is addition of IdPs. We should also allow automatic redirect. For example we can say that any attempts to login on a page <host>/idp/foo will redirect to IdP foo while <host>/idp/bar will redirect to IdP bar but this is IMO a separate RFE we should open.
  • pvom: I wouldn't try to do a cert based login automatically because it will require a smartcard PIN, or the browser will prompt the dialog for choosing a certificate in case the user has a smartcard or user certificate in the browser. Even when the user doesn't want to use the certificate for login into the IPA WebUI, the user may want to use it for a different web application.
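An added example (not FreeIPA code) of the per-method configuration asked for in the user story and the attempt order proposed in the triage notes: each method has an "offered" flag (shown on the login page) and an "auto" flag (tried before the page is shown), with Kerberos auto-tried and x509 offered but not auto-tried by default, so no PIN or certificate-chooser prompt appears unless the administrator opts in. The config shape, method names and the injected attempt functions are assumptions made for this example.

```javascript
// Defaults follow the triage discussion: Kerberos SSO is attempted silently,
// x509 is offered behind a link but not attempted automatically, forms auth is
// always interactive, and an external IdP button appears only when configured.
const DEFAULT_AUTH_CONFIG = {
  krb:   { offered: true,  auto: true  },  // SSO via Kerberos ticket (negotiate)
  x509:  { offered: true,  auto: false },  // certificate/smartcard login
  forms: { offered: true,  auto: false },  // username/password (+ OTP), never automatic
  idp:   { offered: false, auto: false },  // external IdP redirect button
};

// Order in which automatic attempts run; forms auth is never in this list.
const AUTO_ORDER = ['krb', 'x509', 'idp'];

// Merge an administrator-supplied config over the defaults and reject
// combinations that make no sense (auto-trying an interactive or hidden method).
function validateConfig(config) {
  const cfg = {};
  for (const [name, defaults] of Object.entries(DEFAULT_AUTH_CONFIG)) {
    const given = (config && config[name]) || {};
    const offered = given.offered ?? defaults.offered;
    const auto = given.auto ?? defaults.auto;
    if (name === 'forms' && auto) throw new Error('forms auth cannot be automatic');
    if (auto && !offered) throw new Error(`${name}: auto requires offered`);
    cfg[name] = { offered, auto };
  }
  return cfg;
}

// attempts: hypothetical per-method functions returning true on success
// (kept synchronous here; a real Web UI would await XHR/redirect results).
// Returns which methods were auto-tried and, on failure, which to offer.
function loginFlow(config, attempts) {
  const cfg = validateConfig(config);
  const tried = [];
  for (const name of AUTO_ORDER) {
    if (!cfg[name].auto) continue;
    tried.push(name);
    if (attempts[name]()) {
      return { authenticated: true, method: name, tried, offered: [] };
    }
  }
  const offered = Object.keys(cfg).filter((n) => cfg[n].offered);
  return { authenticated: false, method: null, tried, offered };
}
```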

Metadata Update from @pvoborni:
- Custom field affects_doc reset

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
