I have a working Foreman UI (1.15.6) integrated with puppet opensource and all looks well. However I’ve been asked to integrate it to our company SSO.
I am working with the resource who has implemented SSO on other applications, and he asked me if Foreman supports SAML-based authentication. I tried googling this, and what I understand is that Foreman supports LDAP and integration with FreeIPA, but I still could not answer his query about SAML.
From the Foreman manual, it does provide instructions on integrating with FreeIPA. Is my understanding correct that to support SAML-based authentication, I need to enroll my Foreman server in FreeIPA, which in turn can be configured with SAML? Would this be correct? Our company uses Active Directory and uses SAML-based authentication for SSO.
We’ve achieved this (with 1.16, though we had it working in 1.15.6 as well) by enabling the ‘Authorize login delegation’ setting in Foreman, then using OpenID (we run Debian, so using libapache2-mod-auth-openidc) to protect the /users path in Foreman.
In 1.15.6 this worked really well, but there was a loophole that we were exploiting; we found it when we upgraded to 1.16, where they fixed the loophole. It still works, but when the session gets timed out it will take you back to the /users/login page. Removing the /users/login from the URL twice clears the problem and the SSO works again. It’s a minor inconvenience that allows us to use SSO (at some point we will figure out why it doesn’t work).
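For readers who want to try the approach in the answer above, here is an Apache configuration fragment for mod_auth_openidc in front of Foreman. It is an added example, not the poster’s or the Foreman project’s own configuration. The hostnames, client ID, client secret, passphrase, the `preferred_username` claim and the choice to protect only `/users/login` (rather than the whole `/users` path the answer mentions) are all assumptions; adjust them to your identity provider and to the login names Foreman knows.

```apache
# Added example (not from the original post or from Foreman's installer).
# Pairs with Foreman's 'Authorize login delegation' setting: once that is on,
# Foreman trusts whatever Apache puts in REMOTE_USER, so every path into the
# application must go through this Apache instance.

# Provider discovery and client registration (placeholders, not real values)
OIDCProviderMetadataURL https://sso.example.com/.well-known/openid-configuration
OIDCClientID            foreman
OIDCClientSecret        REPLACE-WITH-CLIENT-SECRET
OIDCScope               "openid email profile"

# The redirect URI has to sit under a Location protected by the module
OIDCRedirectURI         https://foreman.example.com/users/login/redirect_uri
OIDCCryptoPassphrase    REPLACE-WITH-RANDOM-PASSPHRASE

# Claim that becomes REMOTE_USER; assumption: it matches Foreman login names
OIDCRemoteUserClaim     preferred_username

# Keep the module's session shorter than or equal to Foreman's own idle
# timeout so the two do not expire out of step
OIDCSessionInactivityTimeout 1800
OIDCSessionMaxDuration       28800

# Only the login path needs the OIDC challenge; the rest of Foreman runs on
# its own session cookie after delegation has accepted REMOTE_USER
<Location /users/login>
    AuthType openid-connect
    Require valid-user
</Location>
```

Two checks before relying on this: confirm nothing can reach the Rails application except through this vhost (a directly reachable Passenger or Puma listener would accept any REMOTE_USER it is handed), and confirm the claim named in `OIDCRemoteUserClaim` is the one your identity provider actually issues, since a mismatch silently creates or fails to match Foreman users.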
I’ve not implemented it because only I have access to Foreman in my institution. But we do use FreeIPA successfully to do SSO against AD in a one-way trust (FreeIPA trusts AD, AD doesn’t trust FreeIPA).
Adding new services to FreeIPA is relatively easy, usually a one-liner in its conf. I would recommend this method.