Foreman support for SAML-based authentication (single sign-on)

Hi all,

I have a working Foreman UI (1.15.6) integrated with puppet opensource and all looks well. However I’ve been asked to integrate it to our company SSO.

I am working with the resource who has implemented SSO on other applications, and he asked me if Foreman supports SAML-based authentication. I tried googling this, and what I understand is that Foreman supports LDAP and integration with FreeIPA, but I still could not answer his query about SAML.

From the Foreman manual, it does provide instructions on integrating with FreeIPA. Is my understanding correct that, to support SAML-based authentication, I need to enroll my Foreman server in FreeIPA, which in turn can be configured with SAML? Would this be correct? Our company uses Active Directory and uses SAML-based authentication for SSO.

Seeking some guidance on how this can be implemented. At the moment I am looking at https://www.freeipa.org/page/Web_App_Authentication and https://www.freeipa.org/page/V4/External_Authentication

Thanks

Hi,

We’ve achieved this (with 1.16, though we had it working in 1.15.6 as well) by enabling the ‘Authorize login delegation’ setting in Foreman, then using OpenID (we run Debian, so using libapache2-mod-auth-openidc) to protect the /users path in Foreman.

See https://github.com/zmartzone/mod_auth_openidc for details

In 1.15.6 this worked really well, but there was a loophole that we were exploiting; we found it when we upgraded to 1.16, where they fixed the loophole. It still works, but when the session gets timed out it will take you back to the /users/login page. Removing the /user/login from the URL twice clears the problem and the SSO works again. It’s a minor inconvenience that allows us to use SSO (at some point we will figure out why it doesn’t work).
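As an added illustration of the setup this reply describes (not the poster's own configuration), a minimal mod_auth_openidc vhost fragment that protects /users and hands the authenticated user name to Foreman; it assumes Foreman runs under Apache with Passenger, that the IdP publishes OIDC discovery metadata, and that the host names, client id, secret and callback path are placeholders to be replaced.

```apache
# Added example, not from the original thread. Placeholder values below
# (idp.example.com, foreman.example.com, client id/secret, passphrase)
# must be replaced with your own.

# Discovery document of the OpenID Connect provider (assumed URL).
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            foreman
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET

# Callback URL: must sit inside the protected location and must not be a
# path Foreman itself serves, otherwise mod_auth_openidc cannot claim it.
OIDCRedirectURI         https://foreman.example.com/users/oidc_callback

# Used to encrypt the session cookie; generate a long random value.
OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE
OIDCScope               "openid profile email"

# The claim that becomes REMOTE_USER, and therefore the Foreman login name.
# It must match the login names Foreman knows (or autocreates).
OIDCRemoteUserClaim     preferred_username

# Session lifetime is what triggers the re-login behaviour described in
# the reply; keep it explicit so the timeout is a conscious choice.
OIDCSessionInactivityTimeout 3600

<Location /users>
    AuthType  openid-connect
    Require   valid-user

    # With 'Authorize login delegation' enabled, Foreman trusts the
    # REMOTE_USER set by the web server (mirrors the header the Foreman
    # installer's SSO config sets; assumed to apply to this Passenger setup).
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
```

Because login delegation makes Foreman trust whatever REMOTE_USER the web server presents, Foreman must only be reachable through this Apache instance, never directly on the application port.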

Any chance to (1) get an issue created for the double login and (2) a blogpost or other doco around this?

Yes on both counts. Part of me wonders if we have misconfigured something in the openid config, but we tried a few things and couldn’t get it to improve.


I’ve not implemented it because only I have access to Foreman in my institution. But we do use FreeIPA successfully to do SSO against AD in a one way trust (FreeIPA trusts AD, AD doesn’t trust FreeIPA).

Adding new services to FreeIPA is relatively easy, usually a one-liner in its conf. I would recommend this method.

It’s not OpenID Connect, but @jubix was looking for SAML: I just published a blog post about SAML with Keycloak.

The example there uses the keycloak-httpd-client-install tool to make it easier/faster to set up, but I hope it will also help in case you want/have to configure mod_auth_mellon manually.


Any chance a generalized SAML integration can be added to the roadmap?

I found Feature #16916: enhance external authentication capabilities with SAML - Foreman, which seems not to have been touched since it was opened.

Also https://bugzilla.redhat.com/show_bug.cgi?id=1199091 is marked as “WONTFIX”.