Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Authentication - Alberto Bellotti - ManageIQ Design Summit 2016


Published on

ManageIQ Authentication by Alberto Bellotti at ManageIQ Design Summit 2016

Demo video:

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Authentication - Alberto Bellotti - ManageIQ Design Summit 2016

  1. 1. ManageIQ Authentication Alberto Bellotti - Red Hat June 6, 2016
  2. 2. Agenda Early Days Technology Shift External Authentication SAML Demo Future Enhancements Documentation Q&A
  3. 3. Early Days Authentication implemented within Appliance Local Database (Default) MiqLDAP LDAP Directories (OpenLDAP, RedHat Directory Server, etc.) Active Directory Amazon SDK AWS IAM (Identity and Access Management)
  4. 4. Technology Shift Local Authentication Implementations Limited authentication types Frequent fixes due to limitations Longer enhancements implementation times. External Authentication Industry proven Apache Authentication stack Wider availability of Authentication modules Leveraging RHEL Security Services
  5. 5. Technology Shift Pre-External Authentication ManageIQ PostgreSQL ApacheUser MiqLdap Aws SDK Amazon Ldap Directories ● OpenLDAP ● RHDS ● Active Directory ● etc.Appliance
  6. 6. Technology Shift External Authentication Delegating Authentication to Apache Leveraging: Apache Authentication Modules Linux Security Modules (PAM, SSSD) Kerberos Authentication for SSO
  7. 7. Technology Shift External Authentication ManageIQ PostgreSQL Apache User Aws SDK Amazon Ldap Directories ● RHDS ● Active Directory ● OpenLDAP, ApacheDS ● etc. FreeIPA Appliance SAML Identity Providers ● Keycloak mod_auth_mellon mod_auth_kerb mod_authnz_pam RHEL Security Services SSSD PAM Kerberos SSHD
  8. 8. External Authentication Currently Supporting: ● FreeIPA ○ Username/Password (Admin UI, REST API, SSUI) ○ Username/Password+OTP (2FA) (Admin UI, REST API, SSUI) ○ Kerberos SSO (Admin UI) ● LDAP Directories via SSSD ○ Red Hat Directory Server ○ Active Directory (single and multi-domains) ○ OpenLDAP, ApacheDS, etc.
  9. 9. External Authentication Currently Supporting: Active Directory Realm/SSSD joining AD Domain Username/Password (Admin UI, REST API, SSUI) Kerberos SSO (Admin UI) IPA/AD Trust Environments Username/Password (Admin UI, REST API, SSUI) Kerberos SSO (Admin UI)
  10. 10. External Authentication Currently Supporting: SAML Keycloak Versions 1.8 & 1.9 (Admin UI)
  11. 11. Demo SAML Authentication with Keycloak 1.9.4
  12. 12. Future Enhancements Adding Support for: Enhanced Client & Proxy Enabling REST API authentication using SAML provider Allowing authentication using SAML credentials in SSUI Verification with additional SAML providers Active Directory Federated Services
  13. 13. Future Enhancements Adding Support for: SmartCard Authentication via IPA/AD Trust Environments OpenID Connect (supported by KeyCloak)
  14. 14. Documentation Enabling External Authentication (FreeIPA) All other External Authentication Browse auth section
  15. 15. Thank You !!