Single Sign On between Applications #28
Comments
I do not think we plan on creating a true SSO system for this tutorial.
Sounds good. Does this impact the XDMoD -> OOD integration at all? Or is that currently working well enough to demo in the tutorial?
User will have to log in to Open XDMoD and then log in to OOD, then everything should be fine as far as I know...
Looping in @treydock @ericfranz in case they have any feedback from the OOD side.
The other option is getting Dex to talk to Open XDMoD. I think we can easily modify https://github.com/ubccr/simplesamlphp-module-authglobus to support Dex with a small diff in the
So to have a second client for Dex would require code changes to OnDemand, or require this repo to push out a static dex.yaml that is normally generated by ood-portal-generator. I should be able to patch OnDemand to support multiple clients; it's a fairly easy change.
Our goal was to have the containers wrapped up today, so I'd say we should only do this if we're done with everything else, this is just a small change, and you're willing to do it. We want to uncomplicate this as much as possible, so if having everything use Dex accomplishes that, I'm all for it. If this adds even more complexity, I would vote against it.
So should we try getting two more clients configured in Dex? Looks like XDMoD and ColdFront will both need client IDs/secrets. Callback URIs are as follows: XDMoD Coldfront @treydock if it's easy to get this into OOD, then @plessbd and I can work on getting the apps configured? I guess worst case it doesn't work and we can just revert back to what we have now? Having the other clients configured in Dex but not used shouldn't hurt anything. The only other thing we may want to do is ensure OOD/Dex start early in the process so that Dex is ready before the other containers.
@aebruno Yes, we just merged OSC/ondemand#589 which supports adding more clients. You'd need this in dex:

```yaml
static_clients:
- id: xdmod
  redirectURIs: ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"]
  name: XDMoD
  secret: <some secret>
- id: coldfront
  redirectURIs: ["https://localhost:2443/oidc/callback/"]
  name: Coldfront
  secret: <some secret>
# ...LDAP configs
```

This has not yet been tested, but the above is essentially what we do for OnDemand client configs inside Dex, just the OnDemand configs are auto generated based on other data in that file. The ability to use what I illustrated won't be possible until we have the 1.8.3 tag, and RPMs get built automatically through our pipeline once the tag is made.
Also, starting dex first won't be necessary... dex only has to be started before someone tries to authenticate. The services should start without dex, at least that's how it's supposed to work with OIDC. It's not actually contacted until authentication.
This works great. I tested with Coldfront and #31 adds in Dex support. While we wait for 1.8.3 to be ready, it's pretty easy to test out. Following @treydock's instructions, here's what I did in the ondemand container:

```yaml
dex:
  static_clients:
  - id: xdmod
    redirectURIs: ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"]
    name: XDMoD
    secret: 1CyQBbVHkw37nZWJeS65ZeMPwlVXuTtkcj9qlUI7u6KnRoINzhfuBu0NpahKeNKT
  - id: coldfront
    redirectURIs: ["https://localhost:2443/oidc/callback/"]
    name: Coldfront
    secret: fY8MwkYymslM5aKTllcDTKUNgTmYgPQDwQ1GSSwTWX24Qsh4D1hbyDuyK7QnbHj3
  connectors:
  - type: ldap
    ...
```

@treydock let us know when 1.8.3 is ready to go and we'll just need to update
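The two `static_clients` fragments above register each OIDC relying party with Dex by client id, secret and exact redirect URI. The following is an added example (not from the thread, OnDemand or Dex) that runs the checks a reviewer would want before such a fragment is deployed; the config dict is constructed here to mirror the posted YAML, and the `<some secret>` placeholder is left in on purpose to show it being flagged.

```python
"""Sanity checks for Dex ``static_clients`` entries (added example, not Dex code).

In practice load dex.yaml with yaml.safe_load() and pass the dict to
check_static_clients(); the dict below is constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed config with the same shape as the dex.yaml fragment in the thread.
SAMPLE_DEX_CONFIG = {
    "static_clients": [
        {
            "id": "xdmod",
            "name": "XDMoD",
            "redirectURIs": ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"],
            "secret": "<some secret>",  # placeholder copied from docs, should be flagged
        },
        {
            "id": "coldfront",
            "name": "Coldfront",
            "redirectURIs": ["https://localhost:2443/oidc/callback/"],
            "secret": "c0nstructed-example-secret-0123456789abcdef0123456789abcdef",
        },
    ]
}

def check_static_clients(config):
    """Return a list of findings; an empty list means the client entries look sane."""
    findings, seen_ids = [], set()
    for client in config.get("static_clients", []):
        cid = client.get("id", "<missing id>")
        if cid in seen_ids:
            findings.append(f"{cid}: duplicate client id")
        seen_ids.add(cid)
        secret = client.get("secret", "")
        # Empty, placeholder (<...>) and short secrets all end up in production too often.
        if not secret or secret.startswith("<") or len(secret) < 32:
            findings.append(f"{cid}: secret is missing, a placeholder or shorter than 32 chars")
        uris = client.get("redirectURIs", [])
        if not uris:
            findings.append(f"{cid}: no redirectURIs registered")
        for uri in uris:
            parts = urlsplit(uri)
            if parts.scheme != "https":
                findings.append(f"{cid}: redirect URI {uri} is not https")
            if parts.fragment or "*" in uri:
                findings.append(f"{cid}: redirect URI {uri} has a fragment or wildcard")
    return findings

def redirect_allowed(config, client_id, requested_uri):
    """OIDC Core requires the request's redirect_uri to exactly match a registered URI."""
    for client in config.get("static_clients", []):
        if client.get("id") == client_id:
            return requested_uri in client.get("redirectURIs", [])
    return False
```

The exact-match rule in `redirect_allowed` is why the trailing slash in the ColdFront callback matters: a request using `.../oidc/callback` without it must be rejected by the provider.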
I got it working in XDMoD. I'll update this to make it work while we work on a real update to XDMoD and create a new simplesaml auth module to replace globus with a properly configurable one...
1.8.3 is available
#38 has been merged. Looks like we have SSO between all the apps (minus logout).
Currently, we have the following:
While all the above allows user logins with the same credentials (user/pass) it is not SSO. Further, it would seem XDMoD and OOD are actually two completely separate SSO systems. Please correct if I have anything wrong here.
Question for the team: Do we plan on creating a true SSO system to integrate all three applications for the tutorial? If so, how do we plan on doing that?