
Single Sign On between Applications #28

Closed
aebruno opened this issue Jul 15, 2020 · 16 comments

Comments

aebruno (Member) commented Jul 15, 2020

Currently, we have the following:

  1. OOD running Dex (backed by LDAP container IdP)
  2. XDMoD running SAML? (backed by LDAP container IdP)
  3. Coldfront authenticating via LDAP directly

While all the above allows user logins with the same credentials (user/pass) it is not SSO. Further, it would seem XDMoD and OOD are actually two completely separate SSO systems. Please correct if I have anything wrong here.

Question for the team: Do we plan on creating a true SSO system to integrate all three applications for the tutorial? If so, how do we plan on doing that?

plessbd (Contributor) commented Jul 15, 2020

I do not think we plan on creating a true SSO system for this tutorial.

aebruno (Member, Author) commented Jul 15, 2020

> I do not think we plan on creating a true SSO system for this tutorial.

Sounds good. Does this impact the XDMoD -> OOD integration at all? Or is that currently working enough to demo in the tutorial?

plessbd (Contributor) commented Jul 15, 2020

User will have to login to OpenXDMoD and then Login to OOD, then everything should be fine as far as I know...

aebruno (Member, Author) commented Jul 15, 2020

Looping @treydock @ericfranz in case they have any feedback from the OOD side.

plessbd (Contributor) commented Jul 15, 2020

The other option is getting Dex to talk to Open XDMoD. I think we can easily modify https://github.com/ubccr/simplesamlphp-module-authglobus to support Dex with a small diff in the xdmod container on /usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/modules/authglobus/lib/Auth/Source/Globus.php
I think Dex will need a callback URL of https://localhost:4443/simplesaml/module.php/authglobus/linkback.php for Open XDMoD, then we just need the key and secret placed somewhere for Open XDMoD to use it.

treydock (Contributor) commented:

So to have a second client for Dex would require code changes to OnDemand or require this repo to push out a static dex.yaml that is normally generated by ood-portal-generator. I should be able to patch OnDemand to support multiple clients, it's a fairly easy change.

treydock (Contributor) commented:

OSC/ondemand#589

dsajdak (Contributor) commented Jul 15, 2020

Our goal was to have the containers wrapped up today so I'd say we should only do this if we're done with everything else, this is just a small change, and you're willing to do it. We want to uncomplicate this as much as possible so if having everything use Dex accomplishes that, I'm all for it. If this adds even more complexity, I would vote against it.

aebruno (Member, Author) commented Jul 15, 2020

So should we try getting two more clients configured in Dex? Looks like XDMoD and Coldfront will both need client IDs/secrets. Callback URIs are as follows:

XDMoD

Coldfront

@treydock, if it's easy to get this into OOD, then @plessbd and I can work on getting the apps configured. I guess worst case it doesn't work and we can just revert back to what we have now? Having the other clients configured in Dex but not used shouldn't hurt anything.

The only other thing we may want to do is just ensure OOD/Dex start early in the process to ensure Dex is ready before the other containers.

treydock (Contributor) commented:

@aebruno Yes, we just merged OSC/ondemand#589 which supports adding more clients.

You'd need this in ood_portal.yml:

```yaml
dex:
  static_clients:
    - id: xdmod
      redirectURIs: ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"]
      name: XDMoD
      secret: <some secret>
    - id: coldfront
      redirectURIs: ["https://localhost:2443/oidc/callback/"]
      name: Coldfront
      secret: <some secret>
# ...LDAP configs
```

This has not yet been tested, but the above is essentially what we do for OnDemand client configs inside Dex; the OnDemand configs are just auto-generated based on other data in that file. The ability to use what I illustrated won't be possible until we have the 1.8.3 tag, and RPMs get built automatically through our pipeline once the tag is made.

treydock (Contributor) commented:

Also, starting dex early won't be necessary... dex only has to be started before someone tries to authenticate. The services should start without dex; at least that's how it's supposed to work with OIDC. It's not actually contacted until authentication.

aebruno (Member, Author) commented Jul 16, 2020

> This has not yet been tested, but the above is essentially what we do for OnDemand client configs inside Dex; the OnDemand configs are just auto-generated based on other data in that file. The ability to use what I illustrated won't be possible until we have the 1.8.3 tag, and RPMs get built automatically through our pipeline once the tag is made.

This works great. I tested with Coldfront and #31 adds in Dex support. While we wait for 1.8.3 to be ready, it's pretty easy to test out. Following @treydock's instructions, here's what I did in the ondemand container:

  1. Manually patch /opt/ood/ood-portal-generator/lib/ood_portal_generator/dex.rb per "Allow additional Dex clients to be defined" (OSC/ondemand#589)

  2. Edit /etc/ood/config/ood_portal.yml and add in the following lines:

```yaml
dex:
  static_clients:
    - id: xdmod
      redirectURIs: ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"]
      name: XDMoD
      secret: 1CyQBbVHkw37nZWJeS65ZeMPwlVXuTtkcj9qlUI7u6KnRoINzhfuBu0NpahKeNKT
    - id: coldfront
      redirectURIs: ["https://localhost:2443/oidc/callback/"]
      name: Coldfront
      secret: fY8MwkYymslM5aKTllcDTKUNgTmYgPQDwQ1GSSwTWX24Qsh4D1hbyDuyK7QnbHj3
  connectors:
    - type: ldap
# ...
```

  3. Update the portal config and restart dex:

```shell
$ /opt/ood/ood-portal-generator/sbin/update_ood_portal
$ ps aux | grep dex
$ kill -kill 23    # PID of the running dex process from the ps output
$ gosu ondemand-dex /usr/sbin/ondemand-dex serve /etc/ood/dex/config.yaml &
```

@treydock let us know when 1.8.3 is ready to go and we'll just need to update ood_portal.yml in the ondemand container configs to use the above settings.
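The two comments above together describe the relying-party side of this setup: each app is registered in Dex as a static client with an exact redirect URI and a secret, and an app only contacts Dex when a user actually logs in, so it can boot before Dex is up. The following is an added example, not code from ColdFront, OnDemand, XDMoD or Dex, of a minimal OIDC client written against that static_clients registration. Everything in it is an assumption for illustration: the ISSUER URL, the in-memory copy of the client table (with placeholder secrets), the injectable `fetch` used instead of a live HTTP call, and the fact that JWS signature verification against Dex's JWKS is done elsewhere, so only the claim checks the client must still perform are shown.

```python
"""Added example (not project code): minimal OIDC relying party against Dex
static clients.  ISSUER, STATIC_CLIENTS and the injected `fetch` are
illustration-only assumptions; real secrets stay in ood_portal.yml."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ISSUER = "https://localhost:5554/dex"  # hypothetical Dex issuer URL

# Mirror of the static_clients entries from the thread (placeholder secrets).
STATIC_CLIENTS = {
    "xdmod": {"redirectURIs": ["https://localhost:4443/simplesaml/module.php/authglobus/linkback.php"],
              "secret": "<xdmod secret>"},
    "coldfront": {"redirectURIs": ["https://localhost:2443/oidc/callback/"],
                  "secret": "<coldfront secret>"},
}

_discovery_cache = {}


def _default_fetch(url):
    with urlopen(url, timeout=5) as resp:
        return json.load(resp)


def discovery(fetch=None):
    """Load provider metadata on first use and cache it.  Nothing here runs
    at import/startup, which is why the app can boot before Dex is up: the
    first contact with Dex is the first login.  `fetch` is injectable so the
    example runs offline."""
    if "doc" not in _discovery_cache:
        doc = (fetch or _default_fetch)(f"{ISSUER}/.well-known/openid-configuration")
        if doc.get("issuer") != ISSUER:  # discovery: issuer must match exactly
            raise ValueError("issuer mismatch in discovery document")
        _discovery_cache["doc"] = doc
    return _discovery_cache["doc"]


def redirect_uri_allowed(client_id, uri):
    """Exact-string match against the registered list, as Dex does: no prefix
    or wildcard matching, so a trailing-slash variant or a '/../evil' suffix
    is rejected instead of becoming an open redirect for the auth code."""
    client = STATIC_CLIENTS.get(client_id)
    return client is not None and uri in client["redirectURIs"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authorization_request(client_id, redirect_uri, fetch=None):
    """Return (url, session_state) for the authorization-code flow.  state
    binds the callback to this browser session, nonce binds the ID token to
    it, and PKCE (S256) binds the code to this client.  session_state must be
    stored server-side (session cookie) and used once."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri not registered for client")
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    url = f"{discovery(fetch)['authorization_endpoint']}?{urlencode(params)}"
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def callback_ok(session_state, query):
    """Accept the redirect back only if it carries a code and the state we
    issued (constant-time compare).  A missing or foreign state means CSRF
    or replay and must not start a token exchange."""
    return "code" in query and secrets.compare_digest(
        query.get("state", ""), session_state["state"])


def id_token_claims_ok(claims, client_id, session_state, now=None):
    """Claim checks (OIDC Core 3.1.3.7) that remain the client's job after
    the signature has been verified: iss, aud, exp and nonce.  Assumes a
    single-audience token; multi-audience tokens also need an azp check."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    return (claims.get("iss") == ISSUER
            and client_id in aud
            and isinstance(claims.get("exp"), (int, float))
            and claims["exp"] > now
            and claims.get("nonce") == session_state["nonce"])
```

The exact-match rule in `redirect_uri_allowed` is the part worth copying into any client config review: the registered `redirectURIs` values in ood_portal.yml have to match what the app sends byte for byte (including the trailing slash on the Coldfront URI above), and an IdP that relaxed that to prefix matching would let an attacker receive the authorization code.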

plessbd (Contributor) commented Jul 16, 2020

I got it working in XDMoD. I'll update this to make it work while we work on a real update to XDMoD and create a new simplesaml auth module to replace globus with a properly configurable one...

ericfranz (Contributor) commented:

1.8.3 is available

aebruno (Member, Author) commented Jul 16, 2020

#32 and #31 have been merged. @plessbd let us know if you run into any issues with XDMoD/Dex.

aebruno (Member, Author) commented Jul 17, 2020

#38 has been merged. Looks like we have SSO between all the apps (minus logout).

aebruno closed this as completed Jul 17, 2020