#1275 [RFE] Support SAML
Closed: Fixed. Opened 12 years ago by admiyo.

Single sign-in and exchange of priv via a standard protocol.


Support SAML where?

Remember, no TGT and nothing works.

See ticket 1098

SAML, OpenID, and OAuth all do fundamentally the same thing: centralize authentication for HTTP. While IPA currently uses Kerberos for all authentication, once we decide how to work around that for one Web SSO implementation, it will be trivial to support the others.

I suspect that the right solution is to use certificate-based auth, and then to determine an acceptable set of approaches for certificate distribution.

These are federation use cases. IMO it should be pretty simple. The peers would have to have a trust established via PKI or a shared key, and then this key or cert is used to sign the assertion of the authentication. This is how it all works in a nutshell.
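The trust-then-sign flow sketched in that comment, as an added illustration (not FreeIPA or Ipsilon code): the peers share a key out of band, the IdP signs its authentication assertion with it, and the SP accepts the assertion only if the issuer is a trusted peer, the signature is intact, the audience is itself and the validity window has not passed. A shared HMAC key stands in for the PKI option, JSON stands in for SAML XML, and all entity IDs, keys and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust relationship: the SP knows this IdP's shared key.
# In a PKI deployment this would instead be the IdP's signing certificate.
TRUSTED_PEERS = {"https://idp.example.test": b"constructed-shared-key-for-demo"}
SP_ENTITY_ID = "https://sp.example.test"


def _canonical(assertion: dict) -> bytes:
    """Deterministic serialisation so IdP and SP sign/verify identical bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, audience, key, now, lifetime=300):
    """IdP side: state that `subject` authenticated and sign it with the peer key."""
    assertion = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "not_on_or_after": now + lifetime,
    }
    sig = hmac.new(key, _canonical(assertion), hashlib.sha256).digest()
    return {"assertion": assertion, "signature": base64.b64encode(sig).decode()}


def verify_assertion(token, now, trusted_peers=TRUSTED_PEERS, audience=SP_ENTITY_ID):
    """SP side: returns (True, subject) or (False, reason).

    Checks run in the order a relying party should apply them: is the
    issuer a peer we trust at all, does its key authenticate the bytes,
    was the assertion meant for us, and is it still within its lifetime.
    """
    assertion = token.get("assertion", {})
    key = trusted_peers.get(assertion.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(assertion), hashlib.sha256).digest()
    try:
        actual = base64.b64decode(token.get("signature", ""), validate=True)
    except (ValueError, TypeError):
        return False, "bad signature"
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        return False, "bad signature"
    if assertion.get("audience") != audience:
        return False, "wrong audience"
    if now >= assertion.get("not_on_or_after", 0):
        return False, "expired"
    return True, assertion["subject"]
```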

This is something that we will do when the trusts work is done.

What about PicketLink IdP integration? Yeah, it's yet another service to install & manage and full PicketLink scope seems to overlap FreeIPA (identity management) but there are already Java bits installed on typical FreeIPA install (dogtag) and PicketLink seems modular enough to include just required bits so the overhead shouldn't be too big.

Our current answer to SAML is Ipsilon that integrates nicely both with FreeIPA and Kerberos. Simo can provide more details.

I am moving this ticket back to triage so that we can re-evaluate it.

AFAIU PicketLink can be used as an IdP, but IdP is not a direct feature of PicketLink.
But bottom line is that we are working on different solutions to provide federation.

Worked on by Nathan, Simo et al. in the separate Ipsilon project.

This ticket can be closed as completed as soon as Ipsilon is officially stable and released.

Ipsilon release version 1.0.0 - see https://fedorahosted.org/ipsilon/wiki/Releases

Closing this ticket as completed!

Metadata Update from @admiyo:
- Issue assigned to nkinder
- Issue set to the milestone: FreeIPA 4.2

7 years ago
