oVirt SAML with keyloak using 389ds user federation

In this post I will introduce how simple it is to integrate SAML with oVirt using Keycloak and LDAP user federation.

Prerequisites: I assume you have already setup the 389ds directory server, but the solution is very similar for any other LDAP provider. As SAML is not integrated into oVirt directly, we use Apache to do the SAML authentication for us. The mod_auth_mellon module nicely covers all needed functionality.

mod_auth_mellon configuration

First we need to configure oVirt's apache. SSH to the oVirt engine and create a directory where we'll store all SAML related certificates.

ssh root@engine
yum install -y mod_auth_mellon
mkdir -p /etc/httpd/saml2

When we install the mod_auth_mellon package, it will create /etc/httpd/conf.d/auth_mellon.conf. We need to modify this file to our needs, as follows:

<Location />
    MellonEnable "info"
    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonSessionDump On
    MellonSamlResponseDump On
    MellonSessionLength 86400

    MellonUser "NAME_ID"
    MellonEndpointPath /saml2

    MellonSPCertFile /etc/httpd/saml2/ovirtsp-cert.cert
    MellonSPPrivateKeyFile /etc/httpd/saml2/ovirtsp-key.key
    MellonSPMetadataFile /etc/httpd/saml2/ovirtsp-metadata.xml
    MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer| Continue reading

oVirt SAML with keyloak using 389ds user federation

In this post I will introduce how simple it is to integrate SAML with oVirt using Keycloak and LDAP user federation.

Prerequisites: I assume you have already setup the 389ds directory server, but the solution is very similar for any other LDAP provider. As SAML is not integrated into oVirt directly, we use Apache to do the SAML authentication for us. The mod_auth_mellon module nicely covers all needed functionality.

mod_auth_mellon configuration

First we need to configure oVirt's apache. SSH to the oVirt engine and create a directory where we'll store all SAML related certificates.

ssh root@engine
yum install -y mod_auth_mellon
mkdir -p /etc/httpd/saml2

When we install the mod_auth_mellon package, it will create /etc/httpd/conf.d/auth_mellon.conf. We need to modify this file to our needs, as follows:

<Location />
    MellonEnable "info"
    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonSessionDump On
    MellonSamlResponseDump On
    MellonSessionLength 86400

    MellonUser "NAME_ID"
    MellonEndpointPath /saml2

    MellonSPCertFile /etc/httpd/saml2/ovirtsp-cert.cert
    MellonSPPrivateKeyFile /etc/httpd/saml2/ovirtsp-key.key
    MellonSPMetadataFile /etc/httpd/saml2/ovirtsp-metadata.xml
    MellonIdPMetadataFile /etc/httpd/saml2/idp-metadata.xml

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  <If "req('Authorization') !~ /^(Bearer| Continue reading

Cisco and the Two-Factor Two-Step

In case you missed the news, Cisco announced yesterday that they are buying Duo Security. This is a great move on Cisco’s part. They need to beef up their security portfolio to compete against not only Palo Alto Networks but also against all the up-and-coming startups that are trying to solve problems that are largely being ignored by large enterprise security vendors. But how does an authentication vendor help Cisco?

Who Are You?

The world relies on passwords to run. Banks, email, and even your mobile device has some kind of passcode. We memorize them, write them down, or sometimes just use a password manager (like 1Password) to keep them safe. But passwords can be guessed. Trivial passwords are especially vulnerable. And when you factor in things like rainbow tables, it gets even scarier.

The most secure systems require you to have some additional form of authentication. You may have heard this termed as Two Factor Authentication (2FA). 2FA makes sure that no one is just going to be able to guess your password. The most commonly accepted forms of multi-factor authentication are:

  • Something You Know – Password, PIN, etc
  • Something You Have – Credit Card, Auth token, Continue reading

ISOC advocating IoT Trust at APAN 46

APAN 46 is being held on 5-9 August 2018 in Auckland, New Zealand, with the Internet Society being one of the sponsors. I’ll also be talking about IoT Security and the OTA IoT Trust Framework, as well as using the opportunity to continue to raise awareness of the MANRS Routing Security Initiative amongst network operators in the Asia-Pacific region.

The Asia Pacific Advanced Network (APAN) supports the research and education networks in the region to help them to connect to each other and to other R&E networks around the world, provides opportunities to exchange knowledge, and coordinates common activities, services and applications for its membership. It was established back in 1997, and this is the second of its two annual meetings for 2018.

I’ll be speaking during the Internet-of-Things session next Wednesday (8 August 2018 @ 09.00-10.30 UTC+12), and will discuss how IoT is responsible for huge growth in the number of unmanaged or minimally-managed devices connected to the Internet, but do we really know who or what is communicating with them, and the information they are collecting and sending? I’ll also present ISOC’s Online Trust Alliance’s initiative to develop the IoT Trust Framework which is backed Continue reading

Network World: Edge, Intent-based networking are all the rage; IT networking budgets rise

As distributed resources from wired, wireless, cloud and Internet of Things networks grow, the need for a more intelligent network edge is growing with it.Network World’s 8th annual State of the Network survey shows the growing importance of edge networking, finding that 56% of respondents have plans for edge computing in their organizations. [ Related: How to plan a software-defined data-center network ] Typically, edge networking entails sending data to a local device that includes compute, storage and network connectivity in a small form factor. Data is processed at the edge, and all or a portion of it is sent to the central processing or storage repository in a corporate data center or infrastructure-as-a-service (IaaS) cloud.To read this article in full, please click here

Network World: Edge, Intent-based networking are all the rage; IT networking budgets rise

As distributed resources from wired, wireless, cloud and Internet of Things networks grow, the need for a more intelligent network edge is growing with it.Network World’s 8th annual State of the Network survey shows the growing importance of edge networking, finding that 56% of respondents have plans for edge computing in their organizations. [ Related: How to plan a software-defined data-center network ] Typically, edge networking entails sending data to a local device that includes compute, storage and network connectivity in a small form factor. Data is processed at the edge, and all or a portion of it is sent to the central processing or storage repository in a corporate data center or infrastructure-as-a-service (IaaS) cloud.To read this article in full, please click here

Network World: Edge, Intent-based networking are all the rage; IT networking budgets rise

As distributed resources from wired, wireless, cloud and Internet of Things networks grow, the need for a more intelligent network edge is growing with it.Network World’s 8th annual State of the Network survey shows the growing importance of edge networking, finding that 56% of respondents have plans for edge computing in their organizations. [ Related: How to plan a software-defined data-center network ] Typically, edge networking entails sending data to a local device that includes compute, storage and network connectivity in a small form factor. Data is processed at the edge, and all or a portion of it is sent to the central processing or storage repository in a corporate data center or infrastructure-as-a-service (IaaS) cloud.To read this article in full, please click here

Worth Reading: Every Silver Lining has a Cloud

All the tools you built during those last two years work only because they have direct knowledge of the system components down to the metal, or at least as close to the metal as possible. Once you move a system into the cloud, your application is sharing resources with other, competing systems, and if you are taking advantage of elastic pricing, then your machines may not even be running until the cloud provider deems them necessary. —George V. Neville-Neil @ACM

Kernel of Truth episode 5 — HCI, agility and the physical network

Subscribe to Kernel of Truth on iTunes, Google Play, Spotify, Castbox and Stitcher!

Click here for our previous episode.

If you’ve been waiting for a tech-heavy deep dive, then you’re in luck. In this episode we’re getting REAL nerdy — so we decided to bring out the big guns and invite two of the industry’s biggest networking geeks to discuss hyper-converged infrastructure. Naturally, we got our fearless co-founder and CTO JR Rivers into the recording booth so he could share his wisdom (and crack a few jokes, as usual).

And who did we invite to go toe-to-toe with JR on networking knowledge? None other than the one and only Greg Ferro, co-founder of Packet Pushers! We couldn’t be more excited that Greg agreed to join us in the recording booth and share his industry insights.

So, what data center networking topic did we decide was meaty enough for these guys to chew on? Because Greg and JR are all about looking toward the future and analyzing what they see coming up on the horizon, this episode is dedicated to hyper-converged infrastructure (HCI). How is HCI changing the way we look at network architecture? We’ll discuss these topics Continue reading

PQ 152: An IETF Update On RIFT, BIER, SD-WAN And More

Today, an update on some compelling projects at IETF 102. Ours guest are Jeff Tantsura and Russ White.

We review the following projects to see what’s new and understand what problems they’re solving:

  • RIFT (Routing In Fat Trees)
  • BIER (Bit Indexed Explicit Replication)
  • PPR (Preferred Path Routing)
  • YANG data modeling

We also look at the state of SD-WAN, which is a bit of the Wild West, to look at standards and interoperability efforts underway.

Jeff is the Head of Technology Strategy at Nuage Networks. He’s also deeply involved with the IETF as the Chair of Routing Area Working Group, the Chair of Routing In Fat Trees, a Member of Internet Architecture Board, and a Member of IP Stack Evolution.

Jeff has recorded with us several times before, most recently on Priority Queue 126, where Greg chatted with Jeff about the future of data center fabrics. Jeff, welcome back to Packet Pushers.

Russ White is a network architect, author, and blogger. Rush also chairs the Interface to Routing System and the Babel routing protocol efforts at the IETF, and is a reviewer in the IETF’s Routing Area Directorate.

Show Links:

Jeff Tantsura IETF work – IETF

Russ White’s IETF work Continue reading

Growing the Cloudflare Apps Ecosystem

Growing the Cloudflare Apps Ecosystem

Starting today we are announcing the availability of two key pilot programs:

Why now? Over the course of past few months we've seen accelerating interest in Workers, and we frequently field the question on what we are doing to combine our growing ecosystem around Workers, and our unique deliverability capability, Cloudflare Apps. To meet this need, we have introduced two programs, Apps with Workers and Workers Service Providers. Let’s dig into the details:

First, we are announcing the upcoming availability of Cloudflare Apps, powered by embeddable Workers. This will allow any developer to build, deploy and in the near future package Workers to distribute to third parties, all using the Cloudflare Apps platform. It will be, in effect, the world's first serverless Apps platform.

Today, it's easy develop Workers using with our UI or API. The ability to App-ify Workers opens up a whole new promise to those who prefer to deal in clicks and not code. For our Apps developers, Apps with Workers allows for more complex Apps offerings running on Cloudflare, and for our customers the next generation in Apps. So, while we are actively putting the finishing touches on Continue reading

1 1,541 1,542 1,543 1,544 1,545 3,870