Closed abbra closed 3 years ago
I'll add an MIT Kerberos build with Pavel's changes next week and we'll be able to create a test that goes through the whole pipeline.
I need to adapt a few tests to see the presence of the ipaidpconfiglink
attribute. Will work on that next week.
KDB: support IdP configuration
When IdP configuration is provided, take it into account:
- idp-specific Kerberos ticket policy would be applied
- Presence of IdP link in a Kerberos principal would cause KDB to request the KDC to first ask RADIUS server for an initial challenge and then supply the response in the communication with the client side of OTP pre-authentication as an OTP token to use
The latter requires additional changes from the MIT Kerberos side.
Fixes: https://pagure.io/freeipa/issue/8824
External IdP: add idpUser object to be able to link to IdP
A link to IdP configuration needs to be stored in a user object. Handle it similarly to RADIUS proxy configuration link