This document describes how to set up an Ipsilon server that lets users of an existing IPA deployment log in, including Kerberos login for single sign-on.
This guide has been tested with:
but is known to work with other versions.
On the server you want to use to run Ipsilon, run:
sudo yum install ipsilon ipsilon-infosssd ipsilon-saml2 ipsilon-authgssapi ipsilon-tools-ipa
For the automated Kerberos setup you need an admin Kerberos ticket:
sudo kinit admin
Now, to set up Ipsilon, run:
sudo ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes
After this, restart the httpd service and you should be all set. Browsing to https://yourserver/idp/ should show the Ipsilon welcome page, where you can log in with your IPA credentials. By default, the user "admin" is the primary administrator for Ipsilon, but you can change that during ipsilon-server-install with --admin-user=myuser. (Note: if you get "Permission denied", make sure you are accessing it over https://.)
If you are running this on the same server that is also running IPA, you will need to make two small changes so the two can coexist, since IPA uses mod_nss whereas Ipsilon sets up mod_ssl for TLS protection.
Since a TLS module (mod_nss) is already in use, move the mod_ssl configuration file out of the way:
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig
If you try now, you will get "Permission denied". That is because mod_ssl no longer reports to Ipsilon that the connection is TLS-protected (which is correct, since mod_ssl is no longer handling it). To make Ipsilon check for TLS against mod_nss instead, change "SSLRequireSSL" to "NSSRequireSSL" in /etc/ipsilon/idp/idp.conf:
sed -i 's/\<SSL/NSS/' /etc/ipsilon/idp/idp.conf
After this, restart httpd, and https://myserver/idp/ should work.
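The following script is an added example, not part of the guide or of Ipsilon itself: it checks that the TLS-enforcing directive in idp.conf matches the TLS module httpd actually uses (SSLRequireSSL for mod_ssl, NSSRequireSSL for mod_nss), and performs the rename from the step above with a narrower substitution that touches only that directive. It assumes GNU sed and the idp.conf path from the guide; the function names and the command-line interface are the example's own.

```shell
#!/bin/sh
# Added example, not part of the guide: verify that the TLS-enforcing
# directive in Ipsilon's idp.conf matches the TLS module httpd actually
# uses (mod_ssl -> SSLRequireSSL, mod_nss -> NSSRequireSSL), and switch
# it to the mod_nss form. Assumes GNU sed (as the guide's one-liner does).

# Print the directive found: SSLRequireSSL, NSSRequireSSL, both or none.
# Commented-out lines are ignored so they do not count as enforcement.
tls_require_directive() {
    ssl=0; nss=0
    if grep -Eq '^[[:space:]]*SSLRequireSSL([[:space:]]|$)' "$1"; then ssl=1; fi
    if grep -Eq '^[[:space:]]*NSSRequireSSL([[:space:]]|$)' "$1"; then nss=1; fi
    case "$ssl$nss" in
        10) echo SSLRequireSSL ;;
        01) echo NSSRequireSSL ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Succeed only when exactly the directive for the module in use ($2 is
# "ssl" or "nss") is present. A mismatch is what produces the guide's
# "Permission denied" (the module being asked is not the one terminating
# TLS); "none" would mean the TLS requirement has been lost entirely.
tls_enforced_by() {
    case "$2:$(tls_require_directive "$1")" in
        ssl:SSLRequireSSL|nss:NSSRequireSSL) return 0 ;;
        *) return 1 ;;
    esac
}

# Rename SSLRequireSSL to NSSRequireSSL in place, touching only that
# directive (other SSL* lines are left alone), then confirm the result
# enforces TLS via mod_nss. Returns non-zero if the file still fails.
switch_tls_require_to_nss() {
    sed -i 's/^\([[:space:]]*\)SSLRequireSSL/\1NSSRequireSSL/' "$1"
    tls_enforced_by "$1" nss
}

# Command-line use: sh check_idp_tls.sh /etc/ipsilon/idp/idp.conf [ssl|nss]
if [ $# -ge 1 ]; then
    conf=$1; module=${2:-nss}
    if tls_enforced_by "$conf" "$module"; then
        echo "$conf: TLS enforced by mod_$module"
    else
        echo "$conf: found '$(tls_require_directive "$conf")', expected directive for mod_$module" >&2
        exit 1
    fi
fi
```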