Seamless single-sign-on
Beyond a “single pane of glass”
Organizations who use several machines often run management display software in an attempt to integrate all infrastructure. ManageIQ and Foreman are great examples of this kind of software.
Managing machines from the outside is usually adequate, but sometimes it’s best to log into the machine itself and have a look around. Cockpit excels in this task. In fact, both ManageIQ and Foreman have Cockpit integration built-in.
Seamless single-sign-on
Machine management software already has administrative access over the machines (both virtual and on bare metal), so there should not be a need to type credentials a second time.
Indeed, ManageIQ currently opens Cockpit in a seamless manner, using OAuth and external authentication helpers, all without requiring additional username and passwords.
Foreman currently does not have a seamless handover; it simply provides a standard link. As a result, when Foreman opens Cockpit, you’re greeted with the log in page.
How can we improve Foreman?
It would be ideal for Foreman to also have seamless Cockpit integration.
- As a first step, I have written a prototype based on what I have figured out so far in a
seamless-cockpit
git repo. - Additionally, I have also written a version that uses a reverse proxy on the
nginxed
branch. This approach is altogether nicer — but, before it works, we need to fix a Cockpit bug (#9237).
Test it out
If you are using Foreman to manage your machines and would seamless credentials handover, we welcome you to try out the above code — and please let us know how it works for you!