Integrating identity management with single sign-on for Red Hat solutions

In this article, we explain how to integrate identity management (IdM) in Red Hat Enterprise Linux (RHEL) with single sign-on (SSO) for Red Hat solutions.

Identity Management

IdM in RHEL is designed to simplify identity management within a Red Hat Enterprise Linux subscription. It provides a centralized and clear method for managing identities for users, machines and services within large Linux enterprise environments.

Single sign-on

SSO for Red Hat solutions is based on the Keycloak project and lets you provide streamline access to your web applications based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The SSO server can act as a SAML or OpenID Connect-based identity provider, mediating with your enterprise user directory or third-party SSO provider for identity information and your applications via standards-based tokens. Single sign-on for Red Hat solutions can also federate external user databases.

Here I'll show you how to integrate the IdM users into single sign-on for Red Hat solutions.

Initial state

The starting state of our environment is two separate RHEL 8 instances that are up and running and on the same network. One will run RHEL Identity Management and the other will run the single sign-on service.

Start by creating two fresh RHEL 8.X server virtual instances (downloadable here) and make sure that the machines are able to ping each other. I configured mine with 4GB of RAM and 20GB of storage.

If you have an existing RHEL system you can use to provision the virtual machines, you can use virtual machines in cockpit to spin up the blank RHEL instances and have them share a network. 

If you have the proper RHEL subscriptions but some non-RHEL systems, you can also use VM VirtualBox to provision the machines. Here is a tutorial on how to use VirtualBox to create RHEL virtual machines. If using VirtualBox, you can use an internal network to make the machines talk to each other. You should add it as a second network and not replace the NAT adapter (internet connection is going to help). 

From installation you can manually assign an IP address for the adapter. I used a manual IP of 192.168.1.1 for the Identity Management machine and 192.168.1.2 for the single sign-on service machine. Both have a netmask of 255.255.255.0 with the gateway empty. 

Once you have the instances running with the proper network configuration, register both of the systems.

Tip: In VirtualBox you can also configure the virtual machines to copy and paste between the hosts by following this tutorial if that’s something you want to do for the instructions coming up. That or you can SSH into the machines.

Installing IdM

Now let’s install Identity Management on one of the RHEL machines. Full documentation can be found here.

This machine will act as our IdM server. First, log into the machine as the root user. 

# su -

Next, set the hostname to idm.example.com:

# hostnamectl set-hostname idm.example.com

Then free up the ports in the firewall that IdM needs: 

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload

Then enable the idm:DL1 stream & switch to the RPMs delivered through it:

# yum module enable idm:DL1
# yum distro-sync

Then download the necessary packages for installing IdM with integrated DNS:

# yum module install idm:DL1/server

At this point you must turn off the network adapter that is linked to the internet, we won't need it on the IdM server for the next steps.

Then run this command to start an unattended installation with passwords of your choosing for the ds-password and admin-password. Remember the passwords:

# ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended

Test the installation by logging into the admin user with the password set above

# kinit admin
Password for admin@EXAMPLE.COM:  admin_password

Then create a test user:

#  ipa user-add --first Taco --last Bamba --email bamba@example.com taco

Installing SSO

Now let's  install single sign-on for Red Hat solutions on the second machine. Full documentation can be found here.

First, switch to the second machine and log in as the root user.

# su -

Then, set the hostname to sso.example.com:

# hostnamectl set-hostname sso.example.com

You can install SSO by either downloading a ZIP file and unzipping or by using an RPM. We are going to use the Red Hat SSO 7.5 rpm repository.

# subscription-manager repos --enable=jb-eap-7.4-for-rhel-8-x86_64-rpms 
# subscription-manager repos --enable=rh-sso-7.5-for-rhel-8-x86_64-rpms
# dnf groupinstall rh-sso7

After those three commands finish running, your installation is complete! Pretty simple, right? The default RH-SSO_HOME path for the RPM installation is:

/opt/rh/rh-sso7/root/usr/share/keycloak

Let’s examine the purpose of two of the directories inside of the installation we’ll be using:

Next you’re going to want to open the required firewall ports

# firewall-cmd --permanent --add-port=8080/tcp
# firewall-cmd --permanent --add-port=9990/tcp
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload

Then in the standalone/configuration/standalone.xml file, change the line that starts with <socket-binding name=”https” port=”${jboss.https.port:8443}”/> to <socket-binding name=”https” port=”${jboss.https.port:443}”/>.

Starting the single sign-on server

Now we'll start the SSO server.

Run the standalone.sh script (must be run as sudo or the root user). Running the service on 0.0.0.0 will have Keycloak listen on all IP addresses configured on the server.

# cd /opt/rh/rh-sso7/root/usr/share/keycloak/bin
# ./standalone.sh -b=0.0.0.0

Single sign-on for Red Hat solutions does not have any configured admin account out of the box. You must create one on the Welcome Page located at http://localhost:8080/auth on the single sign-on server. This account will allow you to create a user that can log into the master realm’s administration console so that you can start creating realms and users and registering applications to work with SSO. 

I use admin as the username. Make sure you remember these credentials.

Once you are logged in with the admin account, hover on the dropdown on the left in the navigation bar of the administrative console that says Master and then click the Add Realm  button. Enter the name of the realm to be IdM and leave it enabled.

Federate the user database in SSO

First download the packages necessary for installing an IdM client on the SSO machine:

# dnf install ipa-client

At this point you must turn off the network adapter that is linked to the internet, we won't need it on the SSO server for the next steps.

Then free up the ports in the firewall that the IdM client needs: 

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload

Now edit the /etc/hosts file and add the following at the bottom:

192.168.1.1 idm.example.com

Or if you have a different IP address for the IdM machine:

[ip of idm server] idm.example.com

Now we are going to register the SSO server with IdM using:

# ipa-client-install  --domain example.com --server idm.example.com --realm EXAMPLE.COM
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Continue to configure the system with these values? [no]: yes
…
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: admin_password

Don’t worry if you see a message that says failed to update DNS records, it won’t cause any issues for what we are doing. If you see the last line as: 

The ipa-client-install command was successful

…then you’re good to go. You can test it by running the following command and entering the admin password when prompted.

# kinit admin

Then go into the SSO application located at https://localhost:8080/auth. Make sure you are in the IdM realm. On the left hand navigation menu, select the User Federation button under Configure. Then select `ldap` under the Add provider… dropdown.

From here you can enter in the following properties:

Click Save and after you save it click Synchronize all users. Navigate to the Users button on the left navigation pane. Now when you click View all users, you can expect to see your IdM test user listed there! 

Now you have successfully integrated the IdM users into single sign-on for Red Hat solutions! In this article we installed two RHEL virtual machines, then configured one to run IdM and the other to run SSO. Then we configured SSO to federate users from the IdM server. From here you can start to add SSO for Red Hat solutions as an identity provider to any web application that supports SAML 2.0 or OpenID Connect and be able to login with your IdM credentials.