In this article, we explain how to integrate identity management (IdM) in Red Hat Enterprise Linux (RHEL) with single sign-on (SSO) for Red Hat solutions.
Identity Management
IdM in RHEL is designed to simplify identity management within a Red Hat Enterprise Linux subscription. It provides a centralized and clear method for managing identities for users, machines and services within large Linux enterprise environments.
Single sign-on
SSO for Red Hat solutions is based on the Keycloak project and lets you provide streamline access to your web applications based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The SSO server can act as a SAML or OpenID Connect-based identity provider, mediating with your enterprise user directory or third-party SSO provider for identity information and your applications via standards-based tokens. Single sign-on for Red Hat solutions can also federate external user databases.
Here I'll show you how to integrate the IdM users into single sign-on for Red Hat solutions.
Initial state
The starting state of our environment is two separate RHEL 8 instances that are up and running and on the same network. One will run RHEL Identity Management and the other will run the single sign-on service.
Start by creating two fresh RHEL 8.X server virtual instances (downloadable here) and make sure that the machines are able to ping each other. I configured mine with 4GB of RAM and 20GB of storage.
If you have an existing RHEL system you can use to provision the virtual machines, you can use virtual machines in cockpit to spin up the blank RHEL instances and have them share a network.
If you have the proper RHEL subscriptions but some non-RHEL systems, you can also use VM VirtualBox to provision the machines. Here is a tutorial on how to use VirtualBox to create RHEL virtual machines. If using VirtualBox, you can use an internal network to make the machines talk to each other. You should add it as a second network and not replace the NAT adapter (internet connection is going to help).
From installation you can manually assign an IP address for the adapter. I used a manual IP of 192.168.1.1
for the Identity Management machine and 192.168.1.2
for the single sign-on service machine. Both have a netmask of 255.255.255.0
with the gateway empty.
Once you have the instances running with the proper network configuration, register both of the systems.
Tip: In VirtualBox you can also configure the virtual machines to copy and paste between the hosts by following this tutorial if that’s something you want to do for the instructions coming up. That or you can SSH into the machines.
Installing IdM
Now let’s install Identity Management on one of the RHEL machines. Full documentation can be found here.
This machine will act as our IdM server. First, log into the machine as the root user.
# su -
Next, set the hostname to idm.example.com:
# hostnamectl set-hostname idm.example.com
Then free up the ports in the firewall that IdM needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps} # firewall-cmd --reload
Then enable the idm:DL1 stream & switch to the RPMs delivered through it:
# yum module enable idm:DL1 # yum distro-sync
Then download the necessary packages for installing IdM with integrated DNS:
# yum module install idm:DL1/server
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the IdM server for the next steps.
Then run this command to start an unattended installation with passwords of your choosing for the ds-password and admin-password. Remember the passwords:
# ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
Test the installation by logging into the admin user with the password set above
# kinit admin Password for admin@EXAMPLE.COM: admin_password
Then create a test user:
# ipa user-add --first Taco --last Bamba --email bamba@example.com taco
Installing SSO
Now let's install single sign-on for Red Hat solutions on the second machine. Full documentation can be found here.
First, switch to the second machine and log in as the root user.
# su -
Then, set the hostname to sso.example.com:
# hostnamectl set-hostname sso.example.com
You can install SSO by either downloading a ZIP file and unzipping or by using an RPM. We are going to use the Red Hat SSO 7.5 rpm repository.
# subscription-manager repos --enable=jb-eap-7.4-for-rhel-8-x86_64-rpms # subscription-manager repos --enable=rh-sso-7.5-for-rhel-8-x86_64-rpms # dnf groupinstall rh-sso7
After those three commands finish running, your installation is complete! Pretty simple, right? The default RH-SSO_HOME path for the RPM installation is:
/opt/rh/rh-sso7/root/usr/share/keycloak
Let’s examine the purpose of two of the directories inside of the installation we’ll be using:
bin/ |
This contains various scripts to either boot the server or perform some other management action on the server. |
standalone/ |
This contains configuration files and working directory when running single sign-on for Red Hat solutions in standalone mode |
Next you’re going to want to open the required firewall ports
# firewall-cmd --permanent --add-port=8080/tcp # firewall-cmd --permanent --add-port=9990/tcp # firewall-cmd --permanent --add-port=443/tcp # firewall-cmd --reload
Then in the standalone/configuration/standalone.xml
file, change the line that starts with <
socket-binding name=”https” port=”${jboss.https.port:8443}”/>
to <
socket-binding name=”https” port=”${jboss.https.port:443}”/>
.
Starting the single sign-on server
Now we'll start the SSO server.
Run the standalone.sh script (must be run as sudo or the root user). Running the service on 0.0.0.0 will have Keycloak listen on all IP addresses configured on the server.
# cd /opt/rh/rh-sso7/root/usr/share/keycloak/bin # ./standalone.sh -b=0.0.0.0
Single sign-on for Red Hat solutions does not have any configured admin account out of the box. You must create one on the Welcome Page located at http://localhost:8080/auth
on the single sign-on server. This account will allow you to create a user that can log into the master realm’s administration console so that you can start creating realms and users and registering applications to work with SSO.
I use admin
as the username. Make sure you remember these credentials.
Once you are logged in with the admin account, hover on the dropdown on the left in the navigation bar of the administrative console that says Master
and then click the Add Realm
button. Enter the name of the realm to be IdM
and leave it enabled.
Federate the user database in SSO
First download the packages necessary for installing an IdM client on the SSO machine:
# dnf install ipa-client
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the SSO server for the next steps.
Then free up the ports in the firewall that the IdM client needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps} # firewall-cmd --reload
Now edit the /etc/hosts file and add the following at the bottom:
192.168.1.1 idm.example.com
Or if you have a different IP address for the IdM machine:
[ip of idm server] idm.example.com
Now we are going to register the SSO server with IdM using:
# ipa-client-install --domain example.com --server idm.example.com --realm EXAMPLE.COM Proceed with fixed values and no DNS discovery? [no]: yes Do you want to configure chrony with NTP server or pool address? [no]: no Continue to configure the system with these values? [no]: yes … User authorized to enroll computers: admin Password for admin@EXAMPLE.COM: admin_password
Don’t worry if you see a message that says failed to update DNS records, it won’t cause any issues for what we are doing. If you see the last line as:
The ipa-client-install command was successful
…then you’re good to go. You can test it by running the following command and entering the admin password when prompted.
# kinit admin
Then go into the SSO application located at https://localhost:8080/auth
. Make sure you are in the IdM realm. On the left hand navigation menu, select the User Federation button under Configure. Then select `ldap` under the Add provider…
dropdown.
From here you can enter in the following properties:
Property |
Value |
Console Display Name |
IDM |
Priority |
0 |
Import Users |
ON |
Edit Mode |
READ_ONLY |
Sync Registrations |
Off |
Vendor |
Red Hat Directory Server |
Username LDAP attribute |
uid |
RDN LDAP attribute |
uid |
UUID LDAP attribute |
ipaUniqueID |
User Object Classes |
inetOrgPerson, organizationalPerson |
Connection URL |
ldaps://idm.example.com:636 |
Users DN |
cn=users,cn=accounts,dc=example,dc=com |
Search Scope |
One Level |
Bind Type |
simple |
Bind DN |
uid=admin,cn=users,cn=accounts,dc=example,dc=com |
Bind Credential |
Enter the password of the admin account. |
Click Save
and after you save it click Synchronize all users
. Navigate to the Users
button on the left navigation pane. Now when you click View all users
, you can expect to see your IdM test user listed there!
Now you have successfully integrated the IdM users into single sign-on for Red Hat solutions! In this article we installed two RHEL virtual machines, then configured one to run IdM and the other to run SSO. Then we configured SSO to federate users from the IdM server. From here you can start to add SSO for Red Hat solutions as an identity provider to any web application that supports SAML 2.0 or OpenID Connect and be able to login with your IdM credentials.
Sull'autore
Kush Gupta has been at Red Hat as an Associate Solution Architect since 2021, communicating the value of Red Hat technologies such as RHEL, Ansible and OpenShift. He also likes to explore the other parts of the portfolio including IdM and SSO. Gupta likes to read and play soccer in his free time
Altri risultati simili a questo
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit