In this article, we explain how to integrate identity management (IdM) in Red Hat Enterprise Linux (RHEL) with single sign-on (SSO) for Red Hat solutions.
Identity Management
IdM in RHEL is designed to simplify identity management within a Red Hat Enterprise Linux subscription. It provides a centralized and clear method for managing identities for users, machines and services within large Linux enterprise environments.
Single sign-on
SSO for Red Hat solutions is based on the Keycloak project and lets you provide streamlined access to your web applications based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The SSO server can act as a SAML or OpenID Connect-based identity provider, mediating with your enterprise user directory or third-party SSO provider for identity information and with your applications via standards-based tokens. Single sign-on for Red Hat solutions can also federate external user databases.
Here I'll show you how to integrate the IdM users into single sign-on for Red Hat solutions.
Initial state
The starting state of our environment is two separate RHEL 8 instances that are up and running and on the same network. One will run RHEL Identity Management and the other will run the single sign-on service.
Start by creating two fresh RHEL 8.X server virtual instances (downloadable here) and make sure that the machines are able to ping each other. I configured mine with 4GB of RAM and 20GB of storage.
If you have an existing RHEL system you can use to provision the virtual machines, you can use virtual machines in cockpit to spin up the blank RHEL instances and have them share a network.
If you have the proper RHEL subscriptions but some non-RHEL systems, you can also use VM VirtualBox to provision the machines. Here is a tutorial on how to use VirtualBox to create RHEL virtual machines. If using VirtualBox, you can use an internal network to make the machines talk to each other. You should add it as a second network and not replace the NAT adapter (internet connection is going to help).
From installation you can manually assign an IP address for the adapter. I used a manual IP of 192.168.1.1 for the Identity Management machine and 192.168.1.2 for the single sign-on service machine. Both have a netmask of 255.255.255.0 with the gateway empty.
Once you have the instances running with the proper network configuration, register both of the systems.
Tip: In VirtualBox you can also configure the virtual machines to copy and paste between the hosts by following this tutorial if that’s something you want to do for the instructions coming up. That or you can SSH into the machines.
Installing IdM
Now let’s install Identity Management on one of the RHEL machines. Full documentation can be found here.
This machine will act as our IdM server. First, log into the machine as the root user.
# su -
Next, set the hostname to idm.example.com:
# hostnamectl set-hostname idm.example.com
Then free up the ports in the firewall that IdM needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload
Then enable the idm:DL1 stream & switch to the RPMs delivered through it:
# yum module enable idm:DL1
# yum distro-sync
Then download the necessary packages for installing IdM with integrated DNS:
# yum module install idm:DL1/server
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the IdM server for the next steps.
Then run this command to start an unattended installation with passwords of your choosing for the ds-password and admin-password. Remember the passwords:
# ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
Test the installation by logging in as the admin user with the password set above:
# kinit admin
Password for admin@EXAMPLE.COM: admin_password
Then create a test user:
# ipa user-add --first Taco --last Bamba --email bamba@example.com taco
Installing SSO
Now let's install single sign-on for Red Hat solutions on the second machine. Full documentation can be found here.
First, switch to the second machine and log in as the root user.
# su -
Then, set the hostname to sso.example.com:
# hostnamectl set-hostname sso.example.com
You can install SSO by either downloading a ZIP file and unzipping or by using an RPM. We are going to use the Red Hat SSO 7.5 rpm repository.
# subscription-manager repos --enable=jb-eap-7.4-for-rhel-8-x86_64-rpms
# subscription-manager repos --enable=rh-sso-7.5-for-rhel-8-x86_64-rpms
# dnf groupinstall rh-sso7
After those three commands finish running, your installation is complete! Pretty simple, right? The default RH-SSO_HOME path for the RPM installation is:
/opt/rh/rh-sso7/root/usr/share/keycloak
Let’s examine the purpose of two of the directories inside of the installation we’ll be using:
bin/ | This contains various scripts to either boot the server or perform some other management action on the server.
standalone/ | This contains configuration files and the working directory when running single sign-on for Red Hat solutions in standalone mode.
Next you're going to want to open the required firewall ports:
# firewall-cmd --permanent --add-port=8080/tcp
# firewall-cmd --permanent --add-port=9990/tcp
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload
Then in the standalone/configuration/standalone.xml file, change the line that starts with <socket-binding name="https" port="${jboss.https.port:8443}"/> to <socket-binding name="https" port="${jboss.https.port:443}"/>.
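As an added example (not code from the article), the standalone.xml edit above done as a small Python helper that refuses to touch a file unless it finds exactly one https socket-binding, keeps a backup, and is safe to re-run. The function names and the sample XML are my own; the sample is constructed to mirror the default binding line quoted above.

```python
import re
import sys
from pathlib import Path

# Hypothetical helper for the edit described in the article: rewrite the port in
#   <socket-binding name="https" port="${jboss.https.port:8443}"/>
# Only the binding named "https" is matched, so "management-https" is untouched.
_HTTPS_BINDING = re.compile(
    r'(<socket-binding\s+name="https"\s+port="\$\{jboss\.https\.port:)(\d+)(\}")'
)


def set_https_port(xml_text: str, new_port: int = 443) -> tuple:
    """Return (rewritten text, port that was there before).

    Raises ValueError if the https binding is missing or appears more than once,
    so a hand-edited or unexpected file is never silently half-changed.
    """
    matches = _HTTPS_BINDING.findall(xml_text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one https socket-binding, found {len(matches)}")
    old_port = int(matches[0][1])
    new_text = _HTTPS_BINDING.sub(rf"\g<1>{new_port}\g<3>", xml_text, count=1)
    return new_text, old_port


def patch_file(path: str, new_port: int = 443) -> int:
    """Patch standalone.xml in place, writing a .bak copy first. Returns the old port."""
    p = Path(path)
    original = p.read_text()
    updated, old_port = set_https_port(original, new_port)
    if old_port != new_port:                       # nothing to do on a second run
        p.with_suffix(p.suffix + ".bak").write_text(original)
        p.write_text(updated)
    return old_port


# Constructed sample: the relevant fragment of a default standalone.xml.
SAMPLE_XML = """<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
</socket-binding-group>
"""


if __name__ == "__main__":
    # Usage: python patch_https_port.py /opt/rh/rh-sso7/root/usr/share/keycloak/standalone/configuration/standalone.xml
    target = sys.argv[1] if len(sys.argv) > 1 else "standalone.xml"
    print(f"https binding was on port {patch_file(target)}; now 443")
```

Run it once after the RPM install; a second run is a no-op because `patch_file` sees the port is already 443 and writes nothing.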
Starting the single sign-on server
Now we'll start the SSO server.
Run the standalone.sh script (must be run as sudo or the root user). Running the service on 0.0.0.0 will have Keycloak listen on all IP addresses configured on the server.
# cd /opt/rh/rh-sso7/root/usr/share/keycloak/bin
# ./standalone.sh -b=0.0.0.0
Single sign-on for Red Hat solutions does not have any configured admin account out of the box. You must create one on the Welcome Page located at http://localhost:8080/auth on the single sign-on server. This account will allow you to create a user that can log into the master realm's administration console so that you can start creating realms and users and registering applications to work with SSO. I use admin as the username. Make sure you remember these credentials.
Once you are logged in with the admin account, hover on the dropdown on the left in the navigation bar of the administrative console that says Master and then click the Add Realm button. Enter the name of the realm to be IdM and leave it enabled.
Federate the user database in SSO
First download the packages necessary for installing an IdM client on the SSO machine:
# dnf install ipa-client
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the SSO server for the next steps.
Then free up the ports in the firewall that the IdM client needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload
Now edit the /etc/hosts file and add the following at the bottom:
192.168.1.1 idm.example.com
Or if you have a different IP address for the IdM machine:
[ip of idm server] idm.example.com
Now we are going to register the SSO server with IdM using:
# ipa-client-install --domain example.com --server idm.example.com --realm EXAMPLE.COM
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Continue to configure the system with these values? [no]: yes
…
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: admin_password
Don’t worry if you see a message that says failed to update DNS records, it won’t cause any issues for what we are doing. If you see the last line as:
The ipa-client-install command was successful
…then you’re good to go. You can test it by running the following command and entering the admin password when prompted.
# kinit admin
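Before pointing SSO at the directory, it is worth confirming from the SSO machine that idm.example.com resolves the way the /etc/hosts entry above intends and that the LDAPS port answers with a certificate chained to the IdM CA. The following is an added example, not the article's own code: the function names are mine, the addresses follow the article, and /etc/ipa/ca.crt is the CA copy that ipa-client-install places on an enrolled client. The hosts text in the test is constructed.

```python
import socket
import ssl

IPA_CA_CERT = "/etc/ipa/ca.crt"   # written by ipa-client-install on the enrolled SSO host


def resolve_from_hosts(hosts_text: str, name: str):
    """Return the address /etc/hosts maps `name` to, or None.

    Comments are stripped, the first matching line wins, and only alias fields
    (not the address field) are compared, mirroring how the resolver reads the file.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if name in fields[1:]:
            return fields[0]
    return None


def ldaps_reachable(host: str = "idm.example.com", port: int = 636,
                    ca_file: str = IPA_CA_CERT, timeout: float = 5.0) -> bool:
    """Open a TLS session to the IdM LDAPS port trusting only the IPA CA.

    A plain TCP check would pass even if the wrong host answered; requiring a
    certificate chained to ca_file and matching `host` checks what Keycloak's
    ldaps:// connection will later rely on.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert() is not None
    except OSError:                 # refused, timed out, or TLS verification failed
        return False


def preflight(idm_name: str = "idm.example.com", expected_ip: str = "192.168.1.1") -> dict:
    """Collect the checks a practitioner wants green before configuring federation."""
    with open("/etc/hosts") as fh:
        mapped = resolve_from_hosts(fh.read(), idm_name)
    return {
        "hosts_entry_present": mapped == expected_ip,
        "ldaps_trusted": ldaps_reachable(idm_name),
    }


if __name__ == "__main__":
    for check, ok in preflight().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```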
Then go into the SSO application located at https://localhost:8080/auth. Make sure you are in the IdM realm. On the left hand navigation menu, select the User Federation button under Configure. Then select `ldap` under the Add provider… dropdown.
From here you can enter in the following properties:
Property | Value
Console Display Name | IDM
Priority | 0
Import Users | ON
Edit Mode | READ_ONLY
Sync Registrations | Off
Vendor | Red Hat Directory Server
Username LDAP attribute | uid
RDN LDAP attribute | uid
UUID LDAP attribute | ipaUniqueID
User Object Classes | inetOrgPerson, organizationalPerson
Connection URL | ldaps://idm.example.com:636
Users DN | cn=users,cn=accounts,dc=example,dc=com
Search Scope | One Level
Bind Type | simple
Bind DN | uid=admin,cn=users,cn=accounts,dc=example,dc=com
Bind Credential | Enter the password of the admin account.
Click Save and after you save it click Synchronize all users. Navigate to the Users button on the left navigation pane. Now when you click View all users, you can expect to see your IdM test user listed there!
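The property table and the Save / Synchronize all users steps above can also be driven without the console, which is how you would reproduce the federation setup on a second SSO server or keep it in version control. The following is an added example, not code from the article or from the Keycloak project: it uses the Keycloak admin REST API (password grant against the master realm with the built-in admin-cli client, POST to the realm's components endpoint, then the user-storage sync endpoint) and the LDAP provider's config key names, with the console's "One Level" encoded as searchScope "1" and "Red Hat Directory Server" as vendor "rhds". Hostnames, realm and the admin username follow the article; the two passwords are prompted at run time rather than written in the script.

```python
import json
import urllib.parse
import urllib.request

SSO_BASE = "http://localhost:8080/auth"   # RH-SSO as started in the article
REALM = "IdM"

# Keycloak encodes the console's "Search Scope" as "1" (One Level) or "2" (Subtree)
# and "Vendor: Red Hat Directory Server" as "rhds".
SEARCH_SCOPE_ONE_LEVEL = "1"
VENDOR_RHDS = "rhds"


def ldap_provider_payload(bind_password: str) -> dict:
    """ComponentRepresentation equivalent to the property table above.
    Keycloak stores every config value as a list of strings."""
    return {
        "name": "IDM",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {
            "enabled": ["true"],
            "priority": ["0"],
            "importEnabled": ["true"],            # Import Users: ON
            "editMode": ["READ_ONLY"],
            "syncRegistrations": ["false"],       # Sync Registrations: Off
            "vendor": [VENDOR_RHDS],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["ipaUniqueID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "connectionUrl": ["ldaps://idm.example.com:636"],
            "usersDn": ["cn=users,cn=accounts,dc=example,dc=com"],
            "searchScope": [SEARCH_SCOPE_ONE_LEVEL],
            "authType": ["simple"],                # Bind Type
            "bindDn": ["uid=admin,cn=users,cn=accounts,dc=example,dc=com"],
            "bindCredential": [bind_password],
        },
    }


def admin_token(base: str, username: str, password: str) -> str:
    """Password grant on the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token",
                                 data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def component_id_from_location(location: str) -> str:
    """The create call answers 201 with a Location header whose last segment is the id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def create_ldap_provider(base: str, realm: str, token: str, payload: dict) -> str:
    req = urllib.request.Request(
        f"{base}/admin/realms/{realm}/components",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return component_id_from_location(resp.headers["Location"])


def sync_url(base: str, realm: str, component_id: str) -> str:
    """Endpoint behind the console's "Synchronize all users" button."""
    return f"{base}/admin/realms/{realm}/user-storage/{component_id}/sync?action=triggerFullSync"


def trigger_full_sync(base: str, realm: str, token: str, component_id: str) -> dict:
    req = urllib.request.Request(sync_url(base, realm, component_id), data=b"",
                                 headers={"Authorization": f"Bearer {token}"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)   # added / updated / removed / failed counts


if __name__ == "__main__":
    import getpass
    token = admin_token(SSO_BASE, "admin", getpass.getpass("SSO admin password: "))
    payload = ldap_provider_payload(getpass.getpass("IdM admin (bind) password: "))
    cid = create_ldap_provider(SSO_BASE, REALM, token, payload)
    print(trigger_full_sync(SSO_BASE, REALM, token, cid))
```

The sync result tells you how many entries were added or failed, which is the same number the console reports after Synchronize all users; a failed count with zero added usually points at the bind DN, the users DN or LDAPS trust rather than at Keycloak itself.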
Now you have successfully integrated the IdM users into single sign-on for Red Hat solutions! In this article we installed two RHEL virtual machines, then configured one to run IdM and the other to run SSO. Then we configured SSO to federate users from the IdM server. From here you can add SSO for Red Hat solutions as an identity provider to any web application that supports SAML 2.0 or OpenID Connect and log in with your IdM credentials.
About the author
Kush Gupta has been at Red Hat as an Associate Solution Architect since 2021, communicating the value of Red Hat technologies such as RHEL, Ansible and OpenShift. He also likes to explore the other parts of the portfolio including IdM and SSO. Gupta likes to read and play soccer in his free time.