In this article, we explain how to integrate identity management (IdM) in Red Hat Enterprise Linux (RHEL) with single sign-on (SSO) for Red Hat solutions.
Identity Management
IdM in RHEL is designed to simplify identity management within a Red Hat Enterprise Linux subscription. It provides a centralized and clear method for managing identities for users, machines and services within large Linux enterprise environments.
Single sign-on
SSO for Red Hat solutions is based on the Keycloak project and lets you provide streamline access to your web applications based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The SSO server can act as a SAML or OpenID Connect-based identity provider, mediating with your enterprise user directory or third-party SSO provider for identity information and your applications via standards-based tokens. Single sign-on for Red Hat solutions can also federate external user databases.
Here I'll show you how to integrate the IdM users into single sign-on for Red Hat solutions.
Initial state
The starting state of our environment is two separate RHEL 8 instances that are up and running and on the same network. One will run RHEL Identity Management and the other will run the single sign-on service.
Start by creating two fresh RHEL 8.X server virtual instances (downloadable here) and make sure that the machines are able to ping each other. I configured mine with 4GB of RAM and 20GB of storage.
If you have an existing RHEL system you can use to provision the virtual machines, you can use virtual machines in cockpit to spin up the blank RHEL instances and have them share a network.
If you have the proper RHEL subscriptions but some non-RHEL systems, you can also use VM VirtualBox to provision the machines. Here is a tutorial on how to use VirtualBox to create RHEL virtual machines. If using VirtualBox, you can use an internal network to make the machines talk to each other. You should add it as a second network and not replace the NAT adapter (internet connection is going to help).
From installation you can manually assign an IP address for the adapter. I used a manual IP of 192.168.1.1
for the Identity Management machine and 192.168.1.2
for the single sign-on service machine. Both have a netmask of 255.255.255.0
with the gateway empty.
Once you have the instances running with the proper network configuration, register both of the systems.
Tip: In VirtualBox you can also configure the virtual machines to copy and paste between the hosts by following this tutorial if that’s something you want to do for the instructions coming up. That or you can SSH into the machines.
Installing IdM
Now let’s install Identity Management on one of the RHEL machines. Full documentation can be found here.
This machine will act as our IdM server. First, log into the machine as the root user.
# su -
Next, set the hostname to idm.example.com:
# hostnamectl set-hostname idm.example.com
Then free up the ports in the firewall that IdM needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps} # firewall-cmd --reload
Then enable the idm:DL1 stream & switch to the RPMs delivered through it:
# yum module enable idm:DL1 # yum distro-sync
Then download the necessary packages for installing IdM with integrated DNS:
# yum module install idm:DL1/server
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the IdM server for the next steps.
Then run this command to start an unattended installation with passwords of your choosing for the ds-password and admin-password. Remember the passwords:
# ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
Test the installation by logging into the admin user with the password set above
# kinit admin Password for admin@EXAMPLE.COM: admin_password
Then create a test user:
# ipa user-add --first Taco --last Bamba --email bamba@example.com taco
Installing SSO
Now let's install single sign-on for Red Hat solutions on the second machine. Full documentation can be found here.
First, switch to the second machine and log in as the root user.
# su -
Then, set the hostname to sso.example.com:
# hostnamectl set-hostname sso.example.com
You can install SSO by either downloading a ZIP file and unzipping or by using an RPM. We are going to use the Red Hat SSO 7.5 rpm repository.
# subscription-manager repos --enable=jb-eap-7.4-for-rhel-8-x86_64-rpms # subscription-manager repos --enable=rh-sso-7.5-for-rhel-8-x86_64-rpms # dnf groupinstall rh-sso7
After those three commands finish running, your installation is complete! Pretty simple, right? The default RH-SSO_HOME path for the RPM installation is:
/opt/rh/rh-sso7/root/usr/share/keycloak
Let’s examine the purpose of two of the directories inside of the installation we’ll be using:
bin/ |
This contains various scripts to either boot the server or perform some other management action on the server. |
standalone/ |
This contains configuration files and working directory when running single sign-on for Red Hat solutions in standalone mode |
Next you’re going to want to open the required firewall ports
# firewall-cmd --permanent --add-port=8080/tcp # firewall-cmd --permanent --add-port=9990/tcp # firewall-cmd --permanent --add-port=443/tcp # firewall-cmd --reload
Then in the standalone/configuration/standalone.xml
file, change the line that starts with <
socket-binding name=”https” port=”${jboss.https.port:8443}”/>
to <
socket-binding name=”https” port=”${jboss.https.port:443}”/>
.
Starting the single sign-on server
Now we'll start the SSO server.
Run the standalone.sh script (must be run as sudo or the root user). Running the service on 0.0.0.0 will have Keycloak listen on all IP addresses configured on the server.
# cd /opt/rh/rh-sso7/root/usr/share/keycloak/bin # ./standalone.sh -b=0.0.0.0
Single sign-on for Red Hat solutions does not have any configured admin account out of the box. You must create one on the Welcome Page located at http://localhost:8080/auth
on the single sign-on server. This account will allow you to create a user that can log into the master realm’s administration console so that you can start creating realms and users and registering applications to work with SSO.
I use admin
as the username. Make sure you remember these credentials.
Once you are logged in with the admin account, hover on the dropdown on the left in the navigation bar of the administrative console that says Master
and then click the Add Realm
button. Enter the name of the realm to be IdM
and leave it enabled.
Federate the user database in SSO
First download the packages necessary for installing an IdM client on the SSO machine:
# dnf install ipa-client
At this point you must turn off the network adapter that is linked to the internet, we won't need it on the SSO server for the next steps.
Then free up the ports in the firewall that the IdM client needs:
# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps} # firewall-cmd --reload
Now edit the /etc/hosts file and add the following at the bottom:
192.168.1.1 idm.example.com
Or if you have a different IP address for the IdM machine:
[ip of idm server] idm.example.com
Now we are going to register the SSO server with IdM using:
# ipa-client-install --domain example.com --server idm.example.com --realm EXAMPLE.COM Proceed with fixed values and no DNS discovery? [no]: yes Do you want to configure chrony with NTP server or pool address? [no]: no Continue to configure the system with these values? [no]: yes … User authorized to enroll computers: admin Password for admin@EXAMPLE.COM: admin_password
Don’t worry if you see a message that says failed to update DNS records, it won’t cause any issues for what we are doing. If you see the last line as:
The ipa-client-install command was successful
…then you’re good to go. You can test it by running the following command and entering the admin password when prompted.
# kinit admin
Then go into the SSO application located at https://localhost:8080/auth
. Make sure you are in the IdM realm. On the left hand navigation menu, select the User Federation button under Configure. Then select `ldap` under the Add provider…
dropdown.
From here you can enter in the following properties:
Property |
Value |
Console Display Name |
IDM |
Priority |
0 |
Import Users |
ON |
Edit Mode |
READ_ONLY |
Sync Registrations |
Off |
Vendor |
Red Hat Directory Server |
Username LDAP attribute |
uid |
RDN LDAP attribute |
uid |
UUID LDAP attribute |
ipaUniqueID |
User Object Classes |
inetOrgPerson, organizationalPerson |
Connection URL |
ldaps://idm.example.com:636 |
Users DN |
cn=users,cn=accounts,dc=example,dc=com |
Search Scope |
One Level |
Bind Type |
simple |
Bind DN |
uid=admin,cn=users,cn=accounts,dc=example,dc=com |
Bind Credential |
Enter the password of the admin account. |
Click Save
and after you save it click Synchronize all users
. Navigate to the Users
button on the left navigation pane. Now when you click View all users
, you can expect to see your IdM test user listed there!
Now you have successfully integrated the IdM users into single sign-on for Red Hat solutions! In this article we installed two RHEL virtual machines, then configured one to run IdM and the other to run SSO. Then we configured SSO to federate users from the IdM server. From here you can start to add SSO for Red Hat solutions as an identity provider to any web application that supports SAML 2.0 or OpenID Connect and be able to login with your IdM credentials.
Sobre o autor
Kush Gupta has been at Red Hat as an Associate Solution Architect since 2021, communicating the value of Red Hat technologies such as RHEL, Ansible and OpenShift. He also likes to explore the other parts of the portfolio including IdM and SSO. Gupta likes to read and play soccer in his free time
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit