Account 登录

In this article, we explain how to integrate identity management (IdM) in Red Hat Enterprise Linux (RHEL) with single sign-on (SSO) for Red Hat solutions.

Identity Management

IdM in RHEL is designed to simplify identity management within a Red Hat Enterprise Linux subscription. It provides a centralized and clear method for managing identities for users, machines and services within large Linux enterprise environments.

Single sign-on

SSO for Red Hat solutions is based on the Keycloak project and lets you provide streamline access to your web applications based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The SSO server can act as a SAML or OpenID Connect-based identity provider, mediating with your enterprise user directory or third-party SSO provider for identity information and your applications via standards-based tokens. Single sign-on for Red Hat solutions can also federate external user databases.

Here I'll show you how to integrate the IdM users into single sign-on for Red Hat solutions.

Initial state

The starting state of our environment is two separate RHEL 8 instances that are up and running and on the same network. One will run RHEL Identity Management and the other will run the single sign-on service.

Start by creating two fresh RHEL 8.X server virtual instances (downloadable here) and make sure that the machines are able to ping each other. I configured mine with 4GB of RAM and 20GB of storage.

If you have an existing RHEL system you can use to provision the virtual machines, you can use virtual machines in cockpit to spin up the blank RHEL instances and have them share a network. 

If you have the proper RHEL subscriptions but some non-RHEL systems, you can also use VM VirtualBox to provision the machines. Here is a tutorial on how to use VirtualBox to create RHEL virtual machines. If using VirtualBox, you can use an internal network to make the machines talk to each other. You should add it as a second network and not replace the NAT adapter (internet connection is going to help). 

From installation you can manually assign an IP address for the adapter. I used a manual IP of for the Identity Management machine and for the single sign-on service machine. Both have a netmask of with the gateway empty. 

Once you have the instances running with the proper network configuration, register both of the systems.

Tip: In VirtualBox you can also configure the virtual machines to copy and paste between the hosts by following this tutorial if that’s something you want to do for the instructions coming up. That or you can SSH into the machines.

Installing IdM

Now let’s install Identity Management on one of the RHEL machines. Full documentation can be found here.

This machine will act as our IdM server. First, log into the machine as the root user. 

# su -

Next, set the hostname to

# hostnamectl set-hostname

Then free up the ports in the firewall that IdM needs: 

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload

Then enable the idm:DL1 stream & switch to the RPMs delivered through it:

# yum module enable idm:DL1
# yum distro-sync

Then download the necessary packages for installing IdM with integrated DNS:

# yum module install idm:DL1/server

At this point you must turn off the network adapter that is linked to the internet, we won't need it on the IdM server for the next steps.

Then run this command to start an unattended installation with passwords of your choosing for the ds-password and admin-password. Remember the passwords:

# ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended

Test the installation by logging into the admin user with the password set above

# kinit admin
Password for admin@EXAMPLE.COM:  admin_password

Then create a test user:

#  ipa user-add --first Taco --last Bamba --email taco

Installing SSO

Now let's  install single sign-on for Red Hat solutions on the second machine. Full documentation can be found here.

First, switch to the second machine and log in as the root user.

# su -

Then, set the hostname to

# hostnamectl set-hostname

You can install SSO by either downloading a ZIP file and unzipping or by using an RPM. We are going to use the Red Hat SSO 7.5 rpm repository.

# subscription-manager repos --enable=jb-eap-7.4-for-rhel-8-x86_64-rpms 
# subscription-manager repos --enable=rh-sso-7.5-for-rhel-8-x86_64-rpms
# dnf groupinstall rh-sso7

After those three commands finish running, your installation is complete! Pretty simple, right? The default RH-SSO_HOME path for the RPM installation is:


Let’s examine the purpose of two of the directories inside of the installation we’ll be using:


This contains various scripts to either boot the server or perform some other management action on the server.


This contains configuration files and working directory when running single sign-on for Red Hat solutions in standalone mode

Next you’re going to want to open the required firewall ports

# firewall-cmd --permanent --add-port=8080/tcp
# firewall-cmd --permanent --add-port=9990/tcp
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload

Then in the standalone/configuration/standalone.xml file, change the line that starts with <socket-binding name="https" port="${jboss.https.port:8443}"/> to <socket-binding name="https" port="${jboss.https.port:443}"/>.

Starting the single sign-on server

Now we'll start the SSO server.

Run the script (must be run as sudo or the root user). Running the service on will have Keycloak listen on all IP addresses configured on the server.

# cd /opt/rh/rh-sso7/root/usr/share/keycloak/bin
# ./ -b=

Single sign-on for Red Hat solutions does not have any configured admin account out of the box. You must create one on the Welcome Page located at http://localhost:8080/auth on the single sign-on server. This account will allow you to create a user that can log into the master realm’s administration console so that you can start creating realms and users and registering applications to work with SSO. 

I use admin as the username. Make sure you remember these credentials.

Once you are logged in with the admin account, hover on the dropdown on the left in the navigation bar of the administrative console that says Master and then click the Add Realm  button. Enter the name of the realm to be IdM and leave it enabled.

Federate the user database in SSO

First download the packages necessary for installing an IdM client on the SSO machine:

# dnf install ipa-client

At this point you must turn off the network adapter that is linked to the internet, we won't need it on the SSO server for the next steps.

Then free up the ports in the firewall that the IdM client needs: 

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps}
# firewall-cmd --reload

Now edit the /etc/hosts file and add the following at the bottom:

Or if you have a different IP address for the IdM machine:

[ip of idm server]

Now we are going to register the SSO server with IdM using:

# ipa-client-install  --domain --server --realm EXAMPLE.COM
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Continue to configure the system with these values? [no]: yes

User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: admin_password

Don’t worry if you see a message that says failed to update DNS records, it won’t cause any issues for what we are doing. If you see the last line as: 

The ipa-client-install command was successful

…then you’re good to go. You can test it by running the following command and entering the admin password when prompted.

# kinit admin

Then go into the SSO application located at https://localhost:8080/auth. Make sure you are in the IdM realm. On the left hand navigation menu, select the User Federation button under Configure. Then select `ldap` under the Add provider… dropdown.

From here you can enter in the following properties:



Console Display Name




Import Users


Edit Mode


Sync Registrations



Red Hat Directory Server

Username LDAP attribute


RDN LDAP attribute


UUID LDAP attribute


User Object Classes

inetOrgPerson, organizationalPerson

Connection URL


Users DN


Search Scope

One Level

Bind Type


Bind DN


Bind Credential

Enter the password of the admin account.


Click Save and after you save it click Synchronize all users. Navigate to the Users button on the left navigation pane. Now when you click View all users, you can expect to see your IdM test user listed there! 

Now you have successfully integrated the IdM users into single sign-on for Red Hat solutions! In this article we installed two RHEL virtual machines, then configured one to run IdM and the other to run SSO. Then we configured SSO to federate users from the IdM server. From here you can start to add SSO for Red Hat solutions as an identity provider to any web application that supports SAML 2.0 or OpenID Connect and be able to login with your IdM credentials.


About the author

Kush Gupta has been at Red Hat as an Associate Solution Architect since 2021, communicating the value of Red Hat technologies such as RHEL, Ansible and OpenShift. He also likes to explore the other parts of the portfolio including IdM and SSO. Gupta likes to read and play soccer in his free time

Read full bio
Red Hat logo LinkedInYouTubeFacebookTwitter






我们是世界领先的企业开源解决方案供应商,提供包括 Linux、云、容器和 Kubernetes。我们致力于提供经过安全强化的解决方案,从核心数据中心到网络边缘,让企业能够更轻松地跨平台和环境运营。

订阅我们的新闻稿 Red Hat Shares



© 2022 Red Hat, Inc. 京ICP备09066747号 Red Hat Summit