Red Hat Single Sign-On Administration
- Section Authenticate Users with Red Hat Single Sign-On
- Guided Exercise: Authenticate Users with Red Hat Single Sign-On
- Authorize Users with Red Hat Single Sign-On
- Guided Exercise: Authorize Users with Red Hat Single Sign-On
- Customize authentication with Red Hat Single Sign-On
- Guided Exercise: Customize authentication with Red Hat Single Sign-On
- Lab: Authentication and Authorization
- Summary
Abstract
| Goal |
Configure authentication and authorization for applications. |
| Objectives |
|
| Sections |
|
| Lab |
|
Configure Red Hat Single Sign-On to authenticate users and applications using the OpenID Connect (OIDC) protocol
Red Hat Single Sign-On (RH-SSO) uses the three main sets of standards related to access control in web environments: Security Assertion Markup Language 2 (SAML), Open Authorization 2 (OAuth2), and OpenID Connect (OIDC).
OAuth2 is a set of standards designed for delegating the authorization of a user accessing a protected resource. The application serving the protected resource delegates the authorization to a third-party server. The user gains access without revealing their credentials to the application serving the protected resource.
For example, a user with an account in the Google identity provider can allow the OpenStreetMap web page access to some data in that identity provider. When the user logs in to the OpenStreetMap web page, it shows several third-party authorization providers.
 |
If the user chooses Google as a third party provider, then the browser redirects the user to the Google login page. Google asks for the credentials, and then asks if the user consents to providing identity information to OpenStreetMap. If the answer is positive, then the Google authentication provider sends the authorization information to the OpenStreetMap web page. Then, the OpenStreetMap web page grants the user access to the protected resources in the web page. The OpenStreetMap page does not store, nor even know the username and password, but the user gets the authorization.
The OAuth2 set of standards does not define any format for the exchanged information. Furthermore, OAuth2 only delegates the authorization, but not the authentication. OAuth2 was created to allow external public applications access to resources in a protected domain.
OIDC extends the OAuth2 standards, and adds the authentication layer and the SSO session management. OIDC also defines the formats for the exchanged information by using the JavaScript Object Notation (JSON), and the JSON Web Token (JWT). OAuth2 and OIDC belong to the same family of web standards for access control.
The SAML standard is older than OIDC, but it is still present in the enterprise landscape. SAML is an XML-based standard used for exchanging access control information. Thus, SAML defines strictly the format of the exchanged information. The SAML format is called the SAML assertion. RH-SSO can use both standards in the same realm to authenticate different clients.
- Common concepts
These three standards manage similar concepts with different names. The following table describes common concepts to all SSO standards:
Table 3.1. Concepts from the three SSO standards.
| OAuth2 | OIDC | SAML | Description |
|---|---|---|---|
| Resource owner | End user | Principal or subject | The user that tries to access |
| Client | Relying Party or Service Provider | Service Provider | A service, or application, which hosts protected resources. RH-SSO names it "client" |
| Authorization server | OpenID provider or Identity provider (IdP) | Identity provider (IdP) | The server that issues access to the client. The role of RH-SSO server |
| Token (no format) | JWT Token | Assertion (XML in SOAP) | Representation of information containing access control data |
| Grant | Flow | Flow or Profile | The process of requests and responses used by the SSO system to authenticate or authorize a user |
- SAML versus OIDC
Both SAML and OIDC standards address the same concerns about access control to enterprise services, public services or mixed services. Both SAML and OIDC define one or more processes to delegate authorization (OAuth2), or authentication and authorization (OIDC and SAML) to one or more third-party identity providers.
The SAML standard was established earlier than OAuth2 and OIDC, in 2005. Thus, SAML is widely present in enterprise environments, and there are an elevated number of homemade applications, and software products that support out-of-the-box integration with a SAML identity provider.
However, OIDC finalized its definition more recently, in 2014. OIDC is natively designed for working with web architectures, and with different devices, such as smartphones, or smart televisions. SAML has an issue with single-page applications (SPA), or native applications, running in devices with limited user interfaces or limited computing power: SAML needs the private key to sign each request to the SAML IdP. If somebody compromises the device, then the attacker can impersonate the user to perform HTTP requests by signing in with that key.
OIDC is lighter than SAML, because the JSON format of requests and responses defines much smaller messages between the parties of the SSO system.
OAuth2, and therefore OIDC, make it easier to federate more than one identity provider in the same RH-SSO realm.
Furthermore, SAML has a higher learning curve than OAuth2 and OIDC because its flows and profiles are more complex than OIDC.
Unless you have previously existing SAML applications, Red Hat recommends you choose OIDC over SAML for your SSO architectures.
- OpenID Connect Tokens
OIDC uses a family of standards called JavaScript Object Signing and Encryption (JOSE). The main standard in JOSE is JSON Web Token (JWT, RFC 7519). The JWT token is a standard format for representing information in a non-opaque piece of text data. Some of JWT advantages are the following:
Simplicity to parse in many programming languages.
Easy to propagate by networks.
Capability of validating the integrity of the message without calling an external validator, or using computing intensive validations.
The following is an example of a JWT token:
 |
The JWT token is formed by three parts separated by the period symbol: the headers, the payload, and the hash signature. Each part is encoded in Base64.
If we decode the token with Base64 we obtain the following JWT:
{
"alg":"RS256",
"typ" : "JWT",
"kid" : "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
}
{
"exp":1671702090,
"iat":1671702030,
"auth_time":1671702030,
"jti":"8ac4a249-37df-4733-826a-a2cdde581402",
"iss":"https://sso.lab.example.com:8080/auth/realms/rhtraining",
"sub":"6672d52f-d722-46ea-8a9c-4e190bd96749",
"typ":"Bearer",
"azp":"finance-webapp",
"session_state":"58db041e-90f3-4e98-8de7-c752b3b7d123",
"acr":"1",
"allowed-origins":
["http://localhost:8080"],
"realm_access":
{"roles":
["finance-admin","finance-user","marketing-user"]
},
"scope":"openid email profile",
"sid":"58db041e-90f3-4e98-8de7-c752b3b7d123",
"email_verified":false,
"name":"Alice Liddel",
"preferred_username":"alice",
"given_name":"Alice",
"family_name":"Liddel",
"email":"alice@keycloak.org"
}
...signature omitted...The third part of the token, the signature, is composed by the concatenation of the encoded header, the encoded payload, and the result of applying a signing algorithm.
In RH-SSO the default signing algorithm for JWT tokens is RS256.
This default algorithm can be customized at the realm level from Configure → Realm Settings in the RH-SSO Admin Console, or at a client level, from Configure → Clients, under the Fine Grain OpenID Connect Configuration section.
Each entry in the JSON data is called a claim.
The OIDC standard defines four types of tokens:
ID token: Required to be JWT in OIDC. An ID token is a result of a correct authentication flow. The ID token represents the user identity, and it is not emitted for a concrete client, or service provider. Thus, if an attacker steals the ID token, then he can obtain access to all the protected resources of the user. Your developers should not use the ID token to call other protected services.
Access or Bearer token: Defined in the OAuth2 specifications. RH-SSO uses the JWT format for the access token. An access token is a result of a delegated authorization flow. The access token represents an authorization for accessing a specific protected resource. Your developers should use the access tokens to call other protected services.
Refresh token: All tokens have an expiration, which is reflected in the
expclaim. In RH-SSO, ID tokens and access tokens have a lifespan of one minute. This default lifespan can be customized in the RH-SSO Admin Console at the realm level, from the Configure → Realm Settings, in the Tokens tab; or at a client level, from the Configure → Clients, under theAdvanced Settingssection. OIDC defines the mechanism to renew an ID token or an access token when it is expired. This refresh flow uses the refresh token to ask for a new ID or access token to the identity provider.Offline token: A special category of refresh tokens, with the capability of requesting an access token even when there is no active session. Offline tokens are stored in the persistent storage of the web browser, and in the RH-SSO database.
Note
To see the meaning of each token claim in a ID token, refer to section 4 of the JWT specification at https://www.rfc-editor.org/rfc/rfc7519#section-4
To see the meaning of each token claim in an access token, refer to section 4 of the RFC 8693 OAuth 2.0 Token Exchange specification at https://www.rfc-editor.org/rfc/rfc8693#name-json-web-token-claims-and-i
- Web SSO endpoints
Each standard defines a collection of endpoints in the identity server. These endpoints let you send a request to the identity server to start different processes or flows related to authentication and authorization. The OIDC standard, added endpoints for self-registration of new clients and users, an endpoint for requesting user info, and endpoints for discovering the configuration of the identity provider.
Note
You can see the OIDC endpoints at https://
RH-SSO-server/auth/realms/realm_name/.well-known/openid-configuration
You can see the SAML configuration at https://
RH-SSO-server/auth/realms/realm_name/protocol/saml/descriptor
- OIDC Authentication and Authorization Flows
The authentication and authorization flows define the processes used to obtain the tokens when the user is authenticated. OAuth2 define many authorization flows, known as grants. OIDC defines other different flows, that use and extend the OAuth2 grants. Each flow defines which requests and parameters your developers need to use in every step of the authentication or authorization process, by using the web endpoints of the OIDC standard.
In RH-SSO, you configure which flows you allow in each client configuration within the Admin Console, from Configure → Clients, in the Settings tab.
In addition to the flows, each client can be of three types:
The
confidentialclient accesses the identity server with its own secret to initiate the login protocol. The browser does not receive the ID token.The
publicclient accesses the identity server with the user credentials to initiate the login protocol. The browser receives the ID token.The
Bearer onlyclient never starts a login protocol, and can only be accessed with an access token.
From the application perspective, the developer chooses the flow and client type, by configuring the OIDC library, or RH-SSO adapter, that the application uses.
This lecture describes only the recommended flows, and the flows that you must use depending on the type of client or application. To learn more about all the OIDC flows supported by RH-SSO, refer to the OIDC auth flows section of the Server Configuration Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_administration_guide/index#con-oidc-auth-flows_server_administration_guide
The recommended default flow is the OIDC Authorization Code Flow with confidential clients. The following diagram is an UML sequence diagram depicting the flow:
The user navigates to a protected resource in a service provider.
The service provider redirects the user browser to the RH-SSO identity provider, by using its authentication endpoint with the
scope=openidparameter.
The RH-SSO identity provider verifies if an SSO session exists. If it does not exist, then it asks for user credentials
The user sends the credentials, and the identity provider authenticates the user. Then, it sends a temporary authentication code to the service provider.
The service provider requests, from the identity provider, all the user tokens, by using the temporary code.
The service provider identifies the user by using the ID token, authorizes the user by using the access token, and creates an HTTP session.
The user, if allowed, accesses the protected resource.
The hybrid flow is different from the authorization code flow in the step that returns the temporary code. The hybrid flow returns also the ID token in this step.
The client credentials flow, or more specifically the client credentials grant from OAuth2, is called Service Account in RH-SSO. It is used when the application client accesses the protected resource on behalf of itself.
The device flow, or more specifically the device authorization grant from OAuth2, is targeted to devices with very limited user interface, such as televisions, or embedded systems. It uses a device code, a user code, and a verification URL pointing to the identity server. The device flow uses a secondary browser on the same device, or in a different device.
As an administrator of your RH-SSO realms, you must know the most secure way of configuring the authentication flows for the applications that are going to request access to your identity provider.
It is a good practice to disable the flows and grants that are not going to be used, such as a direct access grant, or the implicit flow.
- Server side web application
The traditional web applications use the authorization code flow to obtain an ID token. Then, the applications create an authenticated HTTP session by using that ID token.
Use the authorization code flow with confidential type clients.
- Single-page applications (SPA)
The flow on an SPA depends on the architecture of the application.
If the SPA makes requests to a dedicated API in the same domain name, then it can be treated as a regular server side web application.
If the SPA makes requests to an API in a different domain, then the recommended architecture is to implement an intermediary API to call the external API. If the SPA makes direct requests to the external API, then you can use the authorization code flow with a public client. Thus, the user browser receives the tokens that represent a security risk. To mitigate this risk, Red Hat recommends you use the authorization code flow with public client, plus the Proof Key for Code Exchange (PKCE) extension to the OAuth2 standards. PKCE associates the temporary authorization code with a second verification code, which is stored in the user browser, or device. If somebody stole the temporary code, then the attacker can not use it because only the user browser has the second code.
- REST APIs and services
This type can include services that use gRPC, or WebSockets. REST APIs and services receive requests only with the access or bearer token. In a microservices architecture your developers need to propagate the access token between services invocation.
Figure 3.3: Requests to services propagating the access token.Use the authorization code flow with bearer-only type clients, unless you need the service acting on behalf of itself. Then, use the client credentials grant, called service account in RH-SSO.
Every application that follows the OIDC or SAML standards can control the access by integrating with the RH-SSO realm.
RH-SSO provides adapters to different programming languages to facilitate the applications integration with the RH-SSO identity server. The RH-SSO adapters are software libraries that the application developers can easily install and use in their applications.
The following are supported SAML adapters by RH-SSO:
The Red Hat JBoss Enterprise Application Platform (JBoss EAP) adapters, for securing Java WAR applications running in JBoss EAP.
The servlet filter adapter, for securing Java WAR applications running in other Java application servers.
The
mod_auth_mellonSAML module, for the Apache HTTPD server.
The following are the supported OIDC adapters used by RH-SSO:
The Java adapters, which includes the JBoss EAP, the servlet filter adapter, and the Spring Boot adapter.
The JavaScript adapters, which includes the pure JavaScript adapter for client-side applications, and the Node.js adapter, for server-side applications.
Note
To see the complete information about integrating applications with RH-SSO, refer the developers to the Securing Applications and Services Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/securing_applications_and_services_guide
However, most of the programming frameworks provide their own implementation of the SSO standards. Red Hat recommends you use the existing OIDC or SAML implementations in the different frameworks over the RH-SSO adapters. For example, your developers must use Spring Security over the RH-SSO SpringBoot adapter when using the SpringBoot framework.
References
For more information about Red Hat Single Sign-On SSO protocols, refer to the Red Hat Single Sign-On 7.6 Server Configuration Guide documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html-single/server_administration_guide/index#sso_protocols
For more information about SAML and its issues with single-page applications (SPA), refer to https://www.identityserver.com/articles/why-you-wouldn-t-use-saml-in-a-spa-and-mobile-app
For more information about PKCE extensions refer to the Support for PKCE (Proof Key for Code Exchange) in RH-SSO from Red Hat Knowledgebase at https://access.redhat.com/articles/5266931
Lab Controls
Click CREATE to build all of the virtual machines needed for the classroom lab environment. This may take several minutes to complete. Once created the environment can then be stopped and restarted to pause your experience.
If you DELETE your lab, you will remove all of the virtual machines in your classroom and lose all of your progress.