Red Hat Single Sign-On (RH-SSO) is an Identity and Access Management (IaM) tool. RH-SSO is the productized version of the Keycloak open source project.
RH-SSO provides single sign-on and session management, and enables users to authenticate once and then access multiple secured applications without having to re-authenticate each time.
The applications that integrate with RH-SSO delegate user authentication to the IaM system. Thus, the applications get the benefits of the centralized tool.
Some of the benefits for applications that use RH-SSO include the following:
Central management of the store for the users and the passwords
Strong authentication mechanisms
Implementation of common features in identity management, such as user registration, recovery or change of passwords, or two-factor authentication
Customizable login pages
The applications can use the preceding IaM features without modifying any business logic.
Other chapters in this course provide additional details on the RH-SSO features.
RH-SSO is a Java application that runs on top of Red Hat JBoss Enterprise Application Platform (EAP). You can also choose to deploy the solution on Red Hat OpenShift Container Platform by using the Red Hat Single Sign-On templates for OpenShift, or the RH-SSO operator.
RH-SSO uses a relational database to store all its data. Although RH-SSO comes with an internal database for testing purposes, you must deploy an external database, such as PostgreSQL or MariaDB, for production.
The following diagram represents an RH-SSO installation and its architecture in relation to other identity systems.
Administrators configure RH-SSO by using the Admin Console or the command-line interface (CLI). One of the first administration tasks, after creating the initial administrator account, is to create realms. Because you can deploy a single RH-SSO instance for several projects, applications, and organizations, RH-SSO uses realms to isolate the configuration of these entities. Each realm has its own set of user accounts, administrator accounts, applications, and SSO configuration.
RH-SSO supports the following industry standards for implementing SSO in web environments.
SAML governs the interactions between the user, the service provider, usually a web application, and the IaM system. It uses XML messages for data exchange, and relies on the HTTP/HTTPS protocols. SAML is widely deployed in enterprises but is less often used for internet services. SAML is more complex to implement than the newer OAuth2 and OpenID Connect standards.
The OAuth2 standard focuses on the authorization flow between the parties. It relies on the HTTP/HTTPS protocols, and is broadly deployed for internet services and web applications. Although some application developers use OAuth2 for authenticating users, the OAuth Working Group did not design the standard for that purpose. As a consequence, some poor implementations have led to security issues. The newer OpenID Connect standard adds that missing secured identity layer on top of OAuth2.
OIDC governs the interactions between the end-user, the relying party, usually a web application, and the IaM system. It requires the use of the HTTPS protocol and relies on signature mechanisms to validate the originator of the messages. You can use OIDC for both user authentication and authorization.
Both OAuth2 and OIDC rely on JSON Web Token (JWT). JWT is a standard that defines a secure way to exchange data between parties. The data, in the JSON format, is signed to guarantee its origin and its authenticity. It is also encoded in Base64 to facilitate transmission over HTTP/HTTPS.
For example, OIDC uses the JWT standard for the ID tokens. Applications use ID tokens to confirm that users are authenticated. An ID token might include additional information that the user consents to share with the application, such as the user's name, the email address, or other personal data.
RH-SSO supports several methods for authenticating the users in a realm.
When you select password authentication, you can define a policy to enforce some password criteria, such as the number of characters per class, password expiration, or a password deny list.
For improved security, in addition to a password, you can ask your users to provide a second authentication factor. OTP can provide that second authentication method.
OTP is a password that is valid for a limited period of time. Users run the FreeOTP or Google Authenticator mobile application to generate that password each time they log in.
WebAuthn is a World Wide Web Consortium (W3C) standard that defines mechanisms for authenticating users to applications in a web environment.
Authentication does not use passwords but instead relies on a device owned by the user. Some compatible devices include a biometric component, such as a smartphone with a fingerprint reader. Other devices, such as YubiKeys from the Yubico company, require the user to use Near-Field Communication (NFC) or to plug the device into a USB port.
By using Kerberos, the credentials that the users enter to log in to their workstations are transparently reused when accessing SSO applications.
The user's web browser and the RH-SSO system perform a mutual X.509 certificate validation. If the client certificate is valid, then the authentication is successful. This authentication method requires that each user owns a valid X.509 client certificate.
RH-SSO also supports single sign-out, which enables users to log out once to be logged out from all the SSO applications.
RH-SSO can store user accounts in its relational database but can also connect to a Microsoft Active Directory or a Lightweight Directory Access Protocol (LDAP) system, such as Red Hat Identity Management. In other words, RH-SSO federates users from different IaM systems.
In addition, RH-SSO can act as an identity broker by relaying OIDC or SAML connections to another IaM system.
You can also configure an RH-SSO realm to enable login through social networks, such as Google, GitHub, Facebook, or Twitter.
An RH-SSO deployment comes with two web consoles.
By using the Account Console, users can manage their profile, change their password, or activate their two-factor authentication configuration.
Realm users access the Account Console at https://server-url/auth/realms/realm-name/account
Administrators access the Admin Console to manage all aspects of the RH-SSO configuration. A super administrator, who has full management rights, can delegate the management of each realm to realm administrators.
These realm administrators have a special view of the console that only grants them access to their realm.
Realm administrators access their Admin Console at https://server-url/auth/admin/realm-name/console
The Admin Console for the master realm is available at https://server-url/auth/admin
Super administrators use the master realm to control all the other realms.
For administration tasks, RH-SSO also includes a command-line interface (CLI) and a Representational State Transfer Application Programming Interface (REST API).
Administrators can choose a theme to customize the RH-SSO web pages for a better integration with the organization's applications and branding. For each realm, you can customize the end-user facing pages, such as the login page or the Account Console.
Internationalization options are also available so that users can select their language for the web pages.
RH-SSO comes with a few themes, but you can create custom themes for your organization. Each theme is a directory on the RH-SSO system. To add a new theme, you create a directory and then store your theme artifacts in that directory, such as HTML templates, images, or Cascading Style Sheets (CSS).
Because RH-SSO relies on industry standards, developers can use the available libraries for their applications. Libraries for SAML, OAuth2, and OIDC exist for the most popular programming languages, such as Python, Java, JavaScript, Node.js, PHP, .NET, or Ruby.
Red Hat provides alternative libraries, or adapters, to simplify development and for a better integration with RH-SSO. For SAML, RH-SSO comes with a Java adapter for JBoss EAP. For OAuth2 and OIDC, RH-SSO comes with Java, JavaScript, and Node.js adapters.
For more information about RH-SSO features, end-user authentication methods, and the Account Console, refer to the Red Hat Single Sign-On 7.6 Server Administration Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_administration_guide/index
For more information about themes, refer to the Themes chapter in the Red Hat Single Sign-On 7.6 Server Developer Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_developer_guide/index#themes
For more information about developing SSO applications, refer to the Red Hat Single Sign-On 7.6 Securing Applications and Services Guide at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/securing_applications_and_services_guide/index