
Explore and Configure the Admin Console

Objectives

  • Explore the features of the Red Hat Single Sign-On web based admin console.

Keycloak Terminology

The three key concepts when discussing RH-SSO are realms, clients, and users.

Users

Users most commonly represent the persons who use your applications. To authenticate them, users must have a set of credentials (for example a password or an OTP) with which they can prove their claimed identity. Users often have attributes such as an email address, a phone number, or similar.

Users are normally assigned to groups, and groups are in turn associated with various roles that symbolically represent a user's set of permissions in the application.

Clients

Clients, often called applications, are the entities that ask RH-SSO to authenticate a user, or that request tokens to call other services on a user's behalf. A client identifies itself to RH-SSO by its client ID and, when it is a confidential client (a server-side application or service), also by its own credentials, such as a client secret. Public clients, such as browser-only or mobile applications, have no credentials of their own.

Realms

Realms are collections of users, their credentials, groups, roles, role assignments, and clients. You can define any number of realms within your RH-SSO system. However, realms are isolated from each other and can only manage and authenticate the users and clients that they control.

In RH-SSO, two types of realms exist:

  • Master realm: RH-SSO automatically creates this realm for you at first start. This realm contains the administrator account that you create at the first login. Red Hat recommends using the Master realm only to create and manage the other realms in your system.

  • Other realms: RH-SSO administrators create these realms from the Master realm. In these realms you manage the users in your organization and the clients that you need. Each realm owns its users and clients; they are not shared with other realms.

You create a realm to provide a management space where you can create users and give them permissions to use clients. At first login, you are typically in the Master realm, the top-level realm from which you create other realms.

When deciding what realms you need, consider the kind of isolation you want to have for your users and clients. For example, you might create a realm for the employees of your company and a separate realm for your customers. Then, employees of your company can log in to internal company websites, whereas customers use the external websites offering services to them.

Figure 2.3: Relationship between realms, clients, and users

Figure 2.3 shows the relationship between realms, clients, and users in RH-SSO. In the Master realm, the Admin user creates and manages other realms. In each of the other realms, the Admin user creates users and clients. The Admin user can also grant realm-management permissions to users in the other realms, so that they can administer that realm themselves.

Configuring your clients with RH-SSO is essentially a set of operations involving:

  • the choice of a realm.

  • making sure the users of your client are visible in that realm.

  • configuring a client representing your application in that realm.

Smaller tasks involving the fine details of realm, user, and client configuration are covered in more detail later in this course.

Red Hat Single Sign-On Admin Console

Similar to other Red Hat products that have fully featured graphical and command-line interfaces, RH-SSO administrators can use whichever tool they prefer. Red Hat recommends the RH-SSO Admin Console, because the graphical interface makes it easier to achieve product competency.

You can do the bulk of your administrative tasks through the RH-SSO Admin Console.

Navigate the Admin Console

If your server is reachable at the localhost URL or at the address that you configured, then use that URL to access the RH-SSO Admin Console. Use your web browser to navigate to the RH-SSO web UI URL (by default http://localhost:8080/auth; the HTTPS listener is on port 8443 when TLS is configured). Then, log in as the admin user with the password that you previously configured.

By default, the main page shows the Configure → Realm Settings menu. The first time you access the Admin Console the Master realm is selected, because it is the only realm in RH-SSO. In the Configure → Realm Settings menu you can configure the Require SSL mode and the realm keys, or control login options, among other parameters.

Figure 2.4: Admin Console Realm Settings menu

You can switch between realms by hovering over the Master realm name in the left menu of your screen and selecting the realm name. You can also create new realms by clicking the Add realm button in the same menu.

Figure 2.5: Admin Console realm selection menu

In the Configure → Clients menu, you can configure the trusted browser applications and web services in a realm, and define client-specific roles.

The Configure → Roles menu allows you to define realm-level roles, which represent the permissions or access levels that you later grant to users and groups, and to choose which roles new users receive by default.

In the Manage → Users menu, you can manage the users in a realm.

The Manage → Events menu displays the saved login events for the realm (related to user accounts), the admin events (related to actions performed through the Admin Console or the Admin REST API), and the configuration options for those events.

When users log in to a realm, RH-SSO maintains a user session for each user and remembers each client visited by the user within the session. Realm administrators can perform multiple actions on user sessions, such as view login statistics for the realm, view active users and where they logged in, log a user out of their session, or revoke user tokens. To see all active sessions in the realm, click Manage → Sessions in the left menu.

The Admin Console provides important information for some of the menu items. To display it, hover over the question mark symbol (?) when it is shown.

Figure 2.6: Admin Console menu information

Create a Realm

You can create new realms from the Master realm. To do this, first log in as the admin user in the Admin Console. Then, hover over the Master realm name in the left menu of your screen and click the Add realm button.

In the Add realm configuration page, you can type the name for the new realm and click Create. You can also import a realm from an existing JSON file.

After you create or import a realm, the main page shows the Configure → Realm Settings menu. The different tabs allow you to configure the realm parameters, for example the login options for the users in the realm, the cryptographic key pairs used to sign tokens, or the web UI appearance.

Import and Export a Realm

You can export or import a realm by using the RH-SSO Admin Console. Exporting a realm by using the RH-SSO Admin Console enables you to export the realm configuration, the groups, the roles, and the clients in the realm. However, you cannot export the realm users by using the RH-SSO Admin Console.

You can also export or import the entire RH-SSO database, including the users, at server boot time by setting system properties. This feature is useful to migrate your whole RH-SSO database from one environment to another, or to migrate to a different database provider.

Note

Exporting and importing the entire RH-SSO database is out of the scope of this course. If you need more information about this feature, then refer to https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_administration_guide/index#assembly-exporting-importing_server_administration_guide

To export a realm, first log in as the admin user in the RH-SSO Admin Console. Then, click the Manage → Export menu. Use the switch buttons to include realm groups, roles, and clients in the export file. Then, click Export to download your realm data as a JSON file.

Warning

RH-SSO masks attributes that contain secrets or private information, such as client secrets, in the export file. Realm files exported from the Admin Console are therefore not suitable for backups or for data transfer between servers without modification. Only boot-time exports are suitable for backups or data transfer between servers.

The following JSON file is an example of a realm exported by using the RH-SSO Admin Console.

{
  "id": "30994549-9ada-4d7e-a8df-96acda9faf55", 1
  "realm": "rhtraining",
  ...output omitted...
  "roles": { 2
    "realm": [
      ...output omitted...
      {
        "id": "2a8717b1-dd28-482b-8ef0-96530de8d701",
        "name": "offline_access",
        "description": "${role_offline-access}",
        "composite": false,
        "clientRole": false,
        "containerId": "30994549-9ada-4d7e-a8df-96acda9faf55",
        "attributes": {}
      },
      ...output omitted...
    ],
    "client": {
      "realm-management": [
        {
          "id": "4a4a1b2f-e47f-454d-aeb0-cc57aa72948e",
          "name": "impersonation",
          "description": "${role_impersonation}",
          "composite": false,
          "clientRole": true,
          "containerId": "df86a657-7005-43a8-b585-8ae7c36c887a",
          "attributes": {}
        },
        ...output omitted...
      ],
      ...output omitted...
    }
  },
  "groups": [], 3
  ...output omitted...
  "clients": [ 4
    {
      "id": "8ce79755-3c7c-483c-88e6-f2106cf7aab2",
      "clientId": "account",
      "name": "${client_account}",
      "rootUrl": "${authBaseUrl}",
      "baseUrl": "/realms/rhtraining/account/",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "client-secret",
      "redirectUris": [
        "/realms/rhtraining/account/*"
      ],
      ...output omitted...
    },
    ...output omitted...
  ],
  ...output omitted...
}

1

Realm configuration parameters such as the realm ID and name.

2

Exported roles, including realm roles and client roles.

3

Exported groups in the realm and their configuration parameters.

4

The list of clients in the realm and their configuration parameters.

To import a realm to RH-SSO, first log in as the admin user in the RH-SSO Admin Console. Then, click the Manage → Import menu. Click Select file and select the realm JSON file. After RH-SSO loads the file, use the switch buttons to configure the import of realm groups, roles, and clients. You can also select the RH-SSO behavior if an imported resource already exists in the database. The three options are:

  • Fail: If a resource already exists in the database, then RH-SSO stops the import.

  • Skip: If a resource already exists in the database, then RH-SSO skips that resource and continues importing the rest of the file.

  • Overwrite: If a resource already exists in the database, then RH-SSO replaces it with the version from the imported file.

Finally, click Import to import the realm to RH-SSO.

If you import a realm by using the Admin Console, then you can overwrite existing resources. Use this feature with caution, especially on a production server. Note that JSON files obtained by exporting realms from the Admin Console are not appropriate for direct import, because the secret values in them are masked. You can, however, replace the masked values with the real secrets before importing the file.

Furthermore, the exported JSON files show you all the fields, and their values, that RH-SSO resources use. You can use those fields to configure the same resources with automated tools, such as the kcadm.sh CLI tool, the Admin REST API, or the custom resources (YAML files) used by the RH-SSO operator.
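The following script is an added example (not part of this course or of the RH-SSO product) that checks a realm file exported from the Admin Console before you import it somewhere else. It reports the masked client secrets that the warning above describes, flags a few weak realm and client settings that a reviewer would want to catch in the JSON, and replaces the masked secrets from a mapping that you supply out of band. The masked marker `**********`, the sample realm, and the exact set of checks are assumptions of this example, not documented behavior of the product.

```python
"""Audit a realm JSON exported from the RH-SSO Admin Console before importing it."""
import copy
import json
from typing import Dict, List

# Placeholder that the Admin Console export writes instead of a secret
# (assumed here; confirm against your own export file).
MASKED = "**********"

# Constructed sample modelled on the export shown above; not a real export.
SAMPLE_EXPORT = json.dumps({
    "realm": "rhtraining",
    "sslRequired": "none",
    "bruteForceProtected": False,
    "clients": [
        {"clientId": "account", "publicClient": True, "enabled": True,
         "redirectUris": ["/realms/rhtraining/account/*"], "webOrigins": []},
        {"clientId": "orders-api", "publicClient": False, "enabled": True,
         "clientAuthenticatorType": "client-secret", "secret": MASKED,
         "directAccessGrantsEnabled": True, "serviceAccountsEnabled": True,
         "redirectUris": ["https://orders.example.com/*", "*"], "webOrigins": ["*"]},
        {"clientId": "mobile", "publicClient": True, "enabled": True,
         "directAccessGrantsEnabled": True,
         "redirectUris": ["http://localhost:3000/callback"], "webOrigins": ["+"]},
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_EXPORT)


def find_masked_secrets(realm: dict) -> List[str]:
    """Return the clientIds whose secret was masked by the console export."""
    return [c["clientId"] for c in realm.get("clients", []) if c.get("secret") == MASKED]


def audit_realm(realm: dict) -> List[str]:
    """Return one finding per weak realm or client setting found in the export."""
    findings = []
    name = realm.get("realm", "?")
    if realm.get("sslRequired", "external") not in ("external", "all"):
        findings.append(f"realm {name}: sslRequired={realm.get('sslRequired')}")
    if not realm.get("bruteForceProtected", False):
        findings.append(f"realm {name}: brute force detection disabled")
    for c in realm.get("clients", []):
        cid = c["clientId"]
        if c.get("secret") == MASKED:
            findings.append(f"client {cid}: secret is masked, replace it before import")
        for uri in c.get("redirectUris", []):
            # A bare wildcard or a plain-HTTP redirect target (outside localhost)
            # lets an attacker receive authorization codes or tokens.
            if uri == "*" or (uri.startswith("http://") and "localhost" not in uri):
                findings.append(f"client {cid}: risky redirect URI {uri!r}")
        if "*" in c.get("webOrigins", []):
            findings.append(f"client {cid}: CORS allowed origin '*'")
        if c.get("publicClient") and c.get("directAccessGrantsEnabled"):
            findings.append(f"client {cid}: public client with direct access grants (password flow)")
    return findings


def restore_secrets(realm: dict, secrets: Dict[str, str]) -> dict:
    """Return a copy of the realm with masked client secrets replaced from `secrets`."""
    fixed = copy.deepcopy(realm)
    for c in fixed.get("clients", []):
        if c.get("secret") == MASKED:
            if c["clientId"] not in secrets:
                raise KeyError(f"no secret supplied for client {c['clientId']}")
            c["secret"] = secrets[c["clientId"]]
    return fixed


if __name__ == "__main__":
    realm = load_sample()
    for line in audit_realm(realm):
        print(line)
    importable = restore_secrets(realm, {"orders-api": "replace-with-real-secret"})
    print("masked secrets left:", find_masked_secrets(importable))
```

Run it against a real export with `json.load(open("realm-export.json"))` in place of `load_sample()`; keep the secrets mapping in a vault or environment variable, never in the export file you check in.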

Create a User

When people interact with your applications and must log in to do so, you need to create users for them. A user entity has:

  • Information: Data to identify a user, for example, name, surname, or email address.

  • Credentials: A way to verify the user identity, for example, a password or a one-time password (OTP).

  • Attributes: Extended user information required to use the applications, provided as key-value pairs.

You can create users locally in the realm by saving them in the RH-SSO database, or you can import them from an external identity provider. Another way to manage users is to federate an external user store, such as an LDAP directory or Red Hat Identity Management (IdM). This section covers only how to create users in the RH-SSO local database. The other ways to manage users are covered in more detail later in this course.

To create a user in the realm, click Manage → Users. Then, click Add user. The Add user configuration screen appears, where you can enter the details for the new user. Note that the username is the only required field. Click Save to create the user.

After you create the user, the user configuration page appears. In the Credentials tab you can set a limited set of credential types for the user, mainly a password, which you can mark as temporary so that the user must change it at first login. Users should manage their other credential types, such as OTP, themselves.

In the Sessions tab, you can verify the clients that the user is logged into. Then, you can log out the user from a specific client or log out from all the client sessions.

Create a Client

Clients are entities that can request authentication of a user. Clients come in two forms. The first type is an application that wants RH-SSO to secure its logins, for example a web application. The second type is one that requests an access token so that it can invoke other services on behalf of the authenticated user.

Clients use one of two standard protocols: OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) 2.0. To create a client, click Create in the Configure → Clients menu. The Add Client page appears, where you must provide a client ID and select the client protocol, openid-connect or saml. Click Save to create the client. Client configuration parameters are covered in more detail later in this course.
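The user and client creation steps above can also be scripted against the Admin REST API that the console itself uses. The following is an added example, not part of this course or of the product: it logs in with the same password grant on the built-in `admin-cli` client that kcadm.sh uses, creates a user with a temporary password, creates a confidential OIDC client with the browser flow only, and reads back the generated client secret. The `FakeServer` class, the realm name `rhtraining`, the user and client names, and the server URL are constructed for the example so that it runs offline; replace the fake transport with the default `urllib_transport` to talk to a real server.

```python
"""Create a user and a confidential OIDC client through the RH-SSO Admin REST API."""
import json
import urllib.error
import urllib.parse
import urllib.request

# A transport is any callable (method, url, headers, body) -> (status, headers, body).


def urllib_transport(method, url, headers, body):
    """Default transport: plain HTTP(S) via urllib, returning error bodies instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def _header(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


class AdminApi:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")  # e.g. http://localhost:8080/auth
        self.transport = transport
        self.token = None

    def login(self, username, password, realm="master"):
        # Same flow kcadm.sh "config credentials" uses: password grant on admin-cli.
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        url = f"{self.base_url}/realms/{realm}/protocol/openid-connect/token"
        status, _, data = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"login failed: {status} {data[:200]!r}")
        self.token = json.loads(data)["access_token"]

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = None if payload is None else json.dumps(payload).encode()
        status, hdrs, data = self.transport(method, f"{self.base_url}/admin/realms{path}", headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status} {data[:200]!r}")
        return hdrs, data

    def create_user(self, realm, username, email, temp_password):
        hdrs, _ = self._call("POST", f"/{realm}/users",
                             {"username": username, "email": email, "enabled": True})
        user_id = _header(hdrs, "Location").rsplit("/", 1)[1]  # server returns the new id
        # Temporary password: RH-SSO forces a change at the user's first login.
        self._call("PUT", f"/{realm}/users/{user_id}/reset-password",
                   {"type": "password", "value": temp_password, "temporary": True})
        return user_id

    def create_confidential_client(self, realm, client_id, redirect_uris):
        spec = {"clientId": client_id, "protocol": "openid-connect", "enabled": True,
                "publicClient": False, "clientAuthenticatorType": "client-secret",
                "standardFlowEnabled": True, "implicitFlowEnabled": False,
                "directAccessGrantsEnabled": False,  # no password grant for a web app
                "redirectUris": redirect_uris, "webOrigins": ["+"]}
        hdrs, _ = self._call("POST", f"/{realm}/clients", spec)
        uuid = _header(hdrs, "Location").rsplit("/", 1)[1]
        _, data = self._call("GET", f"/{realm}/clients/{uuid}/client-secret")
        return uuid, json.loads(data)["value"]


class FakeServer:
    """Constructed stand-in for an RH-SSO server: records requests, returns canned replies."""
    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url, headers, body))
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {}, b'{"access_token": "fake-token"}'
        if method == "POST" and url.endswith("/users"):
            return 201, {"Location": url + "/1111-user"}, b""
        if method == "PUT" and url.endswith("/reset-password"):
            return 204, {}, b""
        if method == "POST" and url.endswith("/clients"):
            return 201, {"Location": url + "/2222-client"}, b""
        if method == "GET" and url.endswith("/client-secret"):
            return 200, {}, b'{"type": "secret", "value": "generated-secret"}'
        return 404, {}, b""


def demo():
    """Run the whole procedure against the fake server and return what it produced."""
    server = FakeServer()
    api = AdminApi("http://localhost:8080/auth", server)
    api.login("admin", "admin-password")
    user_id = api.create_user("rhtraining", "alice", "alice@example.com", "Temp!Pass1")
    uuid, secret = api.create_confidential_client(
        "rhtraining", "orders-web", ["https://orders.example.com/*"])
    return {"user_id": user_id, "client_uuid": uuid, "secret": secret, "calls": len(server.requests)}


if __name__ == "__main__":
    print(demo())
```

Two details are deliberate: the client is created with the password grant disabled, because a web application never needs it, and the redirect URI is a concrete HTTPS prefix rather than `*`. Treat the returned secret as you would any credential; it is shown once here only so that it can be handed to the application's configuration.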

References

For more information about creating and managing realms, users, and clients through the RH-SSO Admin Console, refer to the Server Administration Guide documentation at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_administration_guide/index

Revision: do313-7.6-bc10333