Guided Exercise: Red Hat Single Sign-On Admin CLI

  • Install and configure the Red Hat Single Sign-On admin CLI.

Outcomes

  • Log in to the RH-SSO Admin CLI.

  • Create realms and users.

  • Assign client roles to users.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start install-kccli

Procedure 2.3. Instructions

  1. On workstation, log in to the sso system as the rhsso user.

    [student@workstation ~]$ ssh rhsso@sso
    ...output omitted...
    [rhsso@sso ~]$
  2. Add the RH-SSO directory to your PATH environment variable so you can use the RH-SSO Admin CLI from any location on your file system.

    [rhsso@sso ~]$ export PATH=$PATH:/opt/rh-sso-7.6/bin
  3. Log in to the RH-SSO Admin CLI as the admin user in the master realm. The CLI stores the token it obtains in ~/.keycloak/kcadm.config and reuses it for the following commands, so protect that file as you would any credential.

    [rhsso@sso ~]$ kcadm.sh config credentials \
      --server https://sso.lab.example.com:8080/auth --realm master --user admin
    Logging into https://sso.lab.example.com:8080/auth as user admin of realm master
    Enter password: redhat
  4. Use the Admin CLI to list all realms, displaying only the realm name.

    [rhsso@sso ~]$ kcadm.sh get realms --fields realm
    [ {
      "realm" : "master"
    }, {
      "realm" : "rhtraining"
    } ]
  5. List the users in the rhtraining realm. The ID for the user might differ in your system.

    [rhsso@sso ~]$ kcadm.sh get users -r rhtraining
    [ {
      "id" : "96c41b1e-4368-4181-af46-efa2e7ba4f1d",
      "username" : "alice",
      "enabled" : true,
      "totp" : false,
      "emailVerified" : false,
      "firstName" : "Alice",
      "lastName" : "Liddel",
      "email" : "alice@keycloak.org",
      "disableableCredentialTypes" : [ ],
      "requiredActions" : [ ],
      "notBefore" : 0,
      "access" : {
        "manageGroupMembership" : true,
        "view" : true,
        "mapRoles" : true,
        "impersonate" : true,
        "manage" : true
      }
    } ]
  6. Create the demo realm.

    [rhsso@sso ~]$ kcadm.sh create realms -s realm=demo -s enabled=true
    Created new realm with id 'demo'
  7. Create the johndoe user in the demo realm. The ID for the user might differ in your system.

    [rhsso@sso ~]$ kcadm.sh create users -r demo -s username=johndoe -s enabled=true
    Created new user with id 'f4a7ba22-c591-4baf-b053-645a5bdd0687'
  8. Update the johndoe user email. Use the user ID from the previous step.

    [rhsso@sso ~]$ kcadm.sh update users/f4a7ba22-c591-4baf-b053-645a5bdd0687 \
      -r demo -s email=johndoe@example.com
  9. Set the password for the johndoe user.

    [rhsso@sso ~]$ kcadm.sh set-password -r demo --username johndoe \
      --new-password redhat
  10. Verify that the johndoe user can start an authenticated session in the demo realm, but cannot retrieve the realm information or list the users in the realm, because the user has no realm-management roles yet.

    1. Log in to the RH-SSO Admin CLI as the johndoe user in the demo realm.

      [rhsso@sso ~]$ kcadm.sh config credentials \
        --server https://sso.lab.example.com:8080/auth --realm demo --user johndoe
      Logging into https://sso.lab.example.com:8080/auth as user johndoe of realm demo
      Enter password: redhat
    2. Retrieve the demo realm information. This command fails because the johndoe user does not have the appropriate permissions.

      [rhsso@sso ~]$ kcadm.sh get realms/demo
      null [unknown_error]
    3. List the users in the demo realm. This command fails because the johndoe user does not have the appropriate permissions.

      [rhsso@sso ~]$ kcadm.sh get users -r demo
      null [unknown_error]
  11. Add the view-realm and view-users roles from the realm-management client to the johndoe user, then retrieve the realm information and list the users in the realm again. These operations now succeed, because the two roles grant the user permission to view the realm information and to list its users.

    1. Log in to the RH-SSO Admin CLI as the admin user in the master realm. Add the view-realm and view-users roles from the realm-management client to the johndoe user.

      [rhsso@sso ~]$ kcadm.sh config credentials \
        --server https://sso.lab.example.com:8080/auth --realm master --user admin
      Logging into https://sso.lab.example.com:8080/auth as user admin of realm master
      Enter password: redhat
      [rhsso@sso ~]$ kcadm.sh add-roles -r demo --uusername johndoe \
        --cclientid realm-management --rolename view-realm --rolename view-users
    2. Log in to the RH-SSO Admin CLI as the johndoe user in the demo realm. Logging in again is required: the roles only take effect in a newly issued token, not in the one obtained before the role assignment. Retrieve the demo realm information and list the users in the realm. The IDs and timestamps might differ in your system.

      [rhsso@sso ~]$ kcadm.sh config credentials \
        --server https://sso.lab.example.com:8080/auth --realm demo --user johndoe
      Logging into https://sso.lab.example.com:8080/auth as user johndoe of realm demo
      Enter password: redhat
      [rhsso@sso ~]$ kcadm.sh get realms/demo
      {
        "id" : "aaa4f976-c6ca-4c38-9810-6ff39feece16",
        "realm" : "demo",
        "notBefore" : 0,
        "defaultSignatureAlgorithm" : "RS256",
        "revokeRefreshToken" : false,
        "refreshTokenMaxReuse" : 0,
        "accessTokenLifespan" : 300,
        "accessTokenLifespanForImplicitFlow" : 900,
      ...output omitted...
      [rhsso@sso ~]$ kcadm.sh get users -r demo
      [ {
        "id" : "f4a7ba22-c591-4baf-b053-645a5bdd0687",
        "createdTimestamp" : 1671104982423,
        "username" : "johndoe",
        "enabled" : true,
        "totp" : false,
        "emailVerified" : false,
        "email" : "johndoe@example.com",
        "disableableCredentialTypes" : [ ],
        "requiredActions" : [ ],
        "notBefore" : 0,
        "access" : {
          "manageGroupMembership" : false,
          "view" : true,
          "mapRoles" : false,
          "impersonate" : false,
          "manage" : false
        }
      } ]
    3. Return to the workstation system as the student user.

      [rhsso@sso ~]$ exit
      logout
      Connection to sso closed.
      [student@workstation ~]$
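The whole procedure above, steps 3 through 11, as a single script. This is an added example, not part of the course material: it assumes kcadm.sh at /opt/rh-sso-7.6/bin, the same server URL, realm and user names as the exercise, and the admin and johndoe passwords in the ADMIN_PASSWORD and JOHNDOE_PASSWORD environment variables. The user_id_for and expect_denied helpers are written here for illustration; they are not part of kcadm.sh. Two kcadm.sh options the exercise does not use do the heavy lifting: --config keeps the admin and johndoe sessions in separate files, so no re-login as admin is needed between steps, and -q username=... looks up the user ID instead of copying it by hand.

```bash
#!/bin/bash
# Added example (not from the course): scripted version of the guided exercise.
# Assumes ADMIN_PASSWORD and JOHNDOE_PASSWORD in the environment.
set -eu

KCADM="${KCADM:-/opt/rh-sso-7.6/bin/kcadm.sh}"
SERVER="${SERVER:-https://sso.lab.example.com:8080/auth}"
REALM=demo
USERNAME=johndoe

# Print the id of an exact username from `kcadm.sh get users --fields id,username`
# output read on stdin. The -q username= query also returns prefix matches
# (johndoe2 would match), so the username field is compared exactly here.
user_id_for() {
  awk -v want="$1" '
    /"id"[[:space:]]*:/       { gsub(/[",]/, "", $3); id = $3 }
    /"username"[[:space:]]*:/ { gsub(/[",]/, "", $3); if ($3 == want) { print id; exit } }
  '
}

# Succeed (return 0) only when the given kcadm command is refused.
# Used to verify that a user without realm-management roles is denied.
expect_denied() {
  if "$@" >/dev/null 2>&1; then
    echo "expected to be denied but succeeded: $*" >&2
    return 1
  fi
}

main() {
  # Separate config files keep the admin and johndoe tokens apart.
  ADMIN_CFG=$(mktemp); USER_CFG=$(mktemp)
  trap 'rm -f "$ADMIN_CFG" "$USER_CFG"' EXIT

  # Step 3: admin session in the master realm. --password avoids the prompt
  # but is visible in the process list, so only use it on a trusted host.
  "$KCADM" config credentials --config "$ADMIN_CFG" --server "$SERVER" \
    --realm master --user admin --password "$ADMIN_PASSWORD"

  # Steps 6 to 9: realm, user, email, password.
  "$KCADM" create realms --config "$ADMIN_CFG" -s realm="$REALM" -s enabled=true
  "$KCADM" create users --config "$ADMIN_CFG" -r "$REALM" \
    -s username="$USERNAME" -s enabled=true
  uid=$("$KCADM" get users --config "$ADMIN_CFG" -r "$REALM" \
          -q username="$USERNAME" --fields id,username | user_id_for "$USERNAME")
  "$KCADM" update "users/$uid" --config "$ADMIN_CFG" -r "$REALM" \
    -s email="$USERNAME@example.com"
  "$KCADM" set-password --config "$ADMIN_CFG" -r "$REALM" \
    --username "$USERNAME" --new-password "$JOHNDOE_PASSWORD"

  # Step 10: johndoe authenticates, but has no realm-management roles yet.
  "$KCADM" config credentials --config "$USER_CFG" --server "$SERVER" \
    --realm "$REALM" --user "$USERNAME" --password "$JOHNDOE_PASSWORD"
  expect_denied "$KCADM" get "realms/$REALM" --config "$USER_CFG"
  expect_denied "$KCADM" get users --config "$USER_CFG" -r "$REALM"

  # Step 11: grant the two read-only roles, then log johndoe in again so the
  # new token carries them. The same two reads now succeed.
  "$KCADM" add-roles --config "$ADMIN_CFG" -r "$REALM" --uusername "$USERNAME" \
    --cclientid realm-management --rolename view-realm --rolename view-users
  "$KCADM" config credentials --config "$USER_CFG" --server "$SERVER" \
    --realm "$REALM" --user "$USERNAME" --password "$JOHNDOE_PASSWORD"
  "$KCADM" get "realms/$REALM" --config "$USER_CFG" --fields realm,enabled
  "$KCADM" get users --config "$USER_CFG" -r "$REALM" --fields username,email
}

# Run the procedure only when invoked as `./script.sh run`, so the helper
# functions can also be sourced and reused on their own.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as ADMIN_PASSWORD=... JOHNDOE_PASSWORD=... ./kcadm-demo.sh run. Because the temporary config files are removed on exit, neither the admin token nor johndoe's token is left behind in ~/.keycloak/kcadm.config, which is a reasonable default for an automation host.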

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-kccli

This concludes the section.

Revision: do313-7.6-bc10333