
Guided Exercise: Customize authentication with Red Hat Single Sign-On

  • Customize Red Hat Single Sign-On to enhance authentication security in the realm.

Outcomes

  • Configure authentication options.

  • Configure password policies for the users.

  • Configure required actions for log in.

  • Manage SSO sessions.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that the RH-SSO realm is configured.

[student@workstation ~]$ lab start auth-customauth

Procedure 3.3. Instructions

  1. Log in as the admin user in the RH-SSO Admin Console.

    1. On the workstation machine, use Firefox to navigate to the RH-SSO web UI URL at https://sso.lab.example.com:8080.

    2. Click Administration Console.

      Log in as the admin user with redhat as the password. By default, the main page shows the Realm Settings menu for the rhtraining realm.

  2. Activate user registration in the rhtraining realm.

    1. From the Configure → Realm Settings menu, click the Login tab.

    2. Set User registration to ON, and then click Save.

      Figure 3.29: User registration field activated.
  3. Log in to finance-webapp and register a new user.

    1. Open a terminal on the workstation machine and change to the ~/DO313/labs/auth-customauth/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/auth-customauth/finance-webapp
    2. From the terminal, compile and run the finance-webapp application.

      [student@workstation finance-webapp]$ mvn quarkus:dev
      [INFO] Scanning for projects...
      [INFO]
      [INFO] ---------------------< com.example:finance-webapp >---------------------
      [INFO] Building finance-webapp 1.0.0-SNAPSHOT
      ...output omitted...
      2023-01-11 03:24:41,361 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
      2023-01-11 03:24:41,362 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, oidc, oidc-client, oidc-token-propagation, qute, reactive-routes, rest-client, rest-client-jackson, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]
      
      
      Tests paused
      Press [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

      Leave the terminal open.

    3. Open a new Firefox window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token.

    4. On the rhtraining realm login page, click Register.

    5. Register the user with the following values.

      Field               Value
      First name          Alice
      Last name           Liddle
      Email               alice@example.com
      Username            alice
      Password            alice
      Confirm Password    alice

      Notice that the username and the password are the same word: the realm currently has no password policy that rejects this.

      Click Register.

      Leave the Firefox window open.

  4. Add password policies to the rhtraining realm.

    1. In the Firefox window with the RH-SSO Admin Console, click Configure → Authentication.

      Then, click the Password Policy tab.

    2. From the Add policy drop-down list, add the following password policies. You must add the policies one at a time.

      • Not Email

      • Uppercase Characters

      • Digits

      • Minimum Length

      Figure 3.30: Password policies.

      Notice that the Digits, Uppercase Characters, and Minimum Length policies each take a numeric parameter: the minimum number of digits, the minimum number of uppercase characters, and the minimum password length. The default values (1, 1, and 8) produce the behavior described in the following steps.

      After adding all the password policies, click Save.

  5. Register a new user from the finance-webapp client.

    1. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token.

    2. On the rhtraining realm login page, click Register.

    3. Register the user with the following values.

      Field               Value
      First name          Robert
      Last name           Liddle
      Email               bob@example.com
      Username            bob
      Password            bob
      Confirm Password    bob

      Click Register. RH-SSO rejects the password bob and reports which policies it violates. Try the following passwords in turn:

      • Bob

      • BobBobBob

      • BobBobBob1

      Only BobBobBob1, which satisfies all four policies, is accepted.

  6. Force the alice user to change the password.

    Password policies are enforced only when a password is set or changed; they are not applied retroactively to passwords that already exist, so alice can still log in with the weak password alice. You can force a user to choose a new password at the next login by configuring a required action just for that user.

    1. In the Firefox window with the RH-SSO Admin Console, click Manage → Users.

      Click View all users, and then click the ID field of the alice user.

    2. In the Required User Actions field, select the Update Password option.

      Then, click Save.

    3. Open a new Chromium Web Browser incognito window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token. Then, log in as the alice user with alice as the password. The RH-SSO login page asks for a new password. Try to change the password to each of the following values:

      • Alice

      • AliceAlice

      • AliceAlice1

      Only the AliceAlice1 password is accepted.
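      The rejections in steps 5 and 6 follow from evaluating each policy independently. The following Python script is an added example, not part of the course material or of RH-SSO itself: it re-implements the four policies from this exercise (plus the Not Username, Lowercase Characters and Special Characters policies that RH-SSO offers in the same drop-down) against a policy string written in the same `name(arg) and name(arg)` syntax that RH-SSO stores in the realm, and runs the constructed candidate passwords from steps 5 and 6 through it. The numeric defaults (1 uppercase, 1 digit, length 8) are assumed.

```python
import re

# Policy string in RH-SSO/Keycloak syntax, matching the four policies added in
# this exercise. The numeric arguments are assumed to be the Admin Console defaults.
REALM_POLICY = "notEmail and upperCase(1) and digits(1) and length(8)"


def parse_policy(policy):
    """Split 'notEmail and upperCase(1) and length(8)' into [(name, arg), ...]."""
    rules = []
    for term in policy.split(" and "):
        m = re.fullmatch(r"\s*(\w+)(?:\((\d+)\))?\s*", term)
        if not m:
            raise ValueError(f"bad policy term: {term!r}")
        rules.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return rules


def check_password(password, username, email, policy=REALM_POLICY):
    """Return the names of the violated policies; an empty list means accepted.

    Every policy is evaluated, so the caller can report all reasons at once,
    the way the RH-SSO registration form does.
    """
    violations = []
    for name, arg in parse_policy(policy):
        if name == "notEmail":
            ok = password.casefold() != email.casefold()
        elif name == "notUsername":
            ok = password.casefold() != username.casefold()
        elif name == "upperCase":
            ok = sum(c.isupper() for c in password) >= arg
        elif name == "lowerCase":
            ok = sum(c.islower() for c in password) >= arg
        elif name == "digits":
            ok = sum(c.isdigit() for c in password) >= arg
        elif name == "specialChars":
            ok = sum(not c.isalnum() for c in password) >= arg
        elif name == "length":
            ok = len(password) >= arg
        else:
            raise ValueError(f"unsupported policy: {name}")
        if not ok:
            violations.append(name)
    return violations


# Constructed input: the passwords tried for bob (step 5) and alice (step 6).
CANDIDATES = {
    "bob": ("bob@example.com", ["bob", "Bob", "BobBobBob", "BobBobBob1"]),
    "alice": ("alice@example.com", ["alice", "Alice", "AliceAlice", "AliceAlice1"]),
}


def accepted_passwords():
    """Map each user to the candidate passwords that pass the realm policy."""
    return {
        user: [p for p in pwds if not check_password(p, user, email)]
        for user, (email, pwds) in CANDIDATES.items()
    }


if __name__ == "__main__":
    for user, (email, pwds) in CANDIDATES.items():
        for p in pwds:
            v = check_password(p, user, email)
            print(f"{user}: {p!r:14} -> {'accepted' if not v else 'rejected: ' + ', '.join(v)}")
```

      Note that nothing in this realm's policy rejects alice as a password for the user alice; only the Not Username policy would, which is why the exercise relies on the Update Password required action rather than on the policy to get rid of that credential.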

  7. Terminate all user sessions.

    1. In the Firefox window with the RH-SSO Admin Console, click Manage → Sessions.

      There are two active sessions from the finance-webapp client application.

    2. Click finance-webapp.

    3. Click Show Sessions.

      Hover over the Show Sessions button and read the warning message.

      Figure 3.31: SSO sessions created from the finance application.
    4. Close all private Firefox windows, and the Chromium Web Browser window.

      Leave open only the RH-SSO Admin Console.

    5. Open a new Firefox window, and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token. Then, log in as the bob user with BobBobBob1 as the password.

    6. In the Firefox window with the RH-SSO Admin Console, navigate back to Manage → Sessions, and click Logout all.

    7. In the Firefox window with the finance web application, click Show my access token again.

      Logout all ends the SSO sessions in the realm, but it does not recall access tokens that were already issued: a token stays valid until it expires. The finance-webapp access token has a lifespan of one minute, so for up to one minute the application still shows the token. After the token expires, the Show my access token link sends you to the login page again.
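      The difference between ending a session and a token expiring is the security-relevant point of step 7, so the following Python script models it. It is an added example, not course material or RH-SSO code: it builds a constructed, unsigned JWT carrying the `exp` and `session_state` claims, then replays the step 7 timeline with a resource server that checks only `exp` locally (the usual stateless behavior, which lets the token outlive Logout all) and with one that additionally checks the realm's live session IDs (an introspection-style check that honours the logout). The session ID, timestamps and the `alg=none` token are all constructed for the example; real RH-SSO tokens are signed and must have their signature verified before any claim is trusted.

```python
import base64
import json

ACCESS_TOKEN_LIFESPAN = 60  # seconds: the one-minute lifespan of the exercise client


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims):
    """Constructed, UNSIGNED (alg=none) JWT for offline illustration only.

    RH-SSO signs its tokens; a resource server must never accept alg=none.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token):
    """Decode the payload. Signature verification against the realm's public key
    is omitted here on purpose; real code must verify before reading claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def accept_bearer(token, now, active_sessions=None):
    """Decide whether a resource server accepts an access token at time `now`.

    active_sessions=None models a stateless server that only checks `exp`.
    Passing the realm's live session IDs models an introspection-style check
    that also rejects tokens whose SSO session was terminated by Logout all.
    """
    claims = token_claims(token)
    if claims["exp"] <= now:
        return False, "expired"
    if active_sessions is not None and claims.get("session_state") not in active_sessions:
        return False, "session terminated"
    return True, "ok"


def logout_all_scenario():
    """Replay step 7: bob logs in, the admin clicks Logout all 10 s later."""
    t_login = 1_700_000_000  # constructed issue time (Unix seconds)
    session_id = "constructed-session-id-bob"
    bob_token = make_unsigned_token({
        "preferred_username": "bob",
        "azp": "finance-webapp",
        "session_state": session_id,
        "iat": t_login,
        "exp": t_login + ACCESS_TOKEN_LIFESPAN,
    })
    sessions = {session_id}  # what the Manage → Sessions page shows
    before_logout = accept_bearer(bob_token, t_login + 5, sessions)
    sessions.clear()  # admin clicks Logout all at t+10
    local_after_logout = accept_bearer(bob_token, t_login + 30)
    introspected_after_logout = accept_bearer(bob_token, t_login + 30, sessions)
    after_expiry = accept_bearer(bob_token, t_login + ACCESS_TOKEN_LIFESPAN + 1)
    return {
        "before_logout": before_logout,
        "local_check_after_logout": local_after_logout,
        "introspected_after_logout": introspected_after_logout,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for stage, (accepted, reason) in logout_all_scenario().items():
        print(f"{stage:28} accepted={accepted} ({reason})")
```

      The scenario is why short access token lifespans matter: a purely local check keeps honouring bob's token for the rest of the minute after Logout all, and only a check against live session state (or token introspection at the server) closes that window earlier.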

  8. (Optional) Force users to configure a One Time Password (OTP).

    If you have a smartphone that can scan QR codes, then continue with this step. Your smartphone needs the Google Authenticator or FreeOTP mobile application.

    1. In the Firefox window with the RH-SSO Admin Console, click Configure → Authentication, and then click the Required Actions tab.

    2. Select the Default Action check box for Configure OTP. Every new user is then required to set up OTP at first login.

      Figure 3.32: Configure OTP as a default action.
    3. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.

      Click Show my access token.

    4. On the rhtraining realm login page, click Register.

    5. Register the user with the following values.

      Field               Value
      First name          John
      Last name           Doe
      Email               john@example.com
      Username            johndoe
      Password            DoeDoeDoe1
      Confirm Password    DoeDoeDoe1

      Click Register.

    6. Use the FreeOTP or Google Authenticator application to scan the QR code, enter the one-time code that the application generates, and follow the on-screen instructions to complete the login as the johndoe user.

      Figure 3.33: QR code to configure OTP.
  9. In the terminal that is running finance-webapp, press Ctrl+C to stop the application.

  10. Close all the browser windows.

  11. In a terminal, change to the /home/student directory.

    [student@workstation finance-webapp]$ cd ~
    [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-customauth

This concludes the section.

Revision: do313-7.6-bc10333