Guided Exercise: Federating Users with Red Hat Single Sign-On

  • Federating user identities from LDAP servers.

Outcomes

  • Add an LDAP user federation provider to federate IdM.

  • Synchronize users between RH-SSO and IdM.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start identity-federation

Procedure 4.1. Instructions

  1. Log in as the admin user in the RH-SSO Admin Console.

    1. On the workstation machine, use Firefox to navigate to the RH-SSO web UI URL at https://sso.lab.example.com:8080.

    2. Click Administration Console. Log in as the admin user with redhat as the password. By default, the main page shows the Realm Settings menu for the rhtraining realm.

  2. Verify the users for the rhtraining realm.

    1. Click Manage → Users.

    2. Click View all users.

    3. Verify only alice is a user in the rhtraining realm.

  3. Verify the users on IdM.

    1. Open a new Firefox tab and navigate to the IdM web UI URL at https://idm.ocp4.example.com.

    2. Log in as the admin user with r3dh4t12342022 as the password. By default, the main page shows the Active users menu.

    3. Verify jsmith is an active user on IdM by looking at the enabled users.

  4. Run the finance-webapp application and test the jsmith user authentication.

    1. Open the terminal application on the workstation machine and change to the ~/DO313/labs/identity-federation/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/identity-federation/finance-webapp

    2. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn install && \
        java -jar target/quarkus-app/quarkus-run.jar
      ...output omitted...
      2023-01-18 05:39:03,454 INFO  [io.quarkus] (main) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.0.Final) started in 2.358s. Listening on: http://0.0.0.0:8080
      2023-01-18 05:39:03,457 INFO  [io.quarkus] (main) Profile prod activated.
      2023-01-18 05:39:03,457 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, qute, reactive-routes, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

      Leave the terminal open.

    3. Open a new Firefox private window and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token. Try to log in with the jsmith user, with redhat as the password. The authentication fails because the jsmith user is present in IdM, but it is not present in RH-SSO.

    4. Close the window.

  5. Add an LDAP user federation provider to federate IdM.

    1. Change to the RH-SSO tab on Firefox. Click Configure → User Federation. Click Add provider and select ldap.

    2. First, set the Vendor parameter so that the remaining fields are automatically populated with their default values. Then, fill in the user federation provider parameters as in the following table. Keep the other parameters at their defaults.

      Parameter              Value
      ---------------------  ---------------------------------------------------------
      Console Display Name   LDAP IdM
      Import Users           ON
      Edit Mode              READ_ONLY
      Vendor                 Red Hat Directory Server
      UUID LDAP attribute    ipaUniqueID
      Connection URL         ldap://idm.ocp4.example.com
      Users DN               cn=users,cn=accounts,dc=ocp4,dc=example,dc=com
      Bind DN                uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com
      Bind Credential        r3dh4t12342022

      Click Test connection to verify the connection to the LDAP server. Click Test authentication to verify the credentials for the admin user in the LDAP server. Then, scroll down and click Save.

    3. Click Synchronize all users. A pop-up shows that one user is imported to RH-SSO.

  6. Verify the jsmith user is present in the rhtraining realm.

    1. Click Manage → Users.

    2. Verify there are two users in the rhtraining realm: alice and jsmith.

    3. Click the jsmith user. Verify that the First Name field is not correctly imported: it should be Jane.

  7. Modify the User Federation mappers to correctly import the first name from IdM.

    1. Click Configure → User Federation. Click LDAP IdM.

    2. Click the Mappers tab. Click the first name mapper.

    3. Modify the LDAP Attribute field to givenname, because cn stands for complete name. Click Save.

    4. Update the user fields. Click Configure → User Federation. Click LDAP IdM. Click Synchronize all users. A pop-up shows that one user is updated.

    5. Verify the first name for the jsmith user is correct. Click Manage → Users. Click the ID field for the jsmith user. Verify that the First Name field is correctly imported.

  8. Test the jsmith user authentication on the finance-webapp application.

    1. Open a new Firefox private window and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token.

    2. Try to log in with the jsmith user, with redhat as the password. The authentication succeeds because the jsmith user is present in the rhtraining realm in RH-SSO.

    3. Close the window.

    4. Change to the terminal window and close the application by pressing Ctrl+C. Change to the student user home directory.

      [student@workstation finance-webapp]$ cd
      [student@workstation ~]$

  9. Try to modify the jsmith user data through the Admin Console and the Account Console.

    1. In the jsmith user details screen, change the first name to Jane Q. Click Save. A pop-up shows an error because the user is read only.

    2. Open a new Firefox private window and navigate to the user Account Console at https://sso.lab.example.com:8080/auth/realms/rhtraining/account. Click Sign in. Log in with the jsmith user, with redhat as the password.

    3. Navigate to the Personal info menu. Change the first name to Jane Q. Click Save. A pop-up shows an error because the user is read only.

  10. Change the LDAP User Federation edit mode to UNSYNCED. Try again to modify the first name of the jsmith user.

    1. Change to the RH-SSO tab on Firefox. Click Configure → User Federation. Click LDAP IdM.

    2. Change the Edit Mode field to UNSYNCED. Click Save.

    3. Change to the Account Console private window on Firefox. Change the first name to Jane Q. Click Save. It succeeds now. Close the window.

    4. Change to the RH-SSO tab on Firefox. Click Manage → Users. Click the ID field for the jsmith user. Verify that the First Name field is now Jane Q in RH-SSO.

  11. Verify that the first name for the jsmith user is not updated on IdM.

    1. Change to the IdM tab on Firefox.

    2. Click the jsmith user.

    3. Verify the First name field for the jsmith user is Jane.

  12. Change the LDAP User Federation edit mode to WRITABLE to update the jsmith user first name on IdM.

    1. Change to the RH-SSO tab on Firefox.

    2. Click Configure → User Federation. Click LDAP IdM.

    3. Change the Edit Mode field to WRITABLE. Click Save.

    4. Click the Mappers tab and click first name.

    5. Set the Read Only and Always Read Value From LDAP parameters to OFF. Click Save.

    6. Click Configure → User Federation. Click LDAP IdM and click Synchronize all users. This action restores the first name for the jsmith user to the value on IdM.

    7. Open a new Firefox private window and navigate to the user Account Console at https://sso.lab.example.com:8080/auth/realms/rhtraining/account. Click Sign in. Log in with the jsmith user, with redhat as the password.

    8. Navigate to the Personal info menu. Change the first name to Jane Q. Click Save.

    9. Change to the IdM tab on Firefox. In the jsmith user Settings tab, click Refresh. The First name field is updated to Jane Q.

  13. Close all the Firefox tabs and windows.
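The following is an added example and is not part of the DO313 exercise or of the RH-SSO/Keycloak code base. It is an offline Python model of what steps 5 to 12 observe through the consoles: the first name mapper decides which LDAP attribute (cn or givenname) fills the First Name field, Synchronize all users overwrites local values with LDAP values, and the Edit Mode decides whether an edit is rejected (READ_ONLY), kept only in RH-SSO (UNSYNCED) or written through to IdM (WRITABLE). The rule that a mapper marked Read Only is not saved back to LDAP, and that Always Read Value From LDAP makes reads bypass the local copy, follows the documented meaning of those two mapper options. The IdM entry, its attribute values, the ipaUniqueID placeholder and all class and function names are constructed for this example.

```python
"""Offline model of an RH-SSO LDAP user federation provider (added example)."""
import copy
from dataclasses import dataclass

# Constructed stand-in for the IdM entry under the exercise's Users DN.
# The ipaUniqueID value is a placeholder, not a real IdM identifier.
USERS_DN = "cn=users,cn=accounts,dc=ocp4,dc=example,dc=com"
IDM_DIRECTORY = {
    f"uid=jsmith,{USERS_DN}": {
        "uid": "jsmith",
        "ipaUniqueID": "PLACEHOLDER-UUID",
        "cn": "Jane Smith",   # full name: the wrong source for First Name
        "givenName": "Jane",  # first name: the right source
        "sn": "Smith",
        "mail": "jsmith@example.com",
    },
}


@dataclass
class Mapper:
    """User-attribute mapper: which LDAP attribute fills one RH-SSO field."""
    ldap_attribute: str
    read_only: bool = True              # default of the exercise's first name mapper
    always_read_from_ldap: bool = True  # default of the exercise's first name mapper


class ReadOnlyError(Exception):
    """Raised where the Admin or Account Console shows 'user is read only'."""


class LdapFederationProvider:
    def __init__(self, directory, mappers, edit_mode="READ_ONLY"):
        self.directory = directory  # the federated LDAP server (IdM)
        self.mappers = mappers      # RH-SSO field -> Mapper
        self.edit_mode = edit_mode  # READ_ONLY, UNSYNCED or WRITABLE
        self.realm_users = {}       # users imported into the realm, by username

    @staticmethod
    def _key(entry, name):
        # LDAP attribute names are case-insensitive: 'givenname' matches 'givenName'.
        return next((k for k in entry if k.lower() == name.lower()), None)

    def _entry(self, username):
        return next(e for e in self.directory.values() if e["uid"] == username)

    def synchronize_all_users(self):
        """'Synchronize all users': returns (imported, updated) as the pop-up reports."""
        imported = updated = 0
        for entry in self.directory.values():
            user = {f: entry.get(self._key(entry, m.ldap_attribute))
                    for f, m in self.mappers.items()}
            name = user["username"]
            if name not in self.realm_users:
                imported += 1
            elif self.realm_users[name] != user:
                updated += 1
            self.realm_users[name] = user  # LDAP values overwrite local edits
        return imported, updated

    def get_attribute(self, username, field):
        """Read a field as the consoles display it."""
        m = self.mappers[field]
        if self.edit_mode != "UNSYNCED" and m.always_read_from_ldap:
            entry = self._entry(username)
            return entry.get(self._key(entry, m.ldap_attribute))
        return self.realm_users[username][field]

    def set_attribute(self, username, field, value):
        """Edit a field from the Admin or Account Console."""
        if self.edit_mode == "READ_ONLY":
            raise ReadOnlyError("user is read only")
        m = self.mappers[field]
        if self.edit_mode == "WRITABLE" and not m.read_only:
            entry = self._entry(username)
            key = self._key(entry, m.ldap_attribute) or m.ldap_attribute
            entry[key] = value  # write through to IdM
        self.realm_users[username][field] = value


def make_provider(first_name_attr="cn", edit_mode="READ_ONLY"):
    """Provider over a private copy of the constructed directory."""
    mappers = {"username": Mapper("uid"), "first name": Mapper(first_name_attr),
               "last name": Mapper("sn"), "email": Mapper("mail")}
    return LdapFederationProvider(copy.deepcopy(IDM_DIRECTORY), mappers, edit_mode)


def idm_first_name(provider):
    """What the IdM web UI would show in the First name field."""
    return provider._entry("jsmith")["givenName"]


if __name__ == "__main__":
    p = make_provider("cn")
    print(p.synchronize_all_users(), p.get_attribute("jsmith", "first name"))  # (1, 0) Jane Smith
    p.mappers["first name"].ldap_attribute = "givenname"
    print(p.synchronize_all_users(), p.get_attribute("jsmith", "first name"))  # (0, 1) Jane
    p.edit_mode = "UNSYNCED"
    p.set_attribute("jsmith", "first name", "Jane Q")
    print(p.get_attribute("jsmith", "first name"), idm_first_name(p))          # Jane Q Jane
    p.edit_mode = "WRITABLE"
    p.synchronize_all_users()                                                  # restores Jane
    p.mappers["first name"].read_only = p.mappers["first name"].always_read_from_ldap = False
    p.set_attribute("jsmith", "first name", "Jane Q")
    print(p.get_attribute("jsmith", "first name"), idm_first_name(p))          # Jane Q Jane Q
```

The model makes two points that the click-through hides. A synchronization is a one-way copy from LDAP into the realm, so any UNSYNCED edit survives only until the next Synchronize all users. And in WRITABLE mode an edit to a field whose mapper is still Read Only lands only in the realm database; with Always Read Value From LDAP still on, the consoles keep showing the IdM value, so the edit appears to vanish, which is why step 12 turns both options off before editing.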

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish identity-federation

This concludes the section.

Revision: do313-7.6-bc10333