Lab: Identity Brokering and User Federation

  • Configure RH-SSO to secure applications from multiple identity providers, by using user federation and social logins.

Outcomes

  • Add Red Hat Identity Management (IdM) as an LDAP user federation provider in RH-SSO.

  • Synchronize users between RH-SSO and IdM.

  • Add Red Hat OpenShift as an identity provider in RH-SSO.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start identity-review

Procedure 4.3. Instructions

  1. Run the finance-webapp application and test the jsmith user authentication. The password for the jsmith user is redhat.

    You can find the application in the ~/DO313/labs/identity-review/finance-webapp directory. Run the application by using the mvn install && java -jar target/quarkus-app/quarkus-run.jar command. The finance web application URL is http://localhost:8080/finance.

    The user authentication fails because the user exists in IdM but not in RH-SSO.

    1. Open the terminal application on the workstation machine and change to the ~/DO313/labs/identity-review/finance-webapp directory.

      [student@workstation ~]$ cd ~/DO313/labs/identity-review/finance-webapp
    2. From the terminal, compile and run the application.

      [student@workstation finance-webapp]$ mvn install && \
        java -jar target/quarkus-app/quarkus-run.jar
      ...output omitted...
      2023-01-18 05:39:03,454 INFO  [io.quarkus] (main) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.0.Final) started in 2.358s. Listening on: http://0.0.0.0:8080
      2023-01-18 05:39:03,457 INFO  [io.quarkus] (main) Profile prod activated.
      2023-01-18 05:39:03,457 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, qute, reactive-routes, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

      Leave the terminal open.

    3. Open a Firefox tab and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token. Try to log in as the jsmith user with redhat as the password. The authentication fails because the jsmith user exists in IdM but not in RH-SSO.

    4. Close the tab.

  2. Add an LDAP user federation provider to federate IdM. The RH-SSO web UI URL is https://sso.lab.example.com:8080 and you can log in as the admin user with redhat as the password.

    Create the LDAP IdM user federation provider with the following parameters. RH-SSO must be able to modify the user attributes and synchronize them back to IdM, which is why the edit mode is WRITABLE.

    Parameter               Value
    Console Display Name    LDAP IdM
    Edit Mode               WRITABLE
    Vendor                  Red Hat Directory Server
    UUID LDAP attribute     ipaUniqueID
    Connection URL          ldap://idm.ocp4.example.com
    Users DN                cn=users,cn=accounts,dc=ocp4,dc=example,dc=com
    Bind DN                 uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com
    Bind Credential         r3dh4t12342022

    Test the jsmith user authentication in the finance-webapp application. It should succeed now.

    1. On the workstation machine, use Firefox to navigate to the RH-SSO web UI URL at https://sso.lab.example.com:8080.

    2. Click Administration Console. Log in as the admin user with redhat as the password. By default, the main page shows the Realm Settings menu for the rhtraining realm.

    3. Click Configure → User Federation. Click Add provider… and select ldap.

    4. Complete the user federation provider parameters with the values from the previous table. Scroll down and then click Save.

    5. Click Synchronize all users. A pop-up shows that one user is imported to RH-SSO.

    6. Open a new Firefox private window and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token. Try to log in as the jsmith user with redhat as the password. The authentication must succeed.

    7. Close the tab.

  3. In RH-SSO, verify that the First Name field for the jsmith user is imported incorrectly: it shows Jane Smith, but it should be Jane.

    Modify the User Federation mappers to correctly import the first name from IdM. The IdM web UI URL is https://idm.ocp4.example.com and you can log in as the admin user with r3dh4t12342022 as the password.

    1. Open a new Firefox tab and navigate to the IdM web UI URL at https://idm.ocp4.example.com.

    2. Log in as the admin user with r3dh4t12342022 as the password. By default, the main page shows the Active users menu.

    3. Verify that jsmith is an active user on IdM by looking at the enabled users.

    4. Verify that the first name for the jsmith user is Jane.

    5. Change to the RH-SSO Firefox tab.

    6. Click Manage → Users. Click View all users.

    7. Click the jsmith user ID. Verify that the First Name field is imported incorrectly: it shows Jane Smith, but it must be Jane.

    8. Modify the User Federation mappers to correctly import the first name from IdM. Click Configure → User Federation. Click LDAP IdM.

    9. Click the Mappers tab. Click the first name mapper.

    10. Modify the LDAP Attribute field to givenname. Click Save.

    11. Update the user fields. Click Configure → User Federation. Click LDAP IdM. Click Synchronize all users. A pop-up shows that one user is updated.

    12. Verify that the first name for the jsmith user is correct. Click Manage → Users. Click the ID field for the jsmith user. Verify that the First Name field is now imported correctly.

  4. In RH-SSO, update the jsmith user first name to Jane Q. Update the email to jsmith@redhat.com. Verify that both fields update in IdM.

    1. In the jsmith user screen from Manage → Users, change the first name to Jane Q. Update the Email field to jsmith@redhat.com. Click Save.

    2. Change to the IdM tab on Firefox. In the jsmith user Settings tab, click Refresh. The First name and email fields must be updated.

    3. Close the IdM tab.

  5. Create the Red Hat OpenShift identity provider in RH-SSO, with OpenShift as the display name. To do so, create the rhsso-identity project on Red Hat OpenShift and an OAuthClient custom resource. The name for the OAuthClient custom resource must be ocp-identity and the secret mysecret. You can find the ocp-identity.yaml file that contains the definition of an OAuthClient custom resource in the ~/DO313/labs/identity-review directory.

    You can log in to the Red Hat OpenShift cluster as the admin user with redhat as the password by using the Red Hat OpenShift API URL at https://api.ocp4.example.com:6443.

    1. Create the Red Hat OpenShift identity provider in RH-SSO. To do so, change to the RH-SSO Firefox tab. Click Configure → Identity Providers. Select Openshift v4.

    2. Copy the Redirect URI field. Do not click Save yet.

    3. Open a new terminal window on the workstation machine. Log in to the ocp4.example.com cluster as the admin user.

      [student@workstation ~]$ oc login -u admin -p redhat \
        https://api.ocp4.example.com:6443
    4. Create the rhsso-identity project.

      [student@workstation ~]$ oc new-project rhsso-identity
      Now using project "rhsso-identity" on server "https://api.ocp4.example.com:6443".
      ...output omitted...
    5. Review the ocp-identity.yaml file that contains the definition of an OAuthClient custom resource. You can find the file in the ~/DO313/labs/identity-review directory. The redirectURIs field must contain exactly the Redirect URI that you copied from RH-SSO. Take note of the name and secret values from the custom resource.

      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
        name: ocp-identity
      secret: mysecret
      redirectURIs:
        - "https://sso.lab.example.com:8080/auth/realms/rhtraining/broker/openshift-v4/endpoint"
      grantMethod: prompt
    6. Use the oc command to create the ocp-identity OAuthClient custom resource in the rhsso-identity namespace.

      [student@workstation ~]$ oc create -f \
        ~/DO313/labs/identity-review/ocp-identity.yaml -n rhsso-identity
      oauthclient.oauth.openshift.io/ocp-identity created

      Close the terminal window.

    7. Change to the RH-SSO Firefox tab.

    8. Add a new identity provider of the type OpenShift v4. Fill in the identity provider parameters as follows. Leave the rest of the parameters unchanged.

      Parameter        Value
      Display Name     OpenShift
      Client ID        ocp-identity
      Client Secret    mysecret
      Base URL         https://api.ocp4.example.com:6443

    9. Scroll down and click Save.

  6. Test the Red Hat OpenShift user authentication in the finance-webapp application. Use the Red Hat OpenShift user developer with developer as the password. When prompted, fill in the parameters for the developer user from the following table.

    Parameter     Value
    Username      developer
    Email         developer@example.com
    First name    John
    Last name     Doe

    1. Open a new private window in Firefox and navigate to the finance web application URL at http://localhost:8080/finance. Click Show my access token.

    2. Click OpenShift. When prompted, click htpasswd_provider and log in as the developer user with developer as the password.

    3. Click Allow selected permissions. By doing so, the developer user consents to the Red Hat OpenShift identity provider sharing the user information with RH-SSO.

    4. Fill in the parameters for the developer user from the previous table.

    5. Click Submit.

  7. Close all the Firefox windows. Close the application running in the terminal by pressing Ctrl+C. Change to the /home/student directory.

    [student@workstation finance-webapp]$ cd
    [student@workstation ~]$
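The OAuthClient from step 5 is what lets OpenShift hand an authorization code back to RH-SSO, so its redirectURIs, secret and grantMethod are worth checking before the RH-SSO provider is saved. The following script is an added example, not part of the DO313 lab materials: it takes the OAuthClient as JSON (as `oc get oauthclient ocp-identity -o json` would print it; the embedded sample is constructed from the lab's ocp-identity.yaml), rebuilds the expected RH-SSO broker endpoint from the base URL, realm and provider alias, and reports every deviation.

```python
# Added example (not part of the DO313 lab): check an exported OAuthClient
# before handing its name and secret to the RH-SSO OpenShift v4 provider.
import json

# Constructed sample mirroring ocp-identity.yaml from step 5, trimmed to the
# fields that matter for the RH-SSO broker.
OCP_IDENTITY_JSON = """{
  "kind": "OAuthClient",
  "apiVersion": "oauth.openshift.io/v1",
  "metadata": {"name": "ocp-identity"},
  "secret": "mysecret",
  "redirectURIs": ["https://sso.lab.example.com:8080/auth/realms/rhtraining/broker/openshift-v4/endpoint"],
  "grantMethod": "prompt"
}"""


def broker_endpoint(sso_base: str, realm: str, alias: str) -> str:
    """Callback that RH-SSO shows as Redirect URI for an identity provider."""
    return f"{sso_base.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint"


def check_oauthclient(doc: str, sso_base: str, realm: str, alias: str) -> list:
    """Return a list of problems; an empty list means the client is safe to use."""
    obj = json.loads(doc)
    problems = []
    if obj.get("kind") != "OAuthClient" or obj.get("apiVersion") != "oauth.openshift.io/v1":
        problems.append("not an oauth.openshift.io/v1 OAuthClient")
    if not obj.get("secret"):
        problems.append("secret is empty; RH-SSO could not authenticate as this client")
    # 'prompt' makes OpenShift show the consent page seen in step 6 instead of
    # releasing the user's identity silently.
    if obj.get("grantMethod") != "prompt":
        problems.append("grantMethod is not 'prompt'; users would not be asked for consent")
    expected = broker_endpoint(sso_base, realm, alias)
    uris = obj.get("redirectURIs") or []
    if not uris:
        problems.append("redirectURIs is empty; the login would never return to RH-SSO")
    for uri in uris:
        if not uri.startswith("https://"):
            problems.append(f"redirect URI is not https: {uri}")
        # Only the broker endpoint may receive the authorization code; any
        # other URI (wrong realm or alias, extra path, wildcard) is rejected.
        if uri != expected:
            problems.append(f"redirect URI {uri} is not the broker endpoint {expected}")
    return problems


if __name__ == "__main__":
    issues = check_oauthclient(OCP_IDENTITY_JSON, "https://sso.lab.example.com:8080",
                               "rhtraining", "openshift-v4")
    print("OK" if not issues else "\n".join(issues))
```

Run it with the realm and alias shown in the Redirect URI field of the RH-SSO identity provider page; the lab's resource passes, and a resource with the wrong alias or an http:// callback is reported.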

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade identity-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish identity-review

This concludes the section.

Revision: do313-7.6-bc10333