Guided Exercise: Configure Red Hat Single Sign-On on Red Hat OpenShift

  • Configure Red Hat Single Sign-On on Red Hat OpenShift using custom resource definitions.

Outcomes

  • Deploy a KeycloakRealm custom resource.

  • Deploy a KeycloakClient custom resource.

  • Deploy a KeycloakUser custom resource.

  • Verify configuration of Red Hat Single Sign-On.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that the RH-SSO operator is installed and deploys the Keycloak custom resource and finance-webapp application.

[student@workstation ~]$ lab start ocp-configsso

Procedure 5.2. Instructions

  1. Log in to your Red Hat OpenShift cluster as the admin user with the redhat password.

    The web console URL is https://console-openshift-console.apps.ocp4.example.com.

    1. From the workstation machine, navigate to the Red Hat OpenShift web console at https://console-openshift-console.apps.ocp4.example.com. When prompted, click htpasswd_provider and log in as the admin user with the redhat password.

  2. Access the finance-webapp application and retrieve the user access token for the application.

    1. Navigate to Networking → Routes and select config-project from the Project field to display the list of routes in the config-project project.

      Figure 5.14: Routes
    2. The Routes page shows the finance-webapp route. Click the Location URL to view the finance-webapp application front end.

    3. On the subsequent web page, append /finance to the URL to display the application.

    4. Click Show my access token to view the user access token. The page displays an OIDC Server is not available error.

      Figure 5.15: Access token error
  3. The lab start command creates a Keycloak custom resource. Verify that the Keycloak custom resource exists and is in the reconciling status. Only after it reaches the reconciling status can you create the custom resources in the subsequent steps.

    1. Open the terminal application on the workstation machine. Log in to the ocp4.example.com cluster as the admin user.

      [student@workstation ~]$ oc login -u admin -p redhat \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
    2. Check the status of the Keycloak custom resource.

      [student@workstation ~]$ oc get keycloak -n rhsso \
        -o jsonpath='{.items[0].status.phase}{"\n"}'
      reconciling

      Note

      It takes 5-10 minutes for the status to change from initialising to reconciling. If the command returns initialising, wait a few minutes and rerun the command.

  4. Create a KeycloakRealm custom resource called configsso-realm in the ocp4.example.com cluster.

    1. Change to the ~/DO313/labs/ocp-configsso/ directory.

      [student@workstation ~]$ cd ~/DO313/labs/ocp-configsso/
    2. Review the file called 01keycloakrealm.yaml, which deploys a KeycloakRealm custom resource.

      [student@workstation ocp-configsso]$ cat 01keycloakrealm.yaml
      ...output omitted...
      apiVersion: keycloak.org/v1alpha1
      kind: KeycloakRealm
      metadata:
        name: configsso-realm
        namespace: rhsso
        labels:
          app: sso
          realm: configsso-realm
      spec:
        instanceSelector:
          matchLabels:
            app: sso
        realm:
          id: configsso-realm
          realm: configsso-realm
          enabled: True
          displayName: "Config Realm"

      The YAML file creates a realm called configsso-realm in RH-SSO.

    3. Use the oc command to create the configsso-realm KeycloakRealm custom resource in the rhsso namespace.

      [student@workstation ocp-configsso]$ oc create -f 01keycloakrealm.yaml
      keycloakrealm.keycloak.org/configsso-realm created
  5. Create a KeycloakClient custom resource called configsso-client in the ocp4.example.com cluster.

    1. Edit the 02keycloakclient.yaml file to change the following parameters:

      Field name    Value
      name          configsso-client
      clientId      configsso-client
      secret        configsso-client-secret

      [student@workstation ocp-configsso]$ vim 02keycloakclient.yaml
      apiVersion: keycloak.org/v1alpha1
      kind: KeycloakClient
      metadata:
        name: configsso-client
        namespace: rhsso
        labels:
          app: sso
          realm: configsso-realm
          client: configsso-client
      spec:
        realmSelector:
          matchLabels:
            app: sso
            realm: configsso-realm
        client:
          clientId: configsso-client
          secret: configsso-client-secret
          defaultClientScopes:
            - email
            - offline_access
            - profile
            - roles
          implicitFlowEnabled: False
          standardFlowEnabled: True
          redirectUris:
            - http://finance-webapp-config-project.apps.ocp4.example.com/finance/*
          rootUrl: http://finance-webapp-config-project.apps.ocp4.example.com/finance

      The YAML file creates the configsso-client client in RH-SSO.

      Note

      The finance-webapp application is configured with configsso-client-secret as the value of the quarkus.oidc.credentials.secret property, so the client secret in the custom resource must match it.

    2. Use the oc command to create the configsso-client KeycloakClient custom resource in the rhsso namespace.

      [student@workstation ocp-configsso]$ oc create -f 02keycloakclient.yaml
      keycloakclient.keycloak.org/configsso-client created
  6. Create a KeycloakUser custom resource called configsso-user in the ocp4.example.com cluster.

    1. Edit the 03keycloakuser.yaml file to change the following parameters:

      Field name           Value
      name                 configsso-user
      username             student
      credentials:value    redhat
      user:enabled         True
      user:emailVerified   True

      [student@workstation ocp-configsso]$ vim 03keycloakuser.yaml
      apiVersion: keycloak.org/v1alpha1
      kind: KeycloakUser
      metadata:
        name: configsso-user
        namespace: rhsso
        labels:
          app: sso
          realm: configsso-realm
      spec:
        realmSelector:
          matchLabels:
            app: sso
            realm: configsso-realm
        user:
          username: student
          credentials:
            - temporary: False
              type: password
              value: redhat
          firstName: student
          lastName: student
          email: student@example.com
          enabled: True
          emailVerified: True
          realmRoles:
            - offline_access

      The YAML file creates the configsso-user KeycloakUser custom resource, which creates and enables a student user with the redhat password in RH-SSO.

    2. Use the oc command to create the configsso-user KeycloakUser custom resource in the rhsso namespace.

      [student@workstation ocp-configsso]$ oc create -f 03keycloakuser.yaml
      keycloakuser.keycloak.org/configsso-user created
  7. Access the finance-webapp application and retrieve the user access token.

    1. Navigate to the finance-webapp application at http://finance-webapp-config-project.apps.ocp4.example.com/finance.

    2. Click Show my access token to access the token.

    3. Log in as the student user with redhat as the password. The page displays a student user access token.

      Figure 5.16: Access token
    4. Close all the Firefox windows and change to the /home/student directory.

      [student@workstation ocp-configsso]$ cd ~
      [student@workstation ~]$
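The KeycloakClient manifest in step 5 carries the settings that decide where RH-SSO is allowed to send authorization codes and whether the implicit flow is on. The following script is an added example, not part of the DO313 lab files: a small pre-apply lint that reads a manifest like 02keycloakclient.yaml and refuses it when implicitFlowEnabled is true or a redirect URI is a bare wildcard, and warns on http:// redirect targets. The two sample manifests it checks are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the DO313 lab files: a pre-apply lint for a
# KeycloakClient manifest such as 02keycloakclient.yaml. It is a deliberately
# simple grep over the flat spec.client fields this exercise uses, not a YAML
# parser, and returns non-zero so it can gate an "oc create -f" step.

lint_keycloak_client() {
  file="$1"
  problems=0
  # Implicit flow hands tokens back in the URL fragment; the lab keeps it False.
  if grep -qiE '^[[:space:]]*implicitFlowEnabled:[[:space:]]*true' "$file"; then
    echo "FAIL: implicitFlowEnabled is true"; problems=$((problems + 1))
  fi
  # A bare wildcard redirect URI lets any site receive the authorization code.
  if grep -qE '^[[:space:]]*-[[:space:]]*"?(\*|https?://\*)"?[[:space:]]*$' "$file"; then
    echo "FAIL: redirectUris contains a bare wildcard"; problems=$((problems + 1))
  fi
  # Cleartext redirect targets expose the code and tokens on the wire.
  if grep -qE '^[[:space:]]*-[[:space:]]*"?http://' "$file"; then
    echo "WARN: redirectUris uses http:// (fine in this lab, not in production)"
  fi
  return "$problems"   # 0 when no FAIL was found
}

# Constructed sample manifests written to temp files (hypothetical values).
SAFE_MANIFEST=$(mktemp)
cat > "$SAFE_MANIFEST" <<'EOF'
spec:
  client:
    clientId: configsso-client
    secret: configsso-client-secret
    implicitFlowEnabled: False
    standardFlowEnabled: True
    redirectUris:
      - https://finance-webapp-config-project.apps.ocp4.example.com/finance/*
EOF

RISKY_MANIFEST=$(mktemp)
cat > "$RISKY_MANIFEST" <<'EOF'
spec:
  client:
    clientId: configsso-client
    implicitFlowEnabled: True
    standardFlowEnabled: True
    redirectUris:
      - http://finance-webapp-config-project.apps.ocp4.example.com/finance/*
      - "*"
EOF

lint_keycloak_client "$SAFE_MANIFEST" && echo "safe manifest: ok"
lint_keycloak_client "$RISKY_MANIFEST" || echo "risky manifest: rejected"
```

Run it against the real 02keycloakclient.yaml before the oc create step; the lab manifest passes with only the http:// warning, which is expected for the example.com lab route.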

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish ocp-configsso

This concludes the section.

Revision: do313-7.6-bc10333