DO313 - ch06s02

Bookmark this page

Lab: Install and Configure RH-SSO

Install and configure Red Hat Single Sign-On (RH-SSO) on Red Hat OpenShift, and use the RH-SSO user federation and role-base access control features to manage access for two different OpenID Connect secured applications.

Outcomes

Install Red Hat Single Sign-On on Red Hat OpenShift.
Deploy RH-SSO realm and clients by using custom resources.
Add Red Hat Identity Management (IdM) as a LDAP user federation provider in RH-SSO.
Synchronize users between RH-SSO and IdM.
Create and manage users, roles and groups in RH-SSO.
Use roles and groups to grant required user access for finance-webapp and marketing-restful-api applications.

If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start compreview-rhsso

Specifications

Install the RH-SSO instance on Red Hat OpenShift by using the RH-SSO operator:
- The Red Hat OpenShift web console URL is https://console-openshift-console.apps.ocp4.example.com.
- Use the htpasswd_provider option to log in to the Red Hat OpenShift web console as the admin user with redhat as the password.
- Create the rhsso namespace.
- Install the RH-SSO operator on the rhsso namespace.
- Use the keycloak external PostgreSQL database for the RH-SSO instance.
- The external PostgreSQL database address is sso.lab.example.com and the port is 5432.
- The external postgreSQL database, use the postgres username with postgres as the password.
- You can modify the ~/DO313/labs/compreview-rhsso/secret.yaml to create the secret for the external database.
- Create a do313-keycloak keycloak custom resource to install RH-SSO in the rhsso namespace.
Create a rhtraining realm by using the RH-SSO custom resource:
- You can modify the ~/DO313/labs/compreview-rhsso/01rhtraining-realm.yaml file to create the rhtraining realm.
- Create the custom resource in the rhsso namespace.
- Modify the YAML file to enable user registration for the rhtraining realm.
- Modify the YAML file to add a password policy to enhance password security by forcing all the users to have a password with a minimum length of 8 characters, and at least 1 special character.
Create and enable a client for the Quarkus finance-webapp application in the rhtraining realm by using the RH-SSO custom resource:
- The finance-webapp application is a server-side web application that uses the OpenID Connect authorization code flow as a confidential client to authenticate the application users. The application uses the Java Quarkus framework, and the Quarkus integration with OpenID Connect identity servers.
- You can modify the ~/DO313/labs/compreview-rhsso/02finance-webapp-client.yaml file to create a client for the finance-webapp application.
- Use the finance-webapp client ID for the client.
- The finance-webapp allows only the OpenID Connect authorization code flow (standard flow) as a confidential client.
- The root URL for the finance-webapp client is http://localhost:8080/finance.
- The finance-webapp application is configured to use comp-secret as the client secret.
Create and enable a client for the marketing-restful-api application in the rhtraining realm by using the RH-SSO custom resource:
- The finance-webapp application calls an external endpoint in the marketing-restful-api application. The marketing-restful-api application is a Node.js back-end service which serves REST endpoints. It uses the OpenID Connect authorization code flow as a bearer-only client. Thus, the application cannot initiate the login process, but RH-SSO can generate the access token for this client. The marketing-restful-api application uses the Node.js adapter from RH-SSO to integrate with the authentication server.
- You can modify the ~/DO313/labs/compreview-rhsso/03marketing-restful-api-client.yaml file to create a client for the marketing-restful-api application.
- Use the marketing-restful-api client ID for the client.
- The marketing-restful-api client must allow only the OpenID Connect authorization code flow (standard flow) as a bearer-only client.
- The root URL for the marketing-restful-api client is http://localhost:3000/campaign.

Create the LDAP IdM user federation provider to federate IdM by using the following parameters:

Parameter	Value
Edit Mode	READ_ONLY
Vendor	Red Hat Directory Server
UUID LDAP attribute	`ipaUniqueID`
Connection URL	ldap://idm.ocp4.example.com
Users DN	`cn=users,cn=accounts,dc=ocp4,dc=example,dc=com`
Bind DN	`uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com`
Bind Credential	`r3dh4t12342022`

Use the RH-SSO Admin Console to create the user federation provider and import users with the correct first name.
Retrieve the RH-SSO admin credentials and URL from secret and router resources created by the do313-keycloak keycloak custom resource.
The IdM console URL is https://idm.ocp4.example.com.
Use the admin user with the r3dh4t12342022 password to log in to the IdM web console.
Verify that IdM has the eric and mike users and synchronize all users to RH-SSO.
In RH-SSO, verify that the First Name field for the users is not correctly imported.
Modify the User Federation mappers to correctly import the first name from IdM and synchronize all users again.
Verify that both users are correctly imported.

Use the RH-SSO Admin Console to create RH-SSO realm roles to access the finance-webapp and marketing-restful-api applications. The following table shows the relationship between the roles and applications:
Table 6.1. Roles and Applications
Role Application
accountant finance-webapp
marketing-analyst marketing-restful-api
Run the finance-webapp and marketing-restful-api applications:
- The finance-webapp application is in the ~/DO313/labs/compreview-rhsso/finance-webapp directory.
- The finance-webapp application is started with the mvn quarkus:dev command.
- The marketing-restful-api application is in the ~/DO313/labs/compreview-rhsso/marketing-restful-api directory.
- The marketing-restful-api application is started with the npm install && npm run start commands.
Register a new sally user from the finance-webapp client. The application is at http://localhost:8080/finance. Register the new sally user based on the following criteria:
Field Value
First name Sally
Last name Allen
Email sally@example.com
Username sally
Password sallysally@
Confirm Password sallysally@

Role	Application
`accountant`	`finance-webapp`
`marketing-analyst`	`marketing-restful-api`

Field	Value
`First name`	`Sally`
`Last name`	`Allen`
`Email`	`sally@example.com`
`Username`	`sally`
`Password`	`sallysally@`
`Confirm Password`	`sallysally@`

Provide user access based on the following criteria:

Table 6.2. User Access and Endpoints

Users Access	Role	Application	Endpoint
All users	None (only authenticated)	`finance-webapp`	`http://localhost:8080/finance/showtokens`
Only `eric` and `sally`	`finance-webapp`	`accountant`	`http://localhost:8080/finance/showinvoices`
Only `mike` and `sally`	`marketing-restful-api`	`marketing-analyst`	`http://localhost:3000/campaign/list`

Create the managers group.
Assign accountant and marketing-analyst roles to the managers group.
Add eric and mike to accountant and marketing-analyst roles, respectively.
Add the sally user to the managers group to give access to both applications.
Verify all users access.
The passwords for eric and mike users are ericeric@ and mikemike@, respectively.

Install an RH-SSO instance on Red Hat OpenShift by using the RH-SSO operator.
1. From the workstation machine, navigate to the Red Hat OpenShift web console at https://console-openshift-console.apps.ocp4.example.com. When prompted, click htpasswd_provider and log in as the admin user with redhat as the password.
2. Navigate to Home → Projects and click Create Project. Type rhsso in the Name field and click Create.
3. Navigate to Operators → OperatorHub and type Single Sign-On in the Filter by keyword field.
4. Click Red Hat Single Sign-On Operator, and then click Install.
5. In the Installed Namespace dropdown menu, ensure that the rhsso namespace is selected. Do not change any field. Then, click Install. The installation can take a few minutes to complete.
6. Click View Operator to display the Operator details page.

Create the keycloak-db-secret secret pointing to the external database.

Open the terminal application on the workstation machine. Log in to the ocp4.example.com cluster as the admin user.

[student@workstation ~]$ oc login -u admin -p redhat \
  https://api.ocp4.example.com:6443
Login successful.
...output omitted...

Change to the ~/DO313/labs/compreview-rhsso/ directory.

[student@workstation ~]$ cd ~/DO313/labs/compreview-rhsso/

Edit the secret.yaml file to change the following parameters:

Field name	Value
name	`keycloak-db-secret`
`POSTGRES_DATABASE`	`keycloak`
`POSTGRES_EXTERNAL_ADDRESS`	`sso.lab.example.com`
`POSTGRES_EXTERNAL_PORT`	`5432`
`POSTGRES_PASSWORD`	`postgres`
`POSTGRES_USERNAME`	`postgres`

[student@workstation compreview-rhsso]$ vim secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: keycloak-db-secret
  namespace: rhsso
type: Opaque
stringData:
  POSTGRES_DATABASE: keycloak
  POSTGRES_EXTERNAL_ADDRESS: sso.lab.example.com
  POSTGRES_EXTERNAL_PORT: '5432'
  POSTGRES_PASSWORD: postgres
  POSTGRES_USERNAME: postgres

Use the oc command to create the keycloak-db-secret secret in the rhsso namespace.

[student@workstation compreview-rhsso]$ oc create -f secret.yaml
secret/keycloak-db-secret created

Create the do313-keycloak Keycloak custom resource.
1. Navigate to the Operators → Installed Operators menu, and click Red Hat Single Sign-On Operator.
2. Click Create instance in the Keycloak block.
3. On the Create Keycloak page, select YAML view to display the web console YAML editor.
  Update the YAML code as follows and then click Create.
```
kind: Keycloak
apiVersion: keycloak.org/v1alpha1
metadata:
name: do313-keycloak
  labels:
    app: sso
  namespace: rhsso
spec:
  externalAccess:
    enabled: true
  externalDatabase:
    enabled: true
  instances: 1
```
4. The do313-keycloak resource shows in the Keycloak tab. Wait for the Status to update from Phase:initialising to Phase:reconciling.
  Note
  It takes 5-10 minutes for the Status to update from Phase:initialising to Phase:reconciling.

Create a rhtraining realm by using RH-SSO custom resources.

Edit the 01rhtraining-realm.yaml file to change the following parameters:

Field name	Value
namespace	`rhsso`
id	`rhtraining`
`passwordPolicy`	`length(8) and specialChars(1)`
`registrationAllowed`	True

[student@workstation compreview-rhsso]$ vim 01rhtraining-realm.yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: rhtraining
  namespace: rhsso
  labels:
    app: sso
spec:
  instanceSelector:
    matchLabels:
      app: sso
  realm:
    displayName: RH Training
    enabled: true
    id: rhtraining
    passwordPolicy: length(8) and specialChars(1)
    realm: rhtraining
    registrationAllowed: True

The YAML file creates a realm called rhtraining in RH-SSO.

Use the oc command to create the rhtraining KeycloakRealm custom resource in the rhsso namespace.

[student@workstation compreview-rhsso]$ oc create -f 01rhtraining-realm.yaml
keycloakrealm.keycloak.org/rhtraining created

Create and enable a client for the Quarkus finance-webapp application in the rhtraining realm by using RH-SSO custom resource.

Edit the 02finance-webapp-client.yaml file to change the following parameters:

Table 6.3. Finance-webapp client creation

Field name	Value
`namespace`	`rhsso`
`clientId`	`finance-webapp`
`secret`	`comp-secret`
`enabled`	true
`rootUrl`	'http://localhost:8080/finance'
`standardFlowEnabled`	true

[student@workstation compreview-rhsso]$ vim 02finance-webapp-client.yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: finance-webapp
  namespace: rhsso
  labels:
    app: sso
spec:
  client:
    clientId: finance-webapp
    secret: comp-secret
    clientAuthenticatorType: client-secret
    enabled: true
    name: finance-webapp
    rootUrl: 'http://localhost:8080/finance'
    standardFlowEnabled: true
    protocol: openid-connect
    defaultClientScopes:
      - email
      - offline_access
      - profile
      - roles
  realmSelector:
    matchLabels:
      app: sso

The YAML file creates the finance-webapp client in RH-SSO.

Use the oc command to create the finance-webapp KeycloakClient custom resource in the rhsso namespace.

[student@workstation compreview-rhsso]$ oc create -f 02finance-webapp-client.yaml
keycloakclient.keycloak.org/finance-webapp created

Create a client for the marketing-restful-api services applications in the rhtraining realm. The new client must allow only the OpenID Connect authorization code flow (standard flow) as a bearer-only client.

Edit the 03marketing-restful-api-client.yaml file to change the following parameters:

Table 6.4. Marketing Restful API client creation

Field	Value
`namespace`	`rhsso`
`clientId`	`marketing-restful-api`
`enabled`	true
`rootUrl`	'http://localhost:3000/campaign'
`standardFlowEnabled`	true
`bearerOnly`	true

[student@workstation compreview-rhsso]$ vim 03marketing-restful-api-client.yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: marketing-restful-api
  namespace: rhsso
  labels:
    app: sso
spec:
  client:
    clientId: marketing-restful-api
    enabled: true
    name: marketing-restful-api
    rootUrl: 'http://localhost:3000/campaign'
    standardFlowEnabled: true
    protocol: openid-connect
    bearerOnly: true
    defaultClientScopes:
      - email
      - offline_access
      - profile
      - roles
  realmSelector:
    matchLabels:
      app: sso

The YAML file creates the marketing-restful-api client in RH-SSO.

Use the oc command to create the marketing-restful-api KeycloakClient custom resource in the rhsso namespace.

[student@workstation compreview-rhsso]$ oc create -f \
  03marketing-restful-api-client.yaml
keycloakclient.keycloak.org/marketing-restful-api created

Retrieve the credentials from the do313-keycloak keycloak.
1. On the Keycloaks page, click do313-keycloak to display details of the do313-keycloak resource.
2. Select the Resources tab, and click credential-do313-keycloak secret to retrieve credentials details.
3. On the Secret details page, scroll down to locate Data and click Reveal values.
4. The ADMIN_USERNAME value shows username admin. Copy the ADMIN_PASSWORD value to use in the log in step.
5. Navigate to Networking → Routes to display the list of routes for the rhsso project.
6. Click the keycloak route to display the route details. The Location field provides a link to the Keycloak instance. Click the link to access the RH-SSO Admin Console in a new tab.
7. On the RH-SSO Admin Console, click Administration Console. Then, log in as the admin user with the password retrieved in the preceding step. By default, the main page shows the Realm Settings menu for the rhtraining realm.

Create the LDAP IdM user federation provider to federate IdM by using the following parameters:

Parameter	Value
Console Display Name	LDAP IdM
Edit Mode	READ_ONLY
Vendor	Red Hat Directory Server
UUID LDAP attribute	`ipaUniqueID`
Connection URL	ldap://idm.ocp4.example.com
Users DN	`cn=users,cn=accounts,dc=ocp4,dc=example,dc=com`
Bind DN	`uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com`
Bind Credential	`r3dh4t12342022`

On the RH-SSO Admin Console, click Configure → User Federation. Click Add provider and select ldap.
Complete the user federation provider parameters just like the previous table. Scroll down and then click Save.
Click Synchronize all users. A pop-up shows that two users are imported to RH-SSO.
Click Manage → Users. Click View all users. Verify there are two users in the rhtraining realm: eric and mike.

In RH-SSO, verify that the First Name field for the user is not correctly imported. Modify the User Federation mappers to correctly import the first name from IdM.
1. Open a new Firefox tab and navigate to the IdM web UI URL at https://idm.ocp4.example.com.
2. Log in as the admin user with r3dh4t12342022 as the password. By default, the main page shows the Active users menu.
3. Verify that eric and mike are active users on IdM by looking at the enabled users.
4. Verify that the first name for the eric user is Eric and the first name for the mike user is Mike.
5. Change to the RH-SSO Firefox tab and click Manage → Users. Click View all users.
6. Verify that the First Name field is not correctly imported for both eric and mike users.
7. Modify the User Federation mappers to correctly import the first name from IdM. Click Configure → User Federation. Click LDAP IdM.
8. Click the Mappers tab. Click the first name mapper.
9. Modify the LDAP Attribute field to givenname. Click Save.
10. Update the user fields. Click Configure → User Federation. Click LDAP IdM. Click Synchronize all users. A pop-up shows that two users are updated.
11. Verify the first name for the eric and mike users are correct. Click Manage → Users. Verify that the First Name field is correctly imported for both eric and mike users.
Create RH-SSO realm roles to access the finance-webapp and marketing-restful-api applications. The following table shows the relationship between the roles and the application.
Table 6.5. Roles and Applications
Role Application
accountant finance-webapp
marketing-analyst marketing-restful-api
1. From the RH-SSO Admin Console, click Configure → Roles. Then, click Add Role.
2. Type accountant in the Role Name field. Then, click Save.
3. Click Configure → Roles. Then, click Add Role.
4. Type marketing-analyst in the Role Name field. Then, click Save.

Role	Application
`accountant`	`finance-webapp`
`marketing-analyst`	`marketing-restful-api`

Run the finance-webapp and marketing-restful-api applications.

Open the new terminal tab on the workstation machine and change to the ~/DO313/labs/compreview-rhsso/finance-webapp directory.
```
[student@workstation ~]$ cd ~/DO313/labs/compreview-rhsso/finance-webapp
```

From the terminal, compile and run the application.

[student@workstation finance-webapp]$ mvn quarkus:dev
...output omitted...
2022-12-15 07:41:26,210 INFO  [io.quarkus] (Quarkus Main Thread) finance-webapp 1.0.0-SNAPSHOT on JVM (powered by Quarkus 2.14.2.Final) started in 3.001s. Listening on: http://localhost:8080
2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.
2022-12-15 07:41:26,211 INFO  [io.quarkus] (Quarkus Main Thread) Installed features: [cdi, oidc, oidc-client, oidc-token-propagation, qute, reactive-routes, rest-client, rest-client-jackson, resteasy, resteasy-qute, security, servlet, smallrye-context-propagation, smallrye-jwt, vertx]

 --
Tests paused
Press [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

Note

The application can take some minutes downloading dependencies.

Leave the terminal open.

Open a new terminal application on the workstation machine, and change to the ~/DO313/labs/compreview-rhsso/marketing-restful-api directory.
```
[student@workstation ~]$ cd ~/DO313/labs/compreview-rhsso/marketing-restful-api
```

From the terminal, install dependencies and run the application.

[student@workstation marketing-restful-api]$ npm install && npm run start
...oupout omitted...
> marketing-restful-api@0.0.1 start /home/student/DO313/labs/auth-review/marketing-restful-api
> node app.js

Started at port 3000

Note

The application can take some minutes downloading dependencies.

Leave the terminal open.

Register a new sally user from the finance-webapp client. The application is at http://localhost:8080/finance. Register the new sally user based on the following criteria:
Field Value
First name Sally
Last name Allen
Email sally@example.com
Username sally
Password sallysally@
Confirm Password sallysally@
1. Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance. Click Show my access token.
2. In the rhtraining realm login page click Register.
3. Register the sally user based on the criteria from the previous table. Click Register.
4. The page displays the access token for the sally user. Close the Firefox private window.
Assign the accountant role to the eric user and the marketing-analyst role to the mike user.
1. Assign the accountant role to the eric user. From the RH-SSO Admin Console, navigate to Manage → Users.
2. Click Edit in the eric users row. Then, navigate to the Role Mappings tab.
3. Select the accountant role in the list of Available Roles, and click Add Selected. The accountant role moves to Assigned Roles and Effective Roles.
4. Assign the marketing-analyst role to the mike user. From the RH-SSO Admin Console, navigate to Manage → Users.
5. Click Edit in the mike users row. Then, navigate to the Role Mappings tab.
6. Select the marketing-analyst role in the list of Available Roles, and click Add Selected. The marketing-analyst role moves to Assigned Roles and Effective Roles.
Assign the accountant and marketing-analyst roles to the sally user by using the managers group.
1. From the RH-SSO Admin Console, click Manage → Groups. Then click New. Type managers as the group name, and click Save.
2. Click the Role Mappings tab. Then, select the accountant role in the list of available roles, and click Add Selected. Select the marketing-analyst role in the list of available roles, and click Add Selected.
3. Add the sally user to the managers group. From the RH-SSO Admin Console, navigate to Manage → Users.
4. Click Edit in the sally users row. Then, navigate to the Groups tab, select the managers group, and click Join.

Field	Value
`First name`	`Sally`
`Last name`	`Allen`
`Email`	`sally@example.com`
`Username`	`sally`
`Password`	`sallysally@`
`Confirm Password`	`sallysally@`

Verify all users access based on the following criteria:

Table 6.6. User Access and Endpoints

Users Access	Role	Application	Endpoint
All users	None (only authenticated)	`finance-webapp`	`http://localhost:8080/finance/showtokens`
Only `eric` and `sally`	`accountant`	`finance-webapp`	`http://localhost:8080/finance/showinvoices`
Only `mike` and `sally`	`marketing-analyst`	`marketing-restful-api`	`http://localhost:3000/campaign/list`

Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.
Click Show my access token. Log in with the eric user, with ericeric@ as the password. The page displays the user access token.
Click /showinvoices. The eric user can see the list of invoices because the user has the required role.
Click External API to access the list of campaigns. The eric user cannot see the list of campaigns because the user is not in the marketing-analyst role. Close the Firefox private window.
Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.
Click Show my access token. Log in with the mike user, with mikemike@ as the password. The page displays the user access token.
Click External API to access the list of campaigns. The mike user can see the list of campaigns because the user has the required role.
Click /showinvoices. The mike user cannot see the list of invoices because the user is not in the accountant role. Close the Firefox private window.
Open a new Firefox private window and navigate to the finance web application at http://localhost:8080/finance.
Click Show my access token. Log in with the sally user, with sallysally@ as the password. The page displays the user access token.
Click /showinvoices. The sally user, in the managers group, can see the list of invoices because the group has the required role.
Click External API to access the list of campaigns. The sally user, in the managers group, can see the list of invoices because the group has the required role. Close the Firefox private window.

Close all the Firefox windows and close all the applications running in the terminal by pressing Ctrl+C. Change to the /home/student directory.
```
[student@workstation compreview-rhsso]$ cd
[student@workstation ~]$
```

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-rhsso

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-rhsso

This concludes the section.

Revision: do313-7.6-bc10333

Red Hat Single Sign-On Administration

Lab: Install and Configure RH-SSO

Note

Note

Note

Lab Controls