Abstract
| Goal | Integrate an Identity Management deployment with Red Hat's single sign-on technology, Red Hat Satellite, and Red Hat Ansible Automation Platform. |
|---|---|
| Objectives | |
| Sections | |
| Lab | |
Configure Red Hat's single sign-on technology to get information from the IdM service and use it for authentication.
Red Hat's single sign-on (SSO) technology enables applications to authenticate users from a federated identity manager. It can act as an integration platform to provide user authentication from existing LDAP or Active Directory servers, and you can use it to delegate authentication to third-party identity providers such as Google, GitHub, or other social networks.
Red Hat's single sign-on technology supports the OpenID Connect, OAuth 2.0, and Security Assertion Markup Language (SAML) protocols.
The following list describes some relevant benefits of SSO:
Identity federation: SSO enables users to access distinct web, mobile, and desktop applications using a single set of credentials.
Improved security: Users present their credentials only to the SSO server, instead of to each application, so the applications themselves never handle or store user passwords.
Centralized accounts: User accounts are stored in one system, rather than having a distinct user database for each application.
Simplified maintenance: Administrators manage one database or a small set of databases instead of one for each application.
Better user experience: Users enter their passwords only once to access multiple applications.
Red Hat's single sign-on technology is implemented using a separate server that you manage on your network. You use the web UI to configure this server to use identity management sources. You configure applications to use the server as a federated identity provider by pointing them at the server, and they communicate using open protocol standards such as OpenID Connect or SAML 2.0.
For example, you could configure a web application such as the automation controller component of Red Hat Ansible Automation Platform to authenticate its users by communicating with your SSO server, which is acting as an identity provider. The SSO server could itself be configured to authenticate those users by getting information stored on your IdM server.
To install the server for Red Hat's single sign-on technology on a Red Hat Enterprise Linux 9 system, first you must enable the rh-sso-7.6-for-rhel-9-x86_64-rpms RPM repository.
Next, install Java Runtime Environment version 1.8.0, which is provided in the java-1.8.0-openjdk-headless package, and the rh-sso7 package group.
The server must allow network traffic through its firewall to the following TCP ports:
8080
9990
443
Note that port 8080 serves unencrypted HTTP and port 9990 is the management interface of the underlying application server; in production, restrict both to administrative hosts and expose only the HTTPS endpoint to clients and users.
Lastly, enable and start the rh-sso7 service.
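The installation steps above, collected into one script as an added example (not code from the course or from Red Hat), together with a check that the firewall really opened every required port. It is meant to be run as root on the RHEL 9 host that becomes the SSO server; the repository, package and service names are the ones the text gives, and the function names are this example's own.

```shell
#!/bin/bash
# Added example: install Red Hat's single sign-on server on RHEL 9 and verify
# the firewall. Run as root. Repository, package and service names come from
# the procedure above; the helper names below are this example's own.
set -eu

SSO_PORTS="8080 9990 443"

sso_install() {
    subscription-manager repos --enable=rh-sso-7.6-for-rhel-9-x86_64-rpms
    dnf -y install java-1.8.0-openjdk-headless
    dnf -y groupinstall rh-sso7
    for port in $SSO_PORTS; do
        firewall-cmd --permanent --add-port="${port}/tcp"
    done
    firewall-cmd --reload
    systemctl enable --now rh-sso7
}

# Given the output of `firewall-cmd --list-ports` (space-separated port/proto
# pairs), print the required ports that are still missing, one per line.
sso_missing_ports() {
    local open="$1" port
    for port in $SSO_PORTS; do
        case " $open " in
            *" ${port}/tcp "*) ;;
            *) echo "${port}/tcp" ;;
        esac
    done
}

# Compare the live firewall state against the required port list.
sso_check_firewall() {
    local missing
    missing=$(sso_missing_ports "$(firewall-cmd --list-ports)")
    if [ -n "$missing" ]; then
        echo "Required ports not open:" $missing
        return 1
    fi
    echo "All SSO ports are open"
}

case "${1:-}" in
    install) sso_install && sso_check_firewall ;;
    check)   sso_check_firewall ;;
esac
```

Run it as `./sso-install.sh install` to perform the installation, or `./sso-install.sh check` afterwards to confirm the firewall state; `sso_missing_ports` is kept separate from the live `firewall-cmd` call so the comparison logic can be exercised on captured output.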
Most organizations already have a user identity store such as Microsoft Active Directory or Identity Management. Rather than creating and managing user identities in SSO, you can integrate with the existing identity store.
To integrate SSO with IdM, the SSO server must be registered to the IdM realm as a client. You must then configure user federation to use IdM as an LDAP identity store.
Use the following procedure to configure the SSO server as an IdM client.
Register the SSO server to the IdM realm:
```
[root@host ~]# ipa-client-install --domain example.com \
--server idm.example.com --realm EXAMPLE.COM
...output omitted...
```
From the SSO web console, verify that you are in the desired realm.
Open the user federation settings, add a new provider, and select ldap from the list.
Use the following values to configure IdM as the LDAP provider:
| Property | Value |
|---|---|
| Enabled | ON |
| Console Display Name | ldap |
| Priority | 0 |
| Import Users | ON |
| Edit Mode | READ_ONLY |
| Sync Registrations | OFF |
| Vendor | Red Hat Directory Server |
| Username LDAP attribute | uid |
| RDN LDAP attribute | uid |
| UUID LDAP attribute | ipaUniqueID |
| User Object Classes | inetOrgPerson, organizationalPerson |
| Connection URL | ldaps://idm.example.com:636 |
| Users DN | cn=users,cn=accounts,dc=example,dc=com |
| Search Scope | One Level |
| Bind Type | simple |
| Bind DN | uid=admin,cn=users,cn=accounts,dc=example,dc=com |
| Bind Credential | some_password |
Save the provider configuration, and then synchronize the users from IdM.
After synchronization, SSO can authenticate users to applications against the IdM LDAP user database. Because Edit Mode is READ_ONLY, SSO never writes to IdM, so the Bind DN only needs read access; in production, use a dedicated read-only bind account instead of the IdM admin account, and make sure the SSO server trusts the IdM CA certificate so that the ldaps:// connection is verified.
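An added example (not part of the course material) for checking the federation settings from the table above before trusting them: it flags a non-LDAPS connection URL, a writable edit mode and an admin bind identity, builds the per-user search that SSO runs with the configured attribute and object classes, and reproduces that search with `ldapsearch`. The hostnames, DNs and attribute names are the page's example values; the function names are this example's own, and the filter shape is an approximation of the one the SSO server issues, not its exact query.

```shell
#!/bin/bash
# Added example: verify the IdM LDAP federation settings from the SSO server.
# Hostnames, DNs and attributes are the page's example values; helper names
# are this example's own. The filter approximates the lookup SSO performs.
set -u

LDAP_URL="ldaps://idm.example.com:636"
USERS_DN="cn=users,cn=accounts,dc=example,dc=com"
BIND_DN="uid=admin,cn=users,cn=accounts,dc=example,dc=com"

# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# login name such as 'a*)(uid=*' cannot widen or rewrite the filter.
# The backslash must be replaced first, before the others introduce any.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The search for one login name under the table's settings: the Username LDAP
# attribute (uid) equals the name and the entry carries both User Object Classes.
sso_user_filter() {
    printf '(&(uid=%s)(objectClass=inetOrgPerson)(objectClass=organizationalPerson))' \
        "$(ldap_filter_escape "$1")"
}

# Sanity checks on the settings: require LDAPS and read-only mode, and warn
# when the bind identity is the IdM admin account.
check_settings() {
    local url="$1" edit_mode="$2" bind_dn="$3" rc=0
    case "$url" in
        ldaps://*) ;;
        *) echo "FAIL: Connection URL must use ldaps:// (got $url)"; rc=1 ;;
    esac
    [ "$edit_mode" = "READ_ONLY" ] || { echo "FAIL: Edit Mode should be READ_ONLY"; rc=1; }
    case "$bind_dn" in
        uid=admin,*) echo "WARN: binding as the IdM admin; use a dedicated read-only bind account" ;;
    esac
    return "$rc"
}

# Reproduce the lookup with ldapsearch: one level below Users DN, as in the
# Search Scope setting. -W prompts for the bind password; never pass it on the
# command line, where it would show up in ps output and shell history.
verify_user() {
    ldapsearch -x -H "$LDAP_URL" -D "$BIND_DN" -W \
        -b "$USERS_DN" -s one "$(sso_user_filter "$1")" uid ipaUniqueID
}

if [ "${1:-}" = "verify" ]; then
    check_settings "$LDAP_URL" "READ_ONLY" "$BIND_DN"
    verify_user "${2:?username required}"
fi
```

Run `./sso-ldap-check.sh verify alice` on the SSO server after it is enrolled as an IdM client; the `ldapsearch` result should contain exactly one entry with the `uid` and `ipaUniqueID` attributes that the table maps to the username and UUID. An empty result usually means the Users DN, search scope or object classes do not match the directory, and a bind error means the Bind DN or credential is wrong.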
Integrating Identity Management with Single Sign-on for Red Hat Solutions
For more information about single sign-on user federation using LDAP, refer to the Lightweight Directory Access Protocol (LDAP) and Active Directory section of the Using External Storage chapter of the Red Hat Single Sign-On Server Administration Guide.