New Zealand | RH SSO User Federation with Red Hat idM (FreeIPA)

Sebastian Baszcyj - 31.07.2023

RH SSO User Federation with Red Hat idM (FreeIPA)


In today’s digital world, user authentication is crucial for ensuring the security of web applications. While some web applications support Kerberos Single Sign On (SSO), others rely on OpenID and SAML authentication. This is where Red Hat SSO (RH SSO) comes in, providing a solution to federate users from various sources.

In this blog, we will explore how to use RH SSO and Red Hat idM (FreeIPA) to authenticate web users. RH SSO, a JBoss application, offers Single Sign On for online applications with OpenID and SAML2. One of its standout features is the ability to use Kerberos tickets to replace password-based authentication, adding an extra layer of convenience and security.

What is RH SSO?

Red Hat SSO is a JBoss application that can federate users from a variety of LDAP servers, including 389-Server, OpenLDAP, and Microsoft Active Directory. It provides Single Sign On (SSO) for online applications with OpenID and SAML2.  

The ability to use Kerberos tickets from clients to replace password-based authentication is a very neat feature. 

Requirements 

The following guide is based on the commercially supported products provided by Red Hat, namely RHEL8, Red Hat SSO and Red Hat idM. It is expected that this guide will also work with the upstream products: Keycloak (Red Hat SSO) and FreeIPA (Red Hat idM).  

  • A base installation of RHEL8  
  • A subscription for RHEL8 and JBoss EAP 
  • A configured and working FreeIPA/Red Hat IdM environment
  • An instance of WordPress (optional) 

My setup consists of:  

  • Three (3) idM servers (one primary and two replicas) 
  • Two (2) RH SSO servers in a HA configuration (the configuration is not in scope for this document) 
  • Two (2) mariadb/galera servers in HA configuration for RH SSO 

The following system specs have been used for the setup presented above:  

  • CPU: 4vCPUs 
  • Memory: 4GB  
  • Disk: 60GB  

Integration with Red Hat idM 

Ensure your SSO server is enrolled in the idM domain.  

We need to do some preparation work:  

  • Create a Kerberos service principal for the HTTP server
  • Fetch the Kerberos keytab

Create the Kerberos Service Principal 

  • Log into the RH SSO server
subscription-manager register
subscription-manager attach --pool=pool_number
  • Obtain the admin Kerberos ticket
kinit admin
klist
  • Create the Service Principal
ipa service-add HTTP/rhsso01.example.net
  • Download the keytab
ipa-getkeytab -p HTTP/rhsso01.example.net -s idm01.example.net -k /etc/krb5-keycloak.keytab
  • Set correct permissions for the keytab
chown root /etc/krb5-keycloak.keytab
chgrp jboss /etc/krb5-keycloak.keytab
chmod 640 /etc/krb5-keycloak.keytab

Create the user for ldap bind

  • Log into one of the idM servers 
  • Run the following ldapmodify command
[root@idm01 ~]# ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
dn: uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ssobind
userPassword: tower123
passwordExpirationTime: 20320101000000Z
nsIdleTimeout: 0
EOF

The above command has to be modified to meet your requirements, where:  

Field                   Description
uid=ssobind             This is the bind user. It can be whatever you choose.
dc=example,dc=net       This is your domain.
userPassword            This is the password. Make it simple.
passwordExpirationTime  Depending on when you are reading this … you might modify this date.
  • Verify the bind user and the password 
ldapsearch -D "uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net" \
  -W -h idm01.example.net \
  -b "cn=accounts,dc=example,dc=net" \
  uid=nesiuser01
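A pre-flight script for the two preparation steps above (keytab ownership, mode and principal; simple bind as the ssobind account), added here as an example and not part of the original post. It assumes the paths, principal, group and DN used above, and that klist and ldapwhoami are installed on the RH SSO host.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original post) for the keytab and
# the bind account prepared above. Defaults are the post's values; override
# them via the environment. Needs klist (krb5-workstation) and ldapwhoami
# (openldap-clients) on the RH SSO host.
KEYTAB="${KEYTAB:-/etc/krb5-keycloak.keytab}"
PRINCIPAL="${PRINCIPAL:-HTTP/rhsso01.example.net}"
KEYTAB_GROUP="${KEYTAB_GROUP:-jboss}"
LDAP_URI="${LDAP_URI:-ldaps://idm01.example.net}"
BIND_DN="${BIND_DN:-uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net}"

# Succeeds only when PATH exists, is owned by OWNER:GROUP and is mode 640,
# i.e. the key material is readable by root and the JBoss group alone.
check_keytab_perms() {
  path=$1 owner=$2 group=$3
  [ -f "$path" ] || return 1
  [ "$(stat -c '%U:%G:%a' "$path")" = "$owner:$group:640" ]
}

# Succeeds when the `klist -kt` listing read from stdin contains PRINCIPAL
# (any KVNO, any realm). The name is compared exactly, not pattern-matched.
keytab_has_principal() {
  awk -v p="$1" '{ n = split($NF, a, "@"); if (n == 2 && a[1] == p) f = 1 }
                 END { exit f ? 0 : 1 }'
}

# Simple bind as BIND_DN over LDAPS; -W prompts for the password, as the
# ldapsearch in the post does. A TLS or credential problem fails here.
check_ldap_bind() {
  ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -W
}

preflight() {
  check_keytab_perms "$KEYTAB" root "$KEYTAB_GROUP" ||
    { echo "FAIL: $KEYTAB must be root:$KEYTAB_GROUP, mode 640" >&2; return 1; }
  klist -kt "$KEYTAB" | keytab_has_principal "$PRINCIPAL" ||
    { echo "FAIL: $PRINCIPAL is not in $KEYTAB" >&2; return 1; }
  check_ldap_bind ||
    { echo "FAIL: simple bind as $BIND_DN to $LDAP_URI failed" >&2; return 1; }
  echo "OK: keytab and bind account are ready for RH SSO"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then preflight; fi
```

Run it as root with PREFLIGHT_RUN=1 on the RH SSO server after the keytab and bind user have been created.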

We are ready to create the User Federation 

Create RH SSO User Federation

  • Log into RH SSO using browser 
  • Select the Realm you want to modify (top right corner) 
  • Click on User Federation and click Add Provider 
  • Fill out the form as follows:
Option                                    Setting
Edit Mode                                 READ_ONLY
Vendor                                    Red Hat Directory Server
Username LDAP Attribute                   uid
RDN LDAP Attribute                        uid
UUID LDAP Attribute                       ipaUniqueID
User Object Classes                       inetOrgPerson, organizationalPerson
Connection URL                            ldaps://idm01.example.net
Users DN                                  cn=users,cn=accounts,dc=example,dc=net
Authentication Type                       simple
Bind DN                                   uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net
Bind Credential                           your password
Allow Kerberos authentication             On
Kerberos Realm                            EXAMPLE.NET
Server Principal                          HTTP/rhsso01.example.net
Keytab                                    /etc/krb5-keycloak.keytab
Use Kerberos For Password Authentication  On
  • Save the configuration
  • Click on Test connection (next to Connection URL) to verify the connection to the LDAP server
  • Click Test authentication to verify the bind user/password
  • Click on Synchronize all users. If you have any users in idM, you should see a summary of the imported users.
  • Navigate to Users and click ‘View all users’. You should be able to see all the imported users.
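The same provider settings as the table above, applied with kcadm.sh instead of the admin console, as an added example that is not part of the original post. REALM, FED_NAME, SSO_URL and the kcadm.sh path are placeholders to adjust; the config keys are those of the Keycloak/RH SSO LDAP storage provider, and BIND_PW is the ssobind password.

```shell
#!/bin/sh
# Added example (not from the original post): create the user-federation
# provider from the table above with kcadm.sh instead of the admin console.
# REALM, FED_NAME, SSO_URL and KCADM are placeholders; the config keys are
# those of the Keycloak/RH SSO LDAP storage provider.
REALM="${REALM:-example}"                 # placeholder: the realm you selected
FED_NAME="${FED_NAME:-idm-ldap}"          # placeholder: display name of the provider
SSO_URL="${SSO_URL:-https://rhsso01.example.net/auth}"
KCADM="${KCADM:-/opt/rh/rh-sso7/root/usr/share/keycloak/bin/kcadm.sh}"
# Emit the component representation for the settings in the table. The
# components API wants every config value wrapped in a JSON array.
federation_json() {
  bind_pw=$1
  cat <<EOF
{
  "name": "$FED_NAME",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "config": {
    "enabled": ["true"],
    "editMode": ["READ_ONLY"],
    "vendor": ["rhds"],
    "usernameLDAPAttribute": ["uid"],
    "rdnLDAPAttribute": ["uid"],
    "uuidLDAPAttribute": ["ipaUniqueID"],
    "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
    "connectionUrl": ["ldaps://idm01.example.net"],
    "usersDn": ["cn=users,cn=accounts,dc=example,dc=net"],
    "authType": ["simple"],
    "bindDn": ["uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net"],
    "bindCredential": ["$bind_pw"],
    "allowKerberosAuthentication": ["true"],
    "kerberosRealm": ["EXAMPLE.NET"],
    "serverPrincipal": ["HTTP/rhsso01.example.net"],
    "keyTab": ["/etc/krb5-keycloak.keytab"],
    "useKerberosForPasswordAuthentication": ["true"]
  }
}
EOF
}
# Log in as the master-realm admin, create the provider and run the same
# full sync as the "Synchronize all users" button.
apply_federation() {
  "$KCADM" config credentials --server "$SSO_URL" --realm master --user admin
  id=$(federation_json "$1" | "$KCADM" create components -r "$REALM" -f - -i)
  "$KCADM" create "user-storage/$id/sync?action=triggerFullSync" -r "$REALM"
}
if [ "${APPLY:-0}" = 1 ]; then apply_federation "${BIND_PW:?set BIND_PW}"; fi
```

Run with APPLY=1 and BIND_PW set; the admin password is prompted for by kcadm.sh rather than passed on the command line.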

If you want to learn more about RH SSO User Federation with Red Hat idM and how it can benefit your web applications, contact us today! Our team of experts is ready to assist you in implementing this solution and enhancing the security of your digital assets. 
