The following guide is based on the commercially supported products provided by Red Hat, namely RHEL8, Red Hat SSO and Red Hat idM. It is expected that this guide will also work with the upstream products: Keycloak (Red Hat SSO) and FreeIPA (Red Hat idM). <\/p>\n\n\n\n
- \n
- A base installation of RHEL8 <\/li>\n\n\n\n
- A subscription for RHEL8 and JBoss EAP <\/li>\n\n\n\n
- A configured and working FreeIPA\/Red Hat IdM environment<\/li>\n\n\n\n
- An instance of WordPress (optional) <\/li>\n<\/ul>\n\n\n\n
My setup consists of: <\/p>\n\n\n\n
- \n
- Three (3) idM servers (one primary and two replicas) <\/li>\n\n\n\n
- Two (2) RH SSO servers in a HA configuration (the configuration is not in scope for this document) <\/li>\n\n\n\n
- Two (2) mariadb\/galera servers in HA configuration for RH SSO <\/li>\n<\/ul>\n\n\n\n
The following system specs have been used for the setup presented above: <\/p>\n\n\n\n
- \n
- CPU: 4vCPUs <\/li>\n\n\n\n
- Memory: 4GB <\/li>\n\n\n\n
- Disk: 60GB <\/li>\n<\/ul>\n\n\n\n
Integration with Red Hat idM<\/strong> <\/p>\n\n\n\n
Ensure your SSO server is enrolled in the idM domain. <\/p>\n\n\n\n
We need to do some preparation work: <\/p>\n\n\n\n
- \n
- Create Kerberos Service Principal for the HTTP server <\/li>\n\n\n\n
- Fetching the Kerberos Keytab <\/li>\n<\/ul>\n\n\n\n
Create the Kerberos Service Principal<\/strong> <\/p>\n\n\n\n
- \n
- Log into the RH SSO server<\/li>\n\n\n\n
- Obtain the admin kerberos ticket<\/li>\n<\/ul>\n\n\n\n
subscription-manager register \n\nsubscription-manager attach --pool=pool_number <\/code><\/pre>\n\n\n\nkinit admin \n\nklist <\/code><\/pre>\n\n\n\n- \n
- Create Service Principal <\/li>\n<\/ul>\n\n\n\n
ipa service-add HTTP\/rhsso01.example.net <\/code><\/pre>\n\n\n\n- \n
- Download the keytab <\/li>\n<\/ul>\n\n\n\n
ipa-getkeytab -p HTTP\/rhsso01.example.net -s idm01.example.net -k \/etc\/krb5-keycloak.keytab <\/code><\/pre>\n\n\n\n- \n
- Set correct permissions for the keytab <\/li>\n<\/ul>\n\n\n\n
chown root \/etc\/krb5-keycloak.keytab \n\nchgrp jboss \/etc\/krb5-keycloak.keytab \n\nchmod 640 \/etc\/krb5-keycloak.keytab <\/code><\/pre>\n\n\n\nCreate the user for ldap bind<\/h2>\n\n\n\n
- \n
- Log into one of the idM servers <\/li>\n\n\n\n
- Run the following ldapmodify command<\/li>\n<\/ul>\n\n\n\n
[root@idm01 ~]# ldapmodify -x -D 'cn=Directory Manager' -W <<EOF \n\ndn: uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net \n\nchangetype: add \n\nobjectclass: account \n\nobjectclass: simplesecurityobject \n\nuid: system \n\nuserPassword: tower123 \n\npasswordExpirationTime: 20320101000000Z \n\nnsIdleTimeout: 0 \n\nEOF <\/code><\/pre>\n\n\n\nThe above command has to be modified to meet your requirements, where: <\/p>\n\n\n\n
DN <\/td> Description <\/td><\/tr> uid=ssobind<\/strong> <\/td> This is the bind user. It can be whatever you choose <\/td><\/tr> dc=example,dc=net<\/strong> <\/td> This is your domain <\/td><\/tr> userPassword<\/strong> <\/td> This is the password. Make it simple. <\/td><\/tr> passwordExpirationTime<\/strong> <\/td> Depending on when you are reading this \u2026 you might modify this date <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n - \n
- Verify the bind user and the password <\/li>\n<\/ul>\n\n\n\n
ldapsearch -D \"uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net \" \n\n-W -h idm01.example.net \n\n-b \"cn=accounts,dc=example,dc=net\" \n\nuid=nesiuser01 <\/code><\/pre>\n\n\n\nWe are ready to create the User Federation <\/p>\n\n\n\n
Create RH SSO User Federation<\/h2>\n\n\n\n
- \n
- Log into RH SSO using browser <\/li>\n\n\n\n
- Select the Realm you want to modify (top right corner) <\/li>\n\n\n\n
- Click on User Federation and click Add Provider <\/li>\n\n\n\n
- Fill out the form as following: <\/li>\n<\/ul>\n\n\n\n
Option<\/strong> <\/td> Setting<\/strong> <\/td><\/tr> Edit Mode<\/strong> <\/td> READ_ONLY <\/td><\/tr> Vendor<\/strong> <\/td> Red Hat Directory Server <\/td><\/tr> Username LDAP Attribute<\/strong> <\/td> uid <\/td><\/tr> RDN LDAP attribute<\/strong> <\/td> Uid <\/td><\/tr> UUID LDAP attribute<\/strong> <\/td> ipaUniqueID <\/td><\/tr> User Object Class<\/strong> <\/td> inetOrgPerson, organizationalPerson <\/td><\/tr> Connection URL<\/strong> <\/td> ldaps:\/\/idm01.example.net <\/td><\/tr> Users DN<\/strong> <\/td> cn=users,cn=accounts,dc=example,dc=net <\/td><\/tr> Authentication Type<\/strong> <\/td> Simple <\/td><\/tr> Bind DN<\/strong> <\/td> uid=ssobind,cn=sysaccounts,cn=etc,dc=example,dc=net <\/td><\/tr> Bind Credential<\/strong> <\/td> your password <\/td><\/tr> Allow Kerberos authentication<\/strong> <\/td> On <\/td><\/tr> Kerberos Realm<\/strong> <\/td> EXAMPLE.NET <\/td><\/tr> Server Principal<\/strong> <\/td> HTTP\/rhsso01.example.net <\/td><\/tr> Keytab<\/strong> <\/td> \/etc\/krb5-keycloak.keytab <\/td><\/tr> Use Kerberos For Password Authentication<\/strong> <\/td> On <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n ![\"\"](\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/08\/image-7.png\")
<\/figure>\n\n\n\n- \n
- Save the configuration<\/li>\n\n\n\n
- Click on Test Connection (next to Connection URL) to verify connection to ldap server<\/li>\n\n\n\n
- Click Test authentication to verify the bind user\/password <\/li>\n\n\n\n
- Click on Synchronize all users. If you have any users in the idM, you should be able to see something like: <\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.insentragroup.com\/us\/wp-content\/uploads\/sites\/21\/2023\/08\/image-8.png\")
<\/figure>\n\n\n\n- \n
- Navigate to Users and click \u2018View all users. You should be able to see all the imported users <\/li>\n<\/ul>\n\n\n\n
If you want to learn more about RH SSO User Federation with Red Hat idM and how it can benefit your web applications, contact us<\/a> today! Our team of experts is ready to assist you in implementing this solution and enhancing the security of your digital assets.\u00a0<\/p>\n\n\n\n
- Navigate to Users and click \u2018View all users. You should be able to see all the imported users <\/li>\n<\/ul>\n\n\n\n
- Verify the bind user and the password <\/li>\n<\/ul>\n\n\n\n
- Set correct permissions for the keytab <\/li>\n<\/ul>\n\n\n\n
- Download the keytab <\/li>\n<\/ul>\n\n\n\n
- Create Service Principal <\/li>\n<\/ul>\n\n\n\n