Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

19.5. Installing and Configuring Red Hat Single Sign-On

To use Red Had Single Sign-On as your authorization method, you need to:

  • Install Red Hat SSO.
  • Configure the LDAP group mapper.
  • Configure Apache on the Manager.
  • Configure OVN provider credentials.
Note

If Red Hat SSO is configured, previous LDAP sign ons will not work, as only a single authorization protocol may be used at a time.

19.5.1. Installing Red Hat Single Sign-On
Link kopieren

You can install Red Hat Single Sign-On by downloading a ZIP file and unpacking it, or by using an RPM file.

Follow the installation instructions at Red Hat SSO Installation

Prepare the following information:

  • Path/location of the Open ID Connect server.
  • The subscription channel for the correct repositories.
  • Valid Red Hat subscription login credentials.

19.5.2. Configuring the LDAP group mapper
Link kopieren

  1. Add the LDAP groups mapper with the following information:

    • Name: ldapgroups
    • Mapper Type: group-ldap-mapper
    • LDAP Groups DN: ou=groups,dc=example,dc=com
    • Group Object Classes: groupofuniquenames (adapt this class according to your LDAP server setup)
    • Membership LDAP Attribute: uniquemember (adapt this class according to your LDAP server setup)
  2. Click Save.
  3. Click Sync LDAP Groups to KeyCloak.
  4. At the bottom of the User Federation Provider page, click Synchronize all users.
  5. In the Clients tab, under Add Client, add ovirt-engine as the Client ID, and enter the engine url as the Root URL.
  6. Modify the Client Protocol to openid-connect and the Access Type to confidential.
  7. In the Clients tab, under Ovirt-engine > Advanced Settings, increase the Access Token Lifespan.
  8. Add https://rhvm.example.com:443/* as a valid redirect URI.
  9. The client secret is generated, and can be viewed in the Credentials tab.

  10. In the Clients tab under Create Mapper Protocol, create a mapper with the following settings:

    • Name: groups
    • Mapper Type: Group Membership
    • Token Claim Name: groups
    • Full group path: ON
    • Add to ID token: ON
    • Add to access token: ON
    • Add to userinfo: ON
  11. Add the Builtin Protocol Mapper for username.
  12. Create the scopes needed by ovirt-engine, ovirt-app-api and ovirt-app-admin.
  13. Use the scopes created in the previous step to set up optional client scopes for the ovirt-engine client.

19.5.3. Configuring Apache in the Manager
Link kopieren

  1. Configure Apache in the Manager. 

    # yum install mod_auth_openidc
    Copy to Clipboard Toggle word wrap

  2. Create a new httpd config file ovirt-openidc.conf in /etc/httpd/conf.d with the following content: 

    LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://SSO.example.com/auth/realms/master/.well-known/openid-configuration
OIDCSSLValidateServer Off

OIDCClientID ovirt-engine
OIDCClientSecret <client_SSO _generated_key>
OIDCRedirectURI https://rhvm.example.com/ovirt-engine/callback
OIDCDefaultURL https://rhvm.example.com/ovirt-engine/login?scope=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E

# maps the prefered_username claim to the REMOTE_USER environment variable:

OIDCRemoteUserClaim <preferred_username>
OIDCCryptoPassphrase <random1234>

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
    <If "req('Authorization') !~ /^(Bearer|Basic)/i">

      Require valid-user
      AuthType openid-connect

      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
    </If>
</LocationMatch>

OIDCOAuthIntrospectionEndpoint https://SSO.example.com/auth/realms/master/protocol/openid-connect/token/introspect
OIDCOAuthSSLValidateServer    Off
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
OIDCOAuthClientID ovirt-engine
OIDCOAuthClientSecret <client_SSO _generated_key>
OIDCOAuthRemoteUserClaim sub

<LocationMatch ^/ovirt-engine/(api$|api/)>
   AuthType oauth20
   Require valid-user
</LocationMatch>
    Copy to Clipboard Toggle word wrap

  3. To save the configuration changes, restart httpd and ovirt-engine: 

    # systemctl restart httpd
# systemctl restart ovirt-engine
    Copy to Clipboard Toggle word wrap

  4. Create the file openidc-authn.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = openidchttp
ovirt.engine.aaa.authn.authz.plugin = openidc-authz
ovirt.engine.aaa.authn.mapping.plugin = openidc-http-mapping
config.artifact.name = HEADER
config.artifact.arg = OIDC_CLAIM_preferred_username
    Copy to Clipboard Toggle word wrap

  5. Create the file openidc-http-mapping.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = false
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
    Copy to Clipboard Toggle word wrap

  6. Create the file openidc-authz.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.artifact.name.arg = OIDC_CLAIM_preferred_username
config.artifact.groups.arg = OIDC_CLAIM_groups
    Copy to Clipboard Toggle word wrap

  7. Create the file 99-enable-external-auth.conf in /etc/ovirt-engine/engine.conf.d/ with the following content: 

    ENGINE_SSO_ENABLE_EXTERNAL_SSO=true
ENGINE_SSO_EXTERNAL_SSO_LOGOUT_URI="${ENGINE_URI}/callback"
EXTERNAL_OIDC_USER_INFO_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/userinfo
EXTERNAL_OIDC_TOKEN_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/token
EXTERNAL_OIDC_LOGOUT_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/logout
EXTERNAL_OIDC_CLIENT_ID=ovirt-engine
EXTERNAL_OIDC_CLIENT_SECRET="<client_SSO _generated_key>"
EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EXTERNAL_OIDC_SSL_VERIFY_CHAIN=false
EXTERNAL_OIDC_SSL_VERIFY_HOST=false
    Copy to Clipboard Toggle word wrap

19.5.4. Configuring OVN
Link kopieren

If you configured the ovirt-ovn-provider in the Manager, you need to configure the OVN provider credentials.

  1. Create the file 20-setup-ovirt-provider-ovn.conf in /etc/ovirt-provider-ovn/conf.d/ with the following content, where user1 belongs to the LDAP group ovirt-administrator, and openidchttp is the profile configured for aaa-ldap-misc. 

    [OVIRT]
# ovirt-admin-user-name=user1@openidchttp
    Copy to Clipboard Toggle word wrap

  2. Restart the ovirt-provider-ovn: 

    # systemctl restart ovirt-provider-ovn
    Copy to Clipboard Toggle word wrap
  3. Log in to the Administration Portal, navigate to Administration Providers, select ovirt-provider-ovn, and click Edit to update the password for the ovn provider.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat