Red Hat SummitChapter 50. Using external identity providers to authenticate to IdM
You can associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow.
When these users authenticate with the SSSD they receive RHEL Identity Management (IdM) single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.
Notable features include:
-
Adding, modifying, and deleting references to external IdPs with
ipa idp-*commands. Enabling IdP authentication for users with the
ipa user-mod --user-auth-type=idpcommand.- What is supported
-
Logging in remotely via SSH with the
keyboard-interactiveauthentication method enabled, which allows calling Pluggable Authentication Module (PAM) libraries. -
Logging in locally with the console via the
logindservice. Retrieving a Kerberos ticket-granting ticket (TGT) with the
kinitutility.- What is currently not supported
- Logging in to the IdM WebUI directly. To log in to the IdM WebUI, you must first acquire a Kerberos ticket.
- Logging in to Cockpit WebUI directly. To log in to the Cockpit WebUI, you must first acquire a Kerberos ticket.
50.1. The benefits of connecting IdM to an external IdP
As an administrator, you might want to allow users stored in an external identity source, such as a cloud services provider, to access RHEL systems joined to your Identity Management (IdM) environment. To achieve this, you can delegate the authentication and authorization process of issuing Kerberos tickets for these users to that external entity.
You can use this feature to expand IdM’s capabilities and allow users stored in external identity providers (IdPs) to access Linux systems managed by IdM.
50.2. How IdM incorporates logins via external IdPs
SSSD 2.7.0 contains the sssd-idp package, which implements the idp Kerberos pre-authentication method. This authentication method follows the OAuth 2.0 Device Authorization Grant flow to delegate authorization decisions to external IdPs:
-
An IdM client user initiates OAuth 2.0 Device Authorization Grant flow, for example, by attempting to retrieve a Kerberos TGT with the
kinitutility at the command line. - A special code and website link are sent from the Authorization Server to the IdM KDC backend.
- The IdM client displays the link and the code to the user. In this example, the IdM client outputs the link and code on the command line.
The user opens the website link in a browser, which can be on another host, a mobile phone, and so on:
- The user enters the special code.
- If necessary, the user logs in to the OAuth 2.0-based IdP.
- The user is prompted to authorize the client to access information.
- The user confirms access at the original device prompt. In this example, the user hits the Enter key at the command line.
- The IdM KDC backend polls the OAuth 2.0 Authorization Server for access to user information.
50.3. Creating a reference to an external identity provider
You can create IdP references in IdM to connect external identity providers (IdPs) to your Identity Management (IdM) environment. You can create a reference called my-keycloak-idp to an IdP based on the Keycloak template. For more reference templates, see Example references to different external IdPs in IdM.
Prerequisites
- You have registered IdM as an OAuth application to your external IdP, and obtained a client ID.
- You can authenticate as the IdM admin account.
Procedure
Authenticate as the IdM admin on an IdM server.
[root@server ~]# kinit adminCreate a reference called
my-keycloak-idpto an IdP based on the Keycloak template, where the--base-urloption specifies the URL to the Keycloak server in the formatserver-name.$DOMAIN:$PORT/prefix.[root@server ~]# ipa idp-add my-keycloak-idp \ --provider keycloak --organization main \ --base-url keycloak.idm.example.com:8443/auth \ --client-id id13778 ------------------------------------------------ Added Identity Provider reference "my-keycloak-idp" ------------------------------------------------ Identity Provider reference name: my-keycloak-idp Authorization URI: https://keycloak.idm.example.com:8443/auth/realms/main/protocol/openid-connect/auth Device authorization URI: https://keycloak.idm.example.com:8443/auth/realms/main/protocol/openid-connect/auth/device Token URI: https://keycloak.idm.example.com:8443/auth/realms/main/protocol/openid-connect/token User info URI: https://keycloak.idm.example.com:8443/auth/realms/main/protocol/openid-connect/userinfo Client identifier: ipa_oidc_client Scope: openid email External IdP user identifier attribute: email
Verification
Verify that the output of the
ipa idp-showcommand shows the IdP reference you have created.[root@server ~]# ipa idp-show my-keycloak-idp
50.4. Example references to different external IdPs in IdM
The following table lists examples of the ipa idp-add command for creating references to different IdPs in IdM.
| Identity Provider | Important options | Command example |
|---|---|---|
| Microsoft Identity Platform, Azure AD |
|
|
| |
|
|
| GitHub |
|
|
| Keycloak, Red Hat Single Sign-On |
|
Note
The Quarkus version of Keycloak 17 and later have removed the |
| Okta |
|
|
50.5. Options for the ipa idp-* commands to manage external identity providers in IdM
The following examples show how to configure references to external IdPs based on the different IdP templates. Use the following options to specify your settings:
--provider- the predefined template for one of the known identity providers
--client-id- the OAuth 2.0 client identifier issued by the IdP during application registration. As the application registration procedure is specific to each IdP, refer to their documentation for details. If the external IdP is Red Hat Single Sign-On (SSO), see Creating an OpenID Connect Client.
--base-url- base URL for IdP templates, required by Keycloak and Okta
--organization- Domain or Organization ID from the IdP, required by Microsoft Azure
--secret- (optional) Use this option if you have configured your external IdP to require a secret from confidential OAuth 2.0 clients. If you use this option when creating an IdP reference, you are prompted for the secret interactively. Protect the client secret as a password.
50.6. Managing references to external IdPs
After you create a reference to an external identity provider (IdP), you can find, show, modify, and delete that reference. This example shows you how to manage a reference to an external IdP named keycloak-server1.
Prerequisites
- You can authenticate as the IdM admin account.
- You have created a reference to an external IdP in IdM. See Creating a reference to an external identity provider.
Procedure
Authenticate as the IdM admin on an IdM server.
[root@server ~]# kinit adminManage the IdP reference.
To find an IdP reference whose entry includes the string
keycloak:[root@server ~]# ipa idp-find keycloakTo display an IdP reference named
my-keycloak-idp:[root@server ~]# ipa idp-show my-keycloak-idpTo modify an IdP reference, use the
ipa idp-modcommand. For example, to change the secret for an IdP reference namedmy-keycloak-idp, specify the--secretoption to be prompted for the secret:[root@server ~]# ipa idp-mod my-keycloak-idp --secretTo delete an IdP reference named
my-keycloak-idp:[root@server ~]# ipa idp-del my-keycloak-idp
50.7. Enabling an IdM user to authenticate via an external IdP
To enable an IdM user to authenticate via an external identity provider (IdP), associate the external IdP reference you have previously created with the user account. This example associates the external IdP reference keycloak-server1 with the user idm-user-with-external-idp.
Prerequisites
- You have created a reference to an external IdP in IdM. See Creating a reference to an external identity provider.
Procedure
Modify the IdM user entry to associate an IdP reference with the user account:
[root@server ~]# ipa user-mod idm-user-with-external-idp \ --idp my-keycloak-idp \ --idp-user-id idm-user-with-external-idp@idm.example.com \ --user-auth-type=idp --------------------------------- Modified user "idm-user-with-external-idp" --------------------------------- User login: idm-user-with-external-idp First name: Test Last name: User1 Home directory: /home/idm-user-with-external-idp Login shell: /bin/sh Principal name: idm-user-with-external-idp@idm.example.com Principal alias: idm-user-with-external-idp@idm.example.com Email address: idm-user-with-external-idp@idm.example.com UID: 35000003 GID: 35000003 User authentication types: idp External IdP configuration: keycloak External IdP user identifier: idm-user-with-external-idp@idm.example.com Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False
Verification
Verify that the output of the
ipa user-showcommand for that user displays references to the IdP:[root@server ~]# ipa user-show idm-user-with-external-idp User login: idm-user-with-external-idp First name: Test Last name: User1 Home directory: /home/idm-user-with-external-idp Login shell: /bin/sh Principal name: idm-user-with-external-idp@idm.example.com Principal alias: idm-user-with-external-idp@idm.example.com Email address: idm-user-with-external-idp@idm.example.com ID: 35000003 GID: 35000003 User authentication types: idp External IdP configuration: keycloak External IdP user identifier: idm-user-with-external-idp@idm.example.com Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False
50.8. Retrieving an IdM ticket-granting ticket as an external IdP user
If you have delegated authentication for an Identity Management (IdM) user to an external identity provider (IdP), the IdM user can request a Kerberos ticket-granting ticket (TGT) by authenticating to the external IdP.
Complete this procedure to:
- Retrieve and store an anonymous Kerberos ticket locally.
-
Request the TGT for the idm-user-with-external-idp user by using
kinitwith the-Toption to enable Flexible Authentication via Secure Tunneling (FAST) channel to provide a secure connection between the Kerberos client and Kerberos Distribution Center (KDC).
Prerequisites
- You have created a reference to an external IdP in IdM. See Creating a reference to an external identity provider.
- You have associated an external IdP reference with the user account. See Enabling an IdM user to authenticate via an external IdP.
- The user that you are initially logged in as has write permissions on a directory in the local filesystem.
Procedure
Use Anonymous PKINIT to obtain a Kerberos ticket and store it in a file named
./fast.ccache.$ kinit -n -c ./fast.ccacheOptional: View the retrieved ticket:
$ klist -c fast.ccache Ticket cache: FILE:fast.ccache Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS Valid starting Expires Service principal 03/03/2024 13:36:37 03/04/2024 13:14:28 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COMBegin authenticating as the IdM user, using the
-Toption to enable the FAST communication channel.[root@client ~]# kinit -T ./fast.ccache idm-user-with-external-idp Authenticate at https://oauth2.idp.com:8443/auth/realms/master/device?user_code=YHMQ-XKTL and press ENTER.:- In a browser, authenticate as the user at the website provided in the command output.
- At the command line, press the Enter key to finish the authentication process.
Verification
Display your Kerberos ticket information and confirm that the line
config: pa_typeshows152for pre-authentication with an external IdP.[root@client ~]# klist -C Ticket cache: KCM:0:58420 Default principal: idm-user-with-external-idp@IDM.EXAMPLE.COM Valid starting Expires Service principal 05/09/22 07:48:23 05/10/22 07:03:07 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes 08/17/2022 20:22:45 08/18/2022 20:22:43 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 152The
pa_type = 152indicates external IdP authentication.
50.9. Logging in to an IdM client via SSH as an external IdP user
To log in to an IdM client by using SSH as an external identity provider (IdP) user, begin the login process on the command line. When prompted, authenticate at the website associated with the IdP, and finish the process at the Identity Management (IdM) client.
Prerequisites
- You have created a reference to an external IdP in IdM. See Creating a reference to an external identity provider.
- You have associated an external IdP reference with the user account. See Enabling an IdM user to authenticate via an external IdP.
Procedure
Attempt to log in to the IdM client via SSH.
[user@client ~]$ ssh idm-user-with-external-idp@client.idm.example.com (idm-user-with-external-idp@client.idm.example.com) Authenticate at https://oauth2.idp.com:8443/auth/realms/main/device?user_code=XYFL-ROYR and press ENTER.- In a browser, authenticate as the user at the website provided in the command output.
- At the command line, press the Enter key to finish the authentication process.
Verification
Display your Kerberos ticket information and confirm that the line
config: pa_typeshows152for pre-authentication with an external IdP.[idm-user-with-external-idp@client ~]$ klist -C Ticket cache: KCM:0:58420 Default principal: idm-user-with-external-idp@IDM.EXAMPLE.COM Valid starting Expires Service principal 05/09/22 07:48:23 05/10/22 07:03:07 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes 08/17/2022 20:22:45 08/18/2022 20:22:43 krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 152
50.10. The --provider option in the ipa idp-* commands
The following identity providers (IdPs) support OAuth 2.0 device authorization grant flow:
- Microsoft Identity Platform, including Azure AD
- GitHub
- Keycloak, including Red Hat Single Sign-On (SSO)
- Okta
When using the ipa idp-add command to create a reference to one of these external IdPs, you can specify the IdP type with the --provider option, which expands into additional options as described below:
--provider=microsoftMicrosoft Azure IdPs allow parametrization based on the Azure tenant ID, which you can specify with the
--organizationoption to theipa idp-addcommand. If you need support for the live.com IdP, specify the option--organization common.Choosing
--provider=microsoftexpands to use the following options. The value of the--organizationoption replaces the string${ipaidporg}in the table.Expand Option Value --auth-uri=URIhttps://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/authorize--dev-auth-uri=URIhttps://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/devicecode--token-uri=URIhttps://login.microsoftonline.com/${ipaidporg}/oauth2/v2.0/token--userinfo-uri=URIhttps://graph.microsoft.com/oidc/userinfo--keys-uri=URIhttps://login.microsoftonline.com/common/discovery/v2.0/keys--scope=STRopenid email--idp-user-id=STRemail--provider=googleChoosing
--provider=googleexpands to use the following options:Expand Option Value --auth-uri=URIhttps://accounts.google.com/o/oauth2/auth--dev-auth-uri=URIhttps://oauth2.googleapis.com/device/code--token-uri=URIhttps://oauth2.googleapis.com/token--userinfo-uri=URIhttps://openidconnect.googleapis.com/v1/userinfo--keys-uri=URIhttps://www.googleapis.com/oauth2/v3/certs--scope=STRopenid email--idp-user-id=STRemail--provider=githubChoosing
--provider=githubexpands to use the following options:Expand Option Value --auth-uri=URIhttps://github.com/login/oauth/authorize--dev-auth-uri=URIhttps://github.com/login/device/code--token-uri=URIhttps://github.com/login/oauth/access_token--userinfo-uri=URIhttps://openidconnect.googleapis.com/v1/userinfo--keys-uri=URIhttps://api.github.com/user--scope=STRuser--idp-user-id=STRlogin--provider=keycloakWith Keycloak, you can define multiple realms or organizations. Since it is often a part of a custom deployment, both base URL and realm ID are required, and you can specify them with the
--base-urland--organizationoptions to theipa idp-addcommand:[root@client ~]# ipa idp-add MySSO --provider keycloak \ --org main --base-url keycloak.domain.com:8443/auth \ --client-id <your-client-id>Choosing
--provider=keycloakexpands to use the following options. The value you specify in the--base-urloption replaces the string${ipaidpbaseurl}in the table, and the value you specify for the--organization `option replaces the string `${ipaidporg}.Expand Option Value --auth-uri=URIhttps://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth--dev-auth-uri=URIhttps://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/auth/device--token-uri=URIhttps://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/token--userinfo-uri=URIhttps://${ipaidpbaseurl}/realms/${ipaidporg}/protocol/openid-connect/userinfo--scope=STRopenid email--idp-user-id=STRemail--provider=oktaAfter registering a new organization in Okta, a new base URL is associated with it. You can specify this base URL with the
--base-urloption to theipa idp-addcommand:[root@client ~]# ipa idp-add MyOkta --provider okta --base-url dev-12345.okta.com --client-id <your-client-id>Choosing
--provider=oktaexpands to use the following options. The value you specify for the--base-urloption replaces the string${ipaidpbaseurl}in the table.Expand Option Value --auth-uri=URIhttps://${ipaidpbaseurl}/oauth2/v1/authorize--dev-auth-uri=URIhttps://${ipaidpbaseurl}/oauth2/v1/device/authorize--token-uri=URIhttps://${ipaidpbaseurl}/oauth2/v1/token--userinfo-uri=URIhttps://${ipaidpbaseurl}/oauth2/v1/userinfo--scope=STRopenid email--idp-user-id=STRemail
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}