Chapter 10. Configuring Single Sign-On for the RHEL 10 web console in the IdM domain
You can integrate the RHEL web console with your Identity Management (IdM) domain to set up Single Sign-On (SSO). Grant your IdM users single-login access using their existing Kerberos credentials, which means users authenticate once and do not need to re-enter credentials to access the web console.
10.1. Prerequisites
- You have installed the RHEL 10 web console. For instructions, see Installing and enabling the web console.
- The IdM client is installed on the systems that run the RHEL web console. For details, see IdM client installation.
10.2. IdM and RHEL web console integration
Integrating the RHEL web console with an Identity Management (IdM) domain leverages Kerberos-based authentication to provide Single Sign-On (SSO) capabilities.
You can use SSO authentication to leverage the following advantages:
- IdM domain administrators can use the RHEL 10 web console to manage local machines.
- Users with a Kerberos ticket in the IdM domain do not need to provide additional login credentials to access the web console.
- All hosts known to the IdM domain are accessible via SSH from the local instance of the RHEL web console.
- The web console server automatically switches to a certificate issued by the IdM certificate authority. This certificate is accepted by browsers and eliminates the need for manual certificate configuration.
Configuring SSO for logging in to the RHEL web console requires you to:
- Add machines to the IdM domain using the RHEL 10 web console.
- If you want to use Kerberos for authentication, you must obtain a Kerberos ticket on your machine.
- Allow administrators on the IdM server to use any command on any host.
10.3. Joining a RHEL system to an IdM domain using the web console
You can join a RHEL system to an IdM domain directly in the RHEL web console. This integrates the system into the centralized identity management environment, enabling IdM users to log in.
Prerequisites
- The IdM domain is running and reachable from the client you want to join.
- You have the IdM domain administrator credentials.
- You have installed the RHEL 10 web console. For instructions, see Installing and enabling the web console.
Procedure
- Log in to the RHEL 10 web console.
- In the Configuration field of the Overview tab, click Join Domain.
- In the Join a Domain dialog box, enter the hostname of the IdM server in the Domain Address field.
- In the Domain administrator name field, enter the username of the IdM administration account.
- In the Domain administrator password field, enter the password of that account.
- Click .
Verification
- If the RHEL 10 web console does not display an error, the system has joined the IdM domain and you can see the domain name in the System screen.
- To verify that the user is a member of the domain, click the Terminal page and type the id command:
$ id
euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
10.4. Logging in to the web console using Kerberos authentication
You can log in to the RHEL web console by using Kerberos authentication. If you already have a valid Kerberos ticket from your IdM domain, you can access the console without re-entering your password.
With SSO, you usually do not have administrative privileges in the web console. Administrative access over SSO works only if you configure passwordless sudo, because the web console does not prompt for a sudo password interactively.
Prerequisites
- The IdM domain is running and reachable in your company environment. For details, see Joining a RHEL system to an IdM domain using the web console.
- You have installed the RHEL 10 web console. For instructions, see Installing and enabling the web console.
- If the system does not use a Kerberos ticket managed by the SSSD client, request the ticket manually with the kinit utility.
Procedure
- Log in to the RHEL web console by entering the following URL in your web browser:
https://<dns_name>:9090
10.5. Enabling the RHEL web console Single Sign-on with GSSAPI on IdM servers
The RHEL web console can use the Generic Security Services Application Program Interface (GSSAPI) authentication. However, the IdM framework already owns an HTTP/<server_hostname>@<realm-name> Kerberos service and its keytab. Therefore, to implement GSSAPI authentication on Identity Management (IdM) servers, create a symlink /etc/cockpit/krb5.keytab to /var/lib/ipa/gssproxy/http.keytab and then generate a certificate-key pair.
Prerequisites
- You have root privileges.
Procedure
- Create a symlink:
# ln -s /var/lib/ipa/gssproxy/http.keytab /etc/cockpit/krb5.keytab
- Set a certificate file Bash variable:
# CERT_FILE=/etc/cockpit/ws-certs.d/50-certmonger.crt
- Set a certificate key Bash variable:
# KEY_FILE=/etc/cockpit/ws-certs.d/50-certmonger.key
- Generate a certificate-key pair:
# ipa-getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn)
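The steps above can be wrapped so that re-running them is safe: the following script is an added example, not part of the Red Hat documentation, that creates the keytab symlink only when it is absent, refuses to replace an existing link that points somewhere other than the IdM HTTP keytab, and skips the certmonger request when a request for the certificate file is already tracked (the tracking check uses ipa-getcert list -f). The paths are the ones the procedure uses; the --apply argument is this script's own convention.

```shell
#!/bin/sh
# Added example (not Red Hat's script): runs the symlink and certmonger steps
# from the procedure idempotently; paths are the ones the procedure uses.
set -eu
IPA_HTTP_KEYTAB=/var/lib/ipa/gssproxy/http.keytab
COCKPIT_KEYTAB=/etc/cockpit/krb5.keytab
CERT_FILE=/etc/cockpit/ws-certs.d/50-certmonger.crt
KEY_FILE=/etc/cockpit/ws-certs.d/50-certmonger.key

# ensure_symlink TARGET LINK: create LINK -> TARGET, or accept an existing link
# that already points at TARGET. Any other file or link at LINK is left as it
# is and reported, so a stale or unexpected keytab link is never silently kept.
ensure_symlink() {
    target=$1
    link=$2
    if [ -L "$link" ]; then
        current=$(readlink "$link")
        [ "$current" = "$target" ] && return 0
        echo "error: $link -> $current, expected $target" >&2
        return 1
    fi
    if [ -e "$link" ]; then
        echo "error: $link exists and is not a symlink" >&2
        return 1
    fi
    ln -s "$target" "$link"
}

# cert_tracked FILE: true if certmonger already tracks a request for FILE,
# so a second run does not submit a duplicate request.
cert_tracked() {
    ipa-getcert list -f "$1" 2>/dev/null | grep -q 'Request ID'
}

setup_cockpit_gssapi() {
    if [ ! -r "$IPA_HTTP_KEYTAB" ]; then
        echo "error: $IPA_HTTP_KEYTAB is missing; run this on an IdM server" >&2
        return 1
    fi
    ensure_symlink "$IPA_HTTP_KEYTAB" "$COCKPIT_KEYTAB"
    if cert_tracked "$CERT_FILE"; then
        echo "certmonger already tracks $CERT_FILE; not requesting again"
    else
        ipa-getcert request -f "$CERT_FILE" -k "$KEY_FILE" -D "$(hostname --fqdn)"
    fi
}

# Only modify the system when asked, so the file can be sourced for its functions.
case "${1:-}" in --apply) setup_cockpit_gssapi ;; esac
```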
10.6. Enabling sudo access for IdM administrators on IdM hosts
To enable administrative tasks through the RHEL web console, grant IdM system administrators appropriate sudo privileges.
Prerequisites
- You are logged in as an IdM administrator to an IdM host.
- You have root privileges on the host.
Procedure
- Enable sudo access on the host:
# ipa-advise enable-admins-sudo | sh -ex