Chapter 121. Configuring Single Sign-On for the RHEL 8 web console in the IdM domain
You can use Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the RHEL 8 web console to leverage the following advantages:
- IdM domain administrators can use the RHEL 8 web console to manage local machines.
- Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
- All hosts known to the IdM domain are accessible via SSH from the local instance of the RHEL 8 web console.
- Certificate configuration is not necessary. The console’s web server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers.
Configuring SSO for logging into the RHEL web console requires to:
- Add machines to the IdM domain using the RHEL 8 web console.
- If you want to use Kerberos for authentication, you must obtain a Kerberos ticket on your machine.
- Allow administrators on the IdM server to run any command on any host.
Prerequisites
The RHEL web console installed on RHEL 8 systems.
For details, see Installing the web console.
IdM client installed on systems with the RHEL web console.
For details, see IdM client installation.
121.1. Joining a RHEL 8 system to an IdM domain using the web console
You can use the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.
Prerequisites
- The IdM domain is running and reachable from the client you want to join.
- You have the IdM domain administrator credentials.
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
- In the Configuration field of the Overview tab click Join Domain.
- In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
- In the Domain administrator name field, enter the user name of the IdM administration account.
- In the Domain administrator password, add a password.
- Click .
Verification
- If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
To verify that the user is a member of the domain, click the Terminal page and type the
idcommand:$ id euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Additional resources
121.2. Logging in to the web console using Kerberos authentication
Configure the RHEL 8 system to use Kerberos authentication.
With SSO, you usually do not have any administrative privileges in the web console. This only works if you configure passwordless sudo. The web console does not interactively ask for a sudo password.
Prerequisites
IdM domain running and reachable in your company environment.
For details, see Joining a RHEL 8 system to an IdM domain using the web console.
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
-
If the system does not use a Kerberos ticket managed by the SSSD client, request the ticket with the
kinitutility manually.
Procedure
Log in to the RHEL web console by entering the following URL in your web browser:
https://<dns_name>:9090
At this point, you are successfully connected to the RHEL web console and you can start with configuration.
