Chapter 122. Configuring Single Sign-On for the RHEL 8 web console in the IdM domain
Using Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the RHEL 8 web console has the following advantages:
- Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
- Users with a certificate issued by the IdM certificate authority (CA) do not need to provide login credentials to access the web console. The web console server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers. Certificate configuration is not necessary.
Configuring SSO for logging in to the RHEL web console requires you to:
- Add machines to the IdM domain using the RHEL 8 web console.
- If you want to use Kerberos for authentication, you must obtain a Kerberos ticket on your machine.
- Allow administrators on the IdM server to run any command on any host.
Prerequisites
- The RHEL web console service is installed on a RHEL 8 system. For details, see Installing the web console.
- The IdM client is installed on the system where the RHEL web console service is running. For details, see IdM client installation.
122.1. Logging in to the web console using Kerberos authentication
As an Identity Management (IdM) user, you can use Single Sign-On (SSO) authentication to automatically access the RHEL web console in your browser.
With SSO, you usually do not have administrative privileges in the web console. You get them only if you configure passwordless sudo for the user, because the web console does not interactively ask for a sudo password.
Prerequisites
- The IdM domain is resolvable by DNS. For instance, the SRV records of the Kerberos server are resolvable:
$ host -t SRV _kerberos._udp.idm.example.com
_kerberos._udp.idm.example.com has SRV record 0 100 88 dc.idm.example.com
If the system where you are running your browser is a RHEL 8 system and has been joined to the IdM domain, you are using the same DNS as the web console server and no DNS configuration is necessary.
- You have configured the web console server for SSO authentication.
- The host on which the web console service is running is an IdM client.
- You have configured the web console client for SSO authentication.
Procedure
- Obtain your Kerberos ticket-granting ticket:
$ kinit idmuser@IDM.EXAMPLE.COM
Password for idmuser@IDM.EXAMPLE.COM:
- Enter the fully qualified name of the host on which the web console service is running into your browser:
https://<dns_name>:9090
At this point, you are successfully connected to the RHEL web console and you can start with configuration. For example, you can join a RHEL 8 system to the IdM domain in the web console.
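A preflight check for the prerequisites and steps above, added here as an example and not part of the Red Hat documentation: it parses the SRV answer for the KDC, confirms the current Kerberos ticket belongs to the expected realm, and verifies that the web console on port 9090 presents a certificate that chains to the IdM CA. The domain, realm, console host name and the /etc/ipa/ca.crt path are assumptions for an IdM client.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Assumed values below.
IDM_DOMAIN="${IDM_DOMAIN:-idm.example.com}"
IDM_REALM="${IDM_REALM:-IDM.EXAMPLE.COM}"
CONSOLE_HOST="${CONSOLE_HOST:-$(hostname -f 2>/dev/null)}"
IDM_CA="${IDM_CA:-/etc/ipa/ca.crt}"   # assumed location of the IdM CA on a client

# Parse `host -t SRV` output and print "<kdc host> <port>" of the first record.
# Input form: "_kerberos._udp.<domain> has SRV record <prio> <weight> <port> <target>"
parse_srv_kdc() {
    printf '%s\n' "$1" | awk '
        /has SRV record/ { sub(/\.$/, "", $NF); print $NF, $(NF-1); found = 1; exit }
        END { exit !found }'
}

# Return 0 when a principal (user@REALM) belongs to the expected realm.
principal_in_realm() {
    case "$1" in
        *@"$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# Live checks against DNS, the credential cache and the console's TLS listener.
run_checks() {
    srv_out=$(host -t SRV "_kerberos._udp.$IDM_DOMAIN" 2>/dev/null) \
        || { echo "FAIL: no SRV record for _kerberos._udp.$IDM_DOMAIN"; return 1; }
    kdc=$(parse_srv_kdc "$srv_out") || { echo "FAIL: unexpected SRV output"; return 1; }
    echo "OK: KDC $kdc"
    # klist -s exits non-zero when there is no valid (unexpired) ticket
    klist -s 2>/dev/null || { echo "FAIL: no valid ticket; run: kinit <user>@$IDM_REALM"; return 1; }
    princ=$(klist 2>/dev/null | awk '/Default principal:/ { print $3 }')
    principal_in_realm "$princ" "$IDM_REALM" \
        || { echo "FAIL: ticket is for $princ, not realm $IDM_REALM"; return 1; }
    echo "OK: ticket for $princ"
    # The console should present a certificate issued by the IdM CA (see chapter intro)
    if printf '' | openssl s_client -connect "$CONSOLE_HOST:9090" -CAfile "$IDM_CA" \
            -verify_return_error >/dev/null 2>&1; then
        echo "OK: https://$CONSOLE_HOST:9090 verifies against $IDM_CA"
    else
        echo "WARN: certificate on $CONSOLE_HOST:9090 does not verify against $IDM_CA"
    fi
}

# Only run the live checks when invoked with --check, so the file can also be sourced.
case "${1:-}" in --check) run_checks ;; esac
```

Run it as `sh preflight.sh --check` on the machine whose browser will open the web console.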
122.2. Joining a RHEL 8 system to an IdM domain using the web console
You can use the web console to join a Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.
Prerequisites
- The IdM domain is running and reachable from the client you want to join.
- You have the IdM domain administrator credentials.
- You have installed the RHEL 8 web console.
- You have enabled the cockpit service.
- Your user account is allowed to log in to the web console. For instructions, see Installing and enabling the web console.
Procedure
- Log in to the RHEL 8 web console. For details, see Logging in to the web console.
- In the Configuration field of the Overview tab click Join Domain.
- In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
- In the Domain administrator name field, enter the user name of the IdM administration account.
- In the Domain administrator password field, enter the password of that account.
- Click .
Verification
- If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
- To verify that the user is a member of the domain, click the Terminal page and type the id command:
$ id
euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023