Chapter 121. Configuring Single Sign-On for the RHEL 8 web console in the IdM domain


Learn how to use Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the RHEL 8 web console.


  • IdM domain administrators can use the RHEL 8 web console to manage local machines.
  • Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
  • All hosts known to the IdM domain are accessible via SSH from the local instance of the RHEL 8 web console.
  • Certificate configuration is not necessary. The console’s web server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers.

This chapter covers the following steps to configure SSO for logging into the RHEL web console:

  1. Add machines to the IdM domain using the RHEL 8 web console.

    For details, see Joining a RHEL 8 system to an IdM domain using the web console.

  2. If you want to use Kerberos for authentication, you need to obtain a Kerberos ticket on your machine.

    For details, see Logging in to the web console using Kerberos authentication.

  3. Allow administrators on the IdM server to run any command on any host.

    For details, see Enabling admin sudo access to domain administrators on the IdM server.


121.1. Joining a RHEL 8 system to an IdM domain using the web console

You can use the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.


Prerequisites

  • The IdM domain is running and reachable from the client you want to join.
  • You have the IdM domain administrator credentials.


Procedure

  1. Log in to the RHEL web console.

    For details, see Logging in to the web console.

  2. In the Configuration field of the Overview tab, click Join Domain.
  3. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
  4. In the Domain administrator name field, enter the user name of the IdM administration account.
  5. In the Domain administrator password field, enter the password.
  6. Click Join.

Verification steps

  1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
  2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

    $ id
    euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

121.2. Logging in to the web console using Kerberos authentication

Configure the RHEL 8 system to use Kerberos authentication.


With SSO, you usually do not have any administrative privileges in the web console. Administrative access works only if you have configured passwordless sudo, because the web console does not interactively ask for a sudo password.


Prerequisites

  • The IdM domain is running and reachable in your company environment.

    For details, see Joining a RHEL 8 system to an IdM domain using the web console.

  • The cockpit.socket service is enabled on the remote systems that you want to connect to and manage with the RHEL web console.

    For details, see Installing the web console.

  • If the system does not use a Kerberos ticket managed by the SSSD client, try to request the ticket with the kinit utility manually.


Procedure

Log in to the RHEL web console with the following address: https://dns_name:9090.

At this point, you are successfully connected to the RHEL web console and you can start with configuration.

[Screenshot: the System page of the web console, with the navigation menu on the left (System, Logs, Storage, Networking, Accounts, Services, Applications, Diagnostic Reports, Kernel Dump, SELinux), system details, and graphs of CPU, memory and swap, and disk I/O usage over time.]
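The prerequisites and the sudo note in this section can be checked from a shell before you open the browser. The following script is an added example, not part of the Red Hat procedure; the helper names (check_*, report, sso_preflight), the file name and the workstation/host split are assumptions of this example. A missing passwordless sudo is reported as a warning only, because SSO login still works without it.

```shell
#!/bin/sh
# Added example: pre-flight checks for web console SSO in an IdM domain.
# Usage (hypothetical file name): sh sso-preflight.sh workstation|host
#   workstation = machine where the browser runs
#   host        = RHEL system managed through the web console

# klist -s prints nothing and exits non-zero when the credential cache
# is missing or the ticket has expired.
check_ticket() { klist -s; }

# The web console is started on demand through the cockpit.socket unit.
check_socket() { systemctl is-enabled cockpit.socket; }

# sudo -n fails instead of prompting, which matches the web console:
# it never asks for a sudo password interactively.
check_sudo() { sudo -n true; }

# report <required|advisory> <label> <command...>
report() {
    kind=$1 label=$2; shift 2
    if "$@" >/dev/null 2>&1; then
        echo "ok    $label"
    elif [ "$kind" = required ]; then
        echo "FAIL  $label"; failures=$((failures + 1))
    else
        echo "warn  $label"
    fi
}

# Prints one line per check; returns the number of required checks that failed.
sso_preflight() {
    failures=0
    case "${1:-}" in
        workstation)
            report required "valid Kerberos ticket (otherwise run kinit)" check_ticket ;;
        host)
            report required "cockpit.socket enabled" check_socket
            report advisory "passwordless sudo (needed for administrative actions)" check_sudo ;;
        *)
            echo "usage: sso_preflight workstation|host" >&2; return 2 ;;
    esac
    return "$failures"
}

# Run only when a role is given on the command line.
if [ -n "${1:-}" ]; then
    sso_preflight "$1"
fi
```
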

121.3. Enabling admin sudo access to domain administrators on the IdM server

You can allow domain administrators to use any command on any host in the Identity Management (IdM) domain by using the RHEL web console.

To accomplish this, enable sudo access for the admins user group, which is created automatically during the IdM server installation. All users added to the admins group gain sudo access once you run the ipa-advise script for the group.


Prerequisites

  • The server runs IdM 4.7.1 or later.


Procedure

  1. Connect to the IdM server.
  2. Run the ipa-advise script:

    $ ipa-advise enable-admins-sudo | sh -ex

If the console does not display an error, the admins group has sudo permissions on all machines in the IdM domain.
