Red Hat SummitChapter 11. Configuring Single Sign-On for logging in to the RHEL web console service running on an IdM client and an IdM server
Using Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the RHEL 9 web console has the following advantages:
- Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
- Users with a certificate issued by the IdM certificate authority (CA) do not need to provide login credentials to access the web console. The web console server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers. Certificate configuration is not necessary.
- IdM domain administrators can use the RHEL 9 web console to manage the systems in the domain. With the proper permissions configured, IdM administrators can use their web console client, that is their browser, to run any command on any IdM host.
This chapter describes:
- How to configure SSO for logging in to the RHEL web console service running on an IdM client.
- How to configure SSO for logging in to the RHEL web console service running on an IdM server.
-
How to configure
sudoaccess to IdM hosts for an IdM system administrator logged in to a web console client.
Prerequisites
The RHEL web console service is installed on a RHEL 9 system.
For details, see Installing the web console.
The IdM client is installed on the system where the RHEL web console service is running.
For details, see IdM client installation.
11.1. Joining a RHEL 9 system to an IdM domain using the web console
You can use the web console to join a Red Hat Enterprise Linux 9 system to the Identity Management (IdM) domain.
Prerequisites
- The IdM domain is running and reachable from the client you want to join.
- You have the IdM domain administrator credentials.
- You have installed the RHEL 9 web console.
- You have enabled the cockpit service.
Your user account is allowed to log in to the web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 9 web console.
For details, see Logging in to the web console.
- In the Configuration field of the Overview tab click Join Domain.
- In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
- In the Domain administrator name field, enter the user name of the IdM administration account.
- In the Domain administrator password, add a password.
- Click .
Verification
- If the RHEL 9 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
To verify that the user is a member of the domain, click the Terminal page and type the
idcommand:id
$ id euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Copy to Clipboard Copied! Toggle word wrap Toggle overflow
11.2. Logging in to the web console using Kerberos authentication
As an Identity Management (IdM) user, you can use Single Sign-On (SSO) authentication to automatically access the RHEL web console in your browser.
With SSO, you usually do not have any administrative privileges in the web console. This only works if you configure passwordless sudo. The web console does not interactively ask for a sudo password.
Prerequisites
The IdM domain is resolvable by DNS. For instance, the SRV records of the Kerberos server are resolvable:
host -t SRV _kerberos._udp.idm.example.com
$ host -t SRV _kerberos._udp.idm.example.com _kerberos._udp.idm.example.com has SRV record 0 100 88 dc.idm.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow If the system where you are running your browser is a RHEL 9 system and has been joined to the IdM domain, you are using the same DNS as the web console server and no DNS configuration is necessary.
- You have configured the web console server for SSO authentication.
- The host on which the web console service is running is an IdM client.
- You have configured the web console client for SSO authentication.
Procedure
Obtain your Kerberos ticket-granting ticket:
kinit idmuser@IDM.EXAMPLE.COM
$ kinit idmuser@IDM.EXAMPLE.COM Password for idmuser@IDM.EXAMPLE.COM:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Enter the fully qualified name of the host on which the web console service is running into your browser:
https://<dns_name>:9090
https://<dns_name>:9090Copy to Clipboard Copied! Toggle word wrap Toggle overflow At this point, you are successfully connected to the RHEL web console and you can start with configuration. For example, you can join a RHEL 9 system to the IdM domain in the web console.
11.3. Enabling the RHEL web console Single Sign-on with GSSAPI on IdM servers
The RHEL web console can use the Generic Security Services Application Program Interface (GSSAPI) authentication. However, the IdM framework already owns an HTTP/server.idm.example.com@IDM.EXAMPLE.COM Kerberos service and its keytab. Therefore, to implement GSSAPI authentication on Identity Management (IdM) servers, create a symlink /etc/cockpit/krb5.keytab to /var/lib/ipa/gssproxy/http.keytab and then generate a certificate-key pair.
Prerequisites
-
You have
rootprivileges. - You are using RHEL 9.6 or later.
Procedure
Create a symlink:
ln -s /var/lib/ipa/gssproxy/http.keytab /etc/cockpit/krb5.keytab
# ln -s /var/lib/ipa/gssproxy/http.keytab /etc/cockpit/krb5.keytabCopy to Clipboard Copied! Toggle word wrap Toggle overflow Set a certificate file Bash variable:
CERT_FILE=/etc/cockpit/ws-certs.d/50-certmonger.crt
# CERT_FILE=/etc/cockpit/ws-certs.d/50-certmonger.crtCopy to Clipboard Copied! Toggle word wrap Toggle overflow Set a certificate key Bash variable:
KEY_FILE=/etc/cockpit/ws-certs.d/50-certmonger.key
# KEY_FILE=/etc/cockpit/ws-certs.d/50-certmonger.keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Generate a certificate-key pair:
ipa-getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn)# ipa-getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn)Copy to Clipboard Copied! Toggle word wrap Toggle overflow
11.4. Enabling sudo access for IdM administrators on IdM hosts
You can configure Identity Management (IdM) system administrators to have sudo privileges on an IdM host.
Prerequisites
- You are logged in as an IdM administrator to an IdM host.
-
You have
rootprivileges on the host.
Procedure
Enable
sudoaccess on the host:ipa-advise enable-admins-sudo | sh -ex
# ipa-advise enable-admins-sudo | sh -exCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}