Chapter 11. Configuring Single Sign-On for logging in to the RHEL web console service running on an IdM client and an IdM server


Using Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the RHEL 9 web console has the following advantages:

  • Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
  • Users with a certificate issued by the IdM certificate authority (CA) do not need to provide login credentials to access the web console. The web console server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers. Certificate configuration is not necessary.
  • IdM domain administrators can use the RHEL 9 web console to manage the systems in the domain. With the proper permissions configured, IdM administrators can use their web console client, that is their browser, to run any command on any IdM host.

This chapter describes:

  • How to configure SSO for logging in to the RHEL web console service running on an IdM client.
  • How to configure SSO for logging in to the RHEL web console service running on an IdM server.
  • How to configure sudo access to IdM hosts for an IdM system administrator logged in to a web console client.

Prerequisites

You can use the web console to join a Red Hat Enterprise Linux 9 system to the Identity Management (IdM) domain.

Prerequisites

  • The IdM domain is running and reachable from the client you want to join.
  • You have the IdM domain administrator credentials.
  • You have installed the RHEL 9 web console.
  • You have enabled the cockpit service.
  • Your user account is allowed to log in to the web console.

    For instructions, see Installing and enabling the web console.

Procedure

  1. Log in to the RHEL 9 web console.

    For details, see Logging in to the web console.

  2. In the Configuration field of the Overview tab click Join Domain.
  3. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
  4. In the Domain administrator name field, enter the user name of the IdM administration account.
  5. In the Domain administrator password, add a password.
  6. Click Join.

Verification

  1. If the RHEL 9 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
  2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

    $ id
    euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Copy to Clipboard Toggle word wrap

As an Identity Management (IdM) user, you can use Single Sign-On (SSO) authentication to automatically access the RHEL web console in your browser.

Important

With SSO, you usually do not have any administrative privileges in the web console. This only works if you configure passwordless sudo. The web console does not interactively ask for a sudo password.

Prerequisites

  • The IdM domain is resolvable by DNS. For instance, the SRV records of the Kerberos server are resolvable:

    $ host -t SRV  _kerberos._udp.idm.example.com
    _kerberos._udp.idm.example.com has SRV record 0 100 88 dc.idm.example.com
    Copy to Clipboard Toggle word wrap

    If the system where you are running your browser is a RHEL 9 system and has been joined to the IdM domain, you are using the same DNS as the web console server and no DNS configuration is necessary.

  • You have configured the web console server for SSO authentication.
  • The host on which the web console service is running is an IdM client.
  • You have configured the web console client for SSO authentication.

Procedure

  1. Obtain your Kerberos ticket-granting ticket:

    $ kinit idmuser@IDM.EXAMPLE.COM
    Password for idmuser@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap
  2. Enter the fully qualified name of the host on which the web console service is running into your browser:

     https://<dns_name>:9090
    Copy to Clipboard Toggle word wrap

    At this point, you are successfully connected to the RHEL web console and you can start with configuration. For example, you can join a RHEL 9 system to the IdM domain in the web console.

The RHEL web console can use the Generic Security Services Application Program Interface (GSSAPI) authentication. However, the IdM framework already owns an HTTP/server.idm.example.com@IDM.EXAMPLE.COM Kerberos service and its keytab. Therefore, to implement GSSAPI authentication on Identity Management (IdM) servers, create a symlink /etc/cockpit/krb5.keytab to /var/lib/ipa/gssproxy/http.keytab and then generate a certificate-key pair.

Prerequisites

  • You have root privileges.
  • You are using RHEL 9.6 or later.

Procedure

  1. Create a symlink:

    # ln -s /var/lib/ipa/gssproxy/http.keytab /etc/cockpit/krb5.keytab
    Copy to Clipboard Toggle word wrap
  2. Set a certificate file Bash variable:

    # CERT_FILE=/etc/cockpit/ws-certs.d/50-certmonger.crt
    Copy to Clipboard Toggle word wrap
  3. Set a certificate key Bash variable:

    # KEY_FILE=/etc/cockpit/ws-certs.d/50-certmonger.key
    Copy to Clipboard Toggle word wrap
  4. Generate a certificate-key pair:

    # ipa-getcert request -f ${CERT_FILE} -k ${KEY_FILE} -D $(hostname --fqdn)
    Copy to Clipboard Toggle word wrap

You can configure Identity Management (IdM) system administrators to have sudo privileges on an IdM host.

Prerequisites

  • You are logged in as an IdM administrator to an IdM host.
  • You have root privileges on the host.

Procedure

  • Enable sudo access on the host:

    # ipa-advise enable-admins-sudo | sh -ex
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat