Chapter 1. About Identity Provider Integration


The identity provider integration feature allows you to integrate an identity provider of your choice so that users sign in to Red Hat services and applications with their company login credentials, using sso.redhat.com for authentication. The Organization Administrator for your organization can create, update, and delete identity providers associated with their account.

Additional user access services for role-based access control (RBAC) provide user access authorization that allows access to other resources within the Red Hat account. For more information about user access services, see User Access Configuration Guide for Role-Based Access Control.

With identity provider integration, you can configure one identity provider (IdP) as the authenticator and a second IdP to rely on that authentication to allow users to log in. In other words, you rely on an IdP such as Microsoft Entra ID to authenticate your users. When the user is authenticated by Microsoft Entra ID, Red Hat SSO, which is also an IdP, accepts the authentication and allows the user to complete the login process and access their Red Hat account. Instead of configuring user credentials many times across many systems, you configure your Red Hat account to accept the Microsoft Entra ID IdP authentication as being valid.

After the IdP services are integrated, users only need to use one set of credentials to access their Red Hat account. These credentials are the username and password of their customer identity provider or SSO.

1.1. Limitations of the Red Hat identity provider integration

When you integrate your identity provider (IdP) or single sign-on (SSO) with the Red Hat single sign-on system, any user who cannot authenticate with your SSO also cannot authenticate to any Red Hat service with a web-based authentication flow. This includes frequently used services such as Red Hat Customer Portal, Red Hat Hybrid Cloud Console, Red Hat Training, and more.

A limited number of Red Hat services do not use web-based authentication; these services are not compatible with federated single sign-on. This means you can revoke a user’s corporate customer IdP credentials, but they can still use their Red Hat account username and password to authenticate to Red Hat services that bypass web-based authentication.

To remove access to all Red Hat services, the Organization Administrator must use the user management tool to deactivate a Red Hat user account. A deactivated account can no longer be used to access any Red Hat service.

Users must be created through currently supported methods to take advantage of company single sign-on integration. Company single sign-on integration does not support auto-registration of users.

Users without accounts in the customer IdP will not be able to authenticate. For example, this can affect vendor relationships where today the vendor user has a Red Hat login within the customer’s Red Hat company account. Once company single sign-on is enabled, if the customer is not willing or able to allow the vendor user to have an account in the customer IdP, the vendor user will no longer be able to log in.
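
The two gaps described above (an active Red Hat account whose corporate IdP credentials were revoked, and a Red Hat user with no account in the customer IdP) can be found by reconciling the two user lists. The following is an added example, not part of the Red Hat documentation; the export formats, column names, and matching on email address are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a Red Hat or IdP format.
IDP_EXPORT = """email,enabled
alice@example.com,true
bob@example.com,false
"""
RH_EXPORT = """login,email,status
alice-rh,alice@example.com,active
bob-rh,bob@example.com,active
vendor-rh,carol@vendor.example,active
dave-rh,dave@example.com,inactive
"""

def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(idp_rows, rh_rows):
    """Compare active Red Hat users against the customer IdP user list.

    residual_access: IdP account disabled, Red Hat account still active, so the
        Red Hat username and password still work on services that bypass
        web-based authentication until the account is deactivated.
    no_idp_account: no IdP account at all (for example a vendor user), so
        web-based login stops working once company single sign-on is enabled.
    """
    idp = {r["email"].strip().lower(): r["enabled"].strip().lower() == "true"
           for r in idp_rows}
    findings = {"residual_access": [], "no_idp_account": []}
    for r in rh_rows:
        if r["status"].strip().lower() != "active":
            continue  # a deactivated Red Hat account cannot access any service
        email = r["email"].strip().lower()
        if email not in idp:
            findings["no_idp_account"].append(r["login"])
        elif not idp[email]:
            findings["residual_access"].append(r["login"])
    return findings

if __name__ == "__main__":
    for kind, logins in reconcile(load(IDP_EXPORT), load(RH_EXPORT)).items():
        print(kind, logins)
```

Logins listed under `residual_access` are candidates for deactivation in the user management tool; those under `no_idp_account` need a decision before company single sign-on is enabled.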

Identity provider integration is supported on the following Red Hat account types:

  • A Red Hat Corporate account type. Personal account types are not supported.
  • Accounts with an active, non-evaluation subscription.
  • Approved Red Hat partner accounts.

© 2024 Red Hat, Inc.