Chapter 2. Configuring Identity Provider Integration


As the Organization Administrator, you can set up and configure identity provider integration for your organization. Identity provider integration is a component of the Identity and Access Management services provided by Red Hat Hybrid Cloud Console.

Identity Provider Integration establishes your corporate SSO solution as a valid identity provider for the Red Hat single sign-on system. IdP integration supports Open ID Connect (OIDC) and Security Assertion Markup Language (SAML) authentication.

When you make changes to your identity provider integration, users in your organization will need to re-link their user accounts in the following situations:

  • When an existing IdP is deleted and a new one is configured and enabled.
  • When the identifier for your IdP changes. A common cause of this is if your company changes SSO or IdP vendors.

    • For SAML configurations, this is the nameid attribute.
    • For OIDC configurations, this is the sub claim.
  • When a user leaves and returns to your organization. The user can replace a preexisting link with a new link when they see the login message "One-time account linking required."

You can set up and configure your Red Hat account to be recognized as a valid client of a third-party identity provider (IdP). Identity provider integration supports SAML and OIDC.

Prerequisites

Procedure

  1. Log in to Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
  2. From the home page after you log in, click ⚙ (Settings).
  3. Click Authentication Policy.
  4. When the Authentication Policy window appears, click Identity Provider Integration.
  5. Click Set up an identity provider and choose an authentication protocol for your identity provider.

    Tip

    You can navigate directly to Identity Provider Integration.

  6. Select SAML 2.0 or OpenID Connect and continue the configuration.

You must provide certain information about your identity provider when you use Security Assertion Markup Language (SAML) authentication. Gather this information before you begin IdP integration for SAML.

Identity provider integration for SAML requires an x509 certificate. This certificate is a Base64-encoded Privacy-Enhanced Mail (PEM) file that is used to check signatures. The identity provider integration provided by Red Hat uses the x509 certificate to verify the assertion signature. Response and assertion encryption is not currently enforced; however, a valid x509 certificate allows decryption of the responses and assertions.

The following information is required to complete IdP integration:

  • SAML metadata. The SAML metadata can be imported from an XML-format file or it can be manually entered. When you import the SAML XML metadata file, the x509 certificate is automatically parsed. File import is recommended.
  • Identity provider Entity ID (EID). The EID attribute is in your SAML metadata configuration.
  • Single sign-on authentication request URL. The authentication request URL sends the SAML authentication requests. The authentication request URL is also known as the "Login URL." Users are redirected from the Red Hat site to your Login URL to authenticate with your company’s single sign-on system.
Note

Microsoft Entra ID adds spn: to the beginning of any non-URL value in the service provider issuer field. This field might also be referred to as a client, application, or a Service Provider Entity ID. Make sure the Entra ID value and the IdP configuration values match.

Note

Okta Single Sign On identifies the service provider issuer field as Audience Description. Look for that value in your Okta admin console and copy it into the service provider issuer field.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator and have started the IdP integration.
  • You have the following information available:

    • Identity provider Entity ID.
    • SSO sign-on authentication request URL.
    • Service provider issuer.
    • x509 certificate, if it is not imported.
    • Service provider metadata URL.
    • Redirect or ACS URL.

Procedure

  1. On the Identity Provider Integration page, click SAML 2.0.
  2. You can upload most of the information from a SAML metadata file in XML format. The following information is parsed from the SAML metadata file:

    • Identity provider Entity ID
    • Single sign-on authentication request URL
  3. Manually enter the service provider issuer information. This information must be provided by you. The service provider issuer is how the Red Hat single sign-on system will be identified in your IdP. It is also known as the "service provider Entity ID."

    Note

    Only alphanumeric characters are allowed in the service provider issuer information. Do not use spaces or non-alphanumeric characters.

  4. Under the URLs required for identity provider configuration, review the following values and verify that they are entered as required in your organization’s identity provider.

    • Service provider metadata URL
    • Redirect URL / Assertion Consumption Service (ACS) URL
  5. After you verify the information is complete for your identity provider integration, click Create SAML identity provider integration. A page appears that shows you the configuration information.

    Note

    If any information is missing or incorrect, update the form and resubmit.

  6. Click Test and enable to complete the identity provider integration. This opens a new window for you to enter your login ID and password.

    Note

    Make sure pop-ups are enabled in your browser.

  7. On a successful test, click the Enable button to enable for your organization. If you choose not to enable, you must retest.

You must provide information about your identity provider when you use OpenID Connect authentication. Gather this information before you begin IdP integration for OIDC. Refer to the system information for your identity provider client (for example, Microsoft Entra ID) for guidance on how to obtain the following:

  • Issuer information for your IdP. A URL for your IdP tokens.
  • Client ID. The IdP Client ID verifies user identities and provides the information to other services.
  • Client Secret. A client secret is a random string known only to the OAuth application and the authorization server.

The following characters are not allowed in the client secret. Inspect the client secret and create a new one if any disallowed character is in the secret.

\ $ ^ [ ] ' " > <
  • Authorization URL. The endpoint for the API provider authorization server, to retrieve the authorization code.
  • Token URL. The URL for the authentication server of the provider, to exchange an authorization code for an access token.
  • JWKS URL. The URL of JSON Web Key Set for your provider.

The following URL information is required to complete your IdP integration:

  • Service provider OpenID Configuration URL. The OpenID Connect configuration URL contains the configuration details for the sso.redhat.com OIDC setup.
  • Redirect URL. The service provider redirect URL, also known as a redirect URI or reply URL, is the endpoint where users are redirected after successfully authenticating with an identity provider.
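Most IdPs publish the issuer, authorization, token and JWKS URLs listed above in a standard OpenID Connect discovery document at `<issuer>/.well-known/openid-configuration`. The following script is an added example, not part of the Red Hat documentation or the console: it maps a discovery document onto the form fields, checks that the document's `issuer` matches the URL it was fetched from (OIDC Discovery requires this, and a mismatch means the document did not come from the IdP you think it did), checks that every endpoint is https and that ID tokens can be verified against the JWKS, and screens the client secret for the characters the console rejects. The discovery document, its `login.example.com` hostname and the field-to-key mapping are assumptions of this example.

```python
"""Added example: derive the OIDC form values from a discovery document and
pre-check them, plus the client-secret character screen."""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Characters the console rejects in a client secret (the list given above).
DISALLOWED_SECRET_CHARS = set('\\$^[]\'"><')

# Form field -> discovery-document key. These are the standard OIDC Discovery
# names, assumed here to map onto the console fields of the same meaning.
FIELD_MAP = {
    "issuer": "issuer",
    "authorization_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "jwks_url": "jwks_uri",
}

# Constructed sample discovery document; the hostname is a placeholder.
SAMPLE_DISCOVERY_URL = "https://login.example.com/tenant1/v2.0" + DISCOVERY_SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com/tenant1/v2.0",
    "authorization_endpoint": "https://login.example.com/tenant1/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.com/tenant1/oauth2/v2.0/token",
    "jwks_uri": "https://login.example.com/tenant1/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def issuer_from_discovery_url(url):
    """The issuer is the discovery URL minus the well-known suffix."""
    if not url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not a discovery URL")
    return url[: -len(DISCOVERY_SUFFIX)]


def form_values_from_discovery(doc_text, discovery_url):
    """Return (values for the console form, list of problems found)."""
    doc = json.loads(doc_text)
    missing = [key for key in FIELD_MAP.values() if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {', '.join(missing)}")
    values = {field: doc[key] for field, key in FIELD_MAP.items()}
    problems = []
    # OIDC Discovery requires the document's issuer to equal the one it was
    # fetched from; anything else means you are not talking to the IdP you think.
    if values["issuer"].rstrip("/") != issuer_from_discovery_url(discovery_url).rstrip("/"):
        problems.append("issuer in document does not match the discovery URL")
    for field, url in values.items():
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field} is not an https URL")
    # The JWKS URL only helps if ID tokens are signed with an asymmetric key.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and not any(a.startswith(("RS", "ES", "PS")) for a in algs):
        problems.append("IdP advertises no asymmetric id_token signing algorithm")
    return values, problems


def secret_problems(secret):
    """Disallowed characters present in the secret, in order of first appearance."""
    found = []
    for ch in secret:
        if ch in DISALLOWED_SECRET_CHARS and ch not in found:
            found.append(ch)
    return found


if __name__ == "__main__":
    values, problems = form_values_from_discovery(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY_URL)
    for field, url in values.items():
        print(f"{field:18} {url}")
    print("problems:", problems or "none")
    print("secret check:", secret_problems('p$ss"w^rd<') or "ok")
```

To use it for real, fetch the discovery URL from your IdP's documentation, pass its body and that URL to `form_values_from_discovery`, and copy the returned values into the form only when the problem list is empty; run `secret_problems` on the secret before you paste it, and generate a new one in the IdP if it reports anything.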

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator and have started the IdP integration.
  • You have the OIDC configuration information available.

Procedure

  1. On the Identity Provider Integration page, click OpenID Connect.
    The OIDC identity provider configuration form appears.
  2. Using the information you have gathered, fill out the form.
  3. After you verify the information is complete for your identity provider integration, click Create OIDC identity provider integration. A page appears that shows you the configuration information.

    Note

    If any information is missing or wrong, update the form and resubmit.

  4. Click Test and enable to complete the identity provider integration. This opens a new window for you to enter your login ID and password.

    Note

    Make sure pop-ups are enabled in your browser.

  5. On a successful test, click the Enable button to enable for your organization. If you choose not to enable, you must retest.

You can delete or disable the identity provider integration. Before you change your internal SAML certificate or the OIDC secret, disable Red Hat identity provider integration.

Note

When you disable or delete your IdP integration, all users on your account, including your Organization Administrator, must use their Red Hat account credentials to log in. After you update and re-enable the identity provider integration, users on your organization account will log in through your identity provider.

Disable the Red Hat identity provider integration before you change or update your internal SAML certificate or OIDC secret. These changes are sometimes referred to as rotations. After the rotation, update the Red Hat IdP integration with the new certificate or secret information and re-enable.

Warning

You must disable the Red Hat IdP integration before changing your internal SAML certificate or OIDC secret. Failure to do so results in all users, including Organization Administrators, being unable to authenticate. If this happens, contact Red Hat Customer Service.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator.
  • You have configured and enabled the Red Hat identity provider integration.
  • You can access your internal IdP and rotate the SAML certificate or OIDC secret.

Procedure

  1. Navigate to Settings > Authentication Policy > Identity Provider Integration.
    Your enabled integration is displayed.
  2. Click Disable.
  3. Generate and update the SAML certificate or OIDC secret in your organization’s identity provider.
  4. Update the Red Hat IdP integration SAML certificate or OIDC secret.
  5. When finished, click Test and enable. The testing step is required after any update to your IdP integration.
  6. On a successful test, click Enable to re-enable for your organization.

You can temporarily disable the integration without changing it. For example, your identity provider might have a maintenance window and you want users to log in to Red Hat services using their Red Hat login ID and password.

Note

If you cannot access the Red Hat IdP integration application and need to disable your integration, open a support ticket with Red Hat Customer Service. This might occur if your identity provider has an outage and you cannot log in through your integration.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator or as a user with User Access administrator permissions.
  • You have configured an identity provider integration.

Procedure

  1. Navigate to Settings > Authentication Policy > Identity Provider Integration.
    Your enabled integration is displayed.
  2. Click Disable.
    Your IdP integration is now disabled.
  3. When you are ready to re-enable, click Test and enable.
  4. On a successful test, click Enable to re-enable for your organization.