Chapter 3. Identity provider integration system defaults
3.1. SAML defaults
The following table identifies Red Hat identity system defaults and expectations for identity provider integration with SAML.
| Name | Description |
|---|---|
| SSO initiation type | The Red Hat identity system (sso.redhat.com) supports Service Provider-initiated single sign-on. We do not support IdP-initiated single sign-on, and do not plan to add this. |
| SSO binding | Only POST is allowed for new IdPs. |
| Name ID | Red Hat expects an ID that allows for unspecified identification of authenticating users. However, it is up to the customer to determine which identifier they wish to use. Commonly used IDs include a UUID, an email address, or a username. |
| Other required attributes | We do not require any other attributes to be provided for authenticating users. |
| ACS URL | This is provided by the Identity Provider Integration tool after a customer has completed the initial setup for their IdP. We also provide a link to our SAML metadata URL that the customer can bind with if they so choose (this lets them review the configured IdP in depth). |
| Assertion Signing | We require that integrating customers sign their assertions. We require that a valid X.509 certificate is provided during IdP configuration that can be used to verify the assertion signature. |
| Response/Assertion Encryption | Encryption is not currently enforced, but as long as a valid X.509 certificate is provided we will be able to decrypt responses/assertions. |
| Signing AuthN requests | Red Hat signs AuthN requests. We would encourage integrating parties to verify this signature. The key we use to do this will be discoverable in the SAML metadata that we provide (mentioned above, this will be presented after the IdP has been created). |
| Federated Logout | Red Hat does not currently support any federated logout options. Doing so would result in your users being logged out of both Red Hat and your company’s SSO if they were to “log out” of a Red Hat service or application. |
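The table says that the key Red Hat uses to sign AuthN requests is discoverable in the SAML metadata it provides, and that the ACS only accepts the POST binding. The following added example (written for this page, not code from Red Hat or its integration tool) parses a service-provider metadata document, pulls out the signing certificate and the ACS bindings, and reports where the metadata does not match the expectations in the table. The metadata document, its entityID, ACS location and certificate text are constructed placeholders; the real values come from the Identity Provider Integration tool.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample service-provider metadata for illustration only. The entityID,
# ACS location and certificate text are placeholders, not values published by Red Hat.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            PLACEHOLDER-BASE64-CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields an IdP administrator needs from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    signing_certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may serve both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Strip the whitespace that metadata publishers usually wrap the base64 body in.
                signing_certs.append("".join((cert.text or "").split()))

    acs = [
        (svc.get("Binding"), svc.get("Location"))
        for svc in sp.findall("md:AssertionConsumerService", NS)
    ]
    nameid_formats = [(f.text or "").strip() for f in sp.findall("md:NameIDFormat", NS)]

    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "signing_certs": signing_certs,
        "acs": acs,
        "nameid_formats": nameid_formats,
    }


def check_sp_expectations(info):
    """Return findings where the metadata does not match the expectations in the SAML table."""
    findings = []
    if not info["authn_requests_signed"]:
        findings.append("SP does not declare AuthnRequestsSigned")
    if not info["signing_certs"]:
        findings.append("no signing certificate published; AuthN request signatures cannot be verified")
    if not info["want_assertions_signed"]:
        findings.append("SP does not declare WantAssertionsSigned")
    if not any(binding == HTTP_POST for binding, _ in info["acs"]):
        findings.append("no AssertionConsumerService with the HTTP-POST binding")
    return findings


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", parsed["entity_id"])
    print("ACS endpoints:", parsed["acs"])
    print("signing certificates found:", len(parsed["signing_certs"]))
    print("findings:", check_sp_expectations(parsed) or "none")
```

The extracted certificate string is the base64 DER body the IdP loads to verify AuthN request signatures; the check function only confirms that the metadata declares signing and publishes a key, it does not verify any signature itself.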
3.2. OIDC defaults
The following table identifies Red Hat identity system defaults and expectations for identity provider integration with OIDC.
| Name | Description |
|---|---|
| Federated Logout | Red Hat does not currently support any federated logout options. Doing so would result in your users being logged out of both Red Hat and your company’s SSO if they were to “log out” of a Red Hat service or application. |
| Signatures | IdP integration validates signatures and requires that tokens be signed. |
| PKCE | For enhanced security, use Proof Key for Code Exchange (PKCE), which is an extension to the OAuth 2.0 authorization code flow. Red Hat encourages you to use S256 as the PKCE method. |
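The PKCE row recommends the S256 method. The following added example (written for this page, not code from Red Hat) shows both halves of the exchange: the client generates a random code verifier, derives the S256 challenge as base64url(SHA-256(verifier)) and sends only the challenge in the authorization request; the token endpoint later recomputes the challenge from the presented verifier and compares the two. The endpoint, client ID and redirect URI are constructed placeholders; the verifier/challenge pair in the test is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(raw):
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """Random verifier: 32 bytes encode to 43 characters, the RFC 7636 minimum; 96 bytes to the 128 maximum."""
    if not 32 <= nbytes <= 96:
        raise ValueError("verifier must encode to 43..128 characters")
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier):
    """S256 challenge: base64url(SHA-256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorization_endpoint, client_id, redirect_uri, verifier,
                            scope="openid", state=None):
    """Client side: the challenge (never the verifier) goes into the authorization request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params)


def verify_pkce(verifier, stored_challenge, method="S256"):
    """Server side (token endpoint): recompute the challenge from the verifier presented with the code."""
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Constructed placeholders; a real integration uses the endpoint from the IdP's discovery document.
    verifier = make_code_verifier()
    url = build_authorization_url("https://idp.example.invalid/authorize", "client-placeholder",
                                  "https://app.example.invalid/callback", verifier)
    print("authorization request:", url)
    print("token endpoint accepts verifier:", verify_pkce(verifier, code_challenge_s256(verifier)))
```

The verifier stays in the client session between the authorization request and the token request, which is what makes an intercepted authorization code useless on its own.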
3.3. Characters not allowed in the OIDC client secret
The following characters are not allowed in the OIDC client secret. Inspect the client secret and create a new one if any disallowed character is in the secret.
\ $ ^ [ ] ' " > <
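The section above asks you to inspect the client secret and create a new one if it contains any of the listed characters. The following added example (written for this page, not code from Red Hat) does that inspection and, as an assumption about how a replacement might be generated locally, produces a random secret from an alphabet that excludes all nine disallowed characters. The alphabet and the length are choices made here, not requirements stated by the page.

```python
import secrets
import string

# The nine characters the page lists as not allowed in an OIDC client secret:
# \ $ ^ [ ] ' " > <
DISALLOWED_CHARS = frozenset("\\$^[]'\"><")

# Constructed alphabet for generating a replacement secret: letters, digits and the
# URL-unreserved punctuation '-_.~'. None of these are in the disallowed set.
SAFE_ALPHABET = string.ascii_letters + string.digits + "-_.~"


def disallowed_chars_in(secret):
    """Return the disallowed characters present in the secret, sorted and de-duplicated."""
    return sorted(set(secret) & DISALLOWED_CHARS)


def secret_is_acceptable(secret):
    """True when the secret contains none of the disallowed characters."""
    return not disallowed_chars_in(secret)


def generate_client_secret(length=48):
    """Replacement secret from the safe alphabet; 48 symbols out of 66 is roughly 290 bits of entropy."""
    if length < 32:
        raise ValueError("use at least 32 characters")
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample secret containing two disallowed characters.
    sample = "abc$def<ghi"
    print("disallowed characters found:", disallowed_chars_in(sample))
    if not secret_is_acceptable(sample):
        replacement = generate_client_secret()
        print("replacement acceptable:", secret_is_acceptable(replacement))
```

Run the check against the secret exactly as it was issued, before any shell quoting or URL encoding is applied, since those transformations can hide or add the very characters being looked for.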