Chapter 1. The company single sign-on feature
The company SSO feature integrates your company SSO with Red Hat SSO. This integration allows existing Red Hat users to authenticate to Red Hat with their company SSO credentials.
You can integrate your identity provider by using the self-service identity provider integration support as described in Configuring Identity Provider Integration. See Red Hat Hybrid Cloud Console Documentation.
Self-service integration is supported for the following Red Hat account types:
- A Red Hat Corporate account type. Personal account types are not supported.
- Accounts with an active, non-evaluation subscription.
- Approved Red Hat partner accounts.
1.1. What is company single sign-on?
Company single sign-on is an integration between the Red Hat single sign-on system and your organization’s identity provider (IdP). This type of integration is commonly known as “3rd party IdP” or “federated IdP.” It enables users in your organization who have existing Red Hat logins to sign in to Red Hat services and applications that use sso.redhat.com for authentication, such as Customer Portal, Hybrid Cloud Console, and training-lms.redhat.com, using their company SSO login credentials, the same credentials they use to access their company’s internal apps and resources. Any Red Hat website, app, or service using sso.redhat.com for authentication is accessible through company single sign-on integration.
1.2. Benefits of the Red Hat company single sign-on integration
Organization Administrators can use this feature for compliance and security reasons: the organization manages authentication security for Red Hat services directly, through the authentication requirements of its own single sign-on system. The company single sign-on feature also gives end users a better authentication experience, and they maintain one fewer set of login credentials.
Currently, company single sign-on integration has the following scope:
- Link one company IdP with one Red Hat organization account.
- Link one company user identity with one Red Hat user identity.
- Use corporate SSO/IdP to authenticate to the Red Hat Customer Portal or any Red Hat application with a web-based authentication flow which uses sso.redhat.com.
- OpenID Connect (OIDC) is supported.
- Security Assertion Markup Language (SAML) is supported.
1.3. Limitations of the Red Hat company single sign-on integration
When you integrate your identity provider (IdP) or single sign-on (SSO) with the Red Hat single sign-on to create a federated SSO, any user who cannot authenticate to your SSO also cannot authenticate to any Red Hat service with a web-based authentication flow. This includes frequently used services such as Red Hat Customer Portal, Red Hat Hybrid Cloud Console, Red Hat Training, and more.
A limited number of Red Hat services do not use web-based authentication; these services are not compatible with federated single sign-on. This means you can revoke a user’s corporate customer IdP credentials, but they can still use their Red Hat account username and password to authenticate to Red Hat services that bypass web-based authentication.
To remove access to all Red Hat services, the Organization Administrator must use the user management tool to deactivate a Red Hat user account. A deactivated account can no longer be used to access any Red Hat service.
Users must be created through currently supported methods to take advantage of company single sign-on integration. Company single sign-on integration does not support auto-registration of users.
Users without accounts in the customer IdP will not be able to authenticate. For example, this can affect vendor relationships where today the vendor user has a Red Hat login within the customer’s Red Hat company account. Once company single sign-on is enabled, if the customer is not willing or able to allow the vendor user to have an account in the customer IdP, the vendor user will no longer be able to log in.
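The limitations above leave two cases worth checking after enabling federation: Red Hat accounts that stay active after the matching IdP identity is revoked, and Red Hat accounts (for example vendor users) with no IdP identity at all. The following Python is an added example, not Red Hat code; the export field names, the sample records, and matching identities by email address are all assumptions.

```python
"""Offboarding reconciliation for a federated Red Hat organization.

Assumption: both inputs are exports you produced yourself. The field names
are hypothetical and do not correspond to a Red Hat or IdP API format.
"""

def find_offboarding_gaps(idp_users, redhat_users):
    """Return active Red Hat logins that need review, grouped by reason.

    idp_users:    iterable of {"email": str, "enabled": bool}
    redhat_users: iterable of {"login": str, "email": str, "active": bool}
    """
    idp_state = {}
    for user in idp_users:
        email = user["email"].strip().lower()
        # If an address appears twice, any enabled record keeps it enabled.
        idp_state[email] = idp_state.get(email, False) or bool(user["enabled"])

    gaps = {"revoked_in_idp": [], "no_idp_account": []}
    for user in redhat_users:
        if not user["active"]:
            continue  # deactivated in user management: no Red Hat access left
        email = user["email"].strip().lower()
        if email not in idp_state:
            # Cannot use web-based login; may need an IdP account or removal.
            gaps["no_idp_account"].append(user["login"])
        elif not idp_state[email]:
            # IdP access revoked, but the Red Hat username and password still
            # work for services that bypass web-based authentication.
            gaps["revoked_in_idp"].append(user["login"])
    return {reason: sorted(logins) for reason, logins in gaps.items()}

# Constructed sample data, for illustration only.
IDP_EXPORT = [
    {"email": "Alice@Example.com", "enabled": True},
    {"email": "bob@example.com", "enabled": False},
]
REDHAT_EXPORT = [
    {"login": "alice-rh", "email": "alice@example.com", "active": True},
    {"login": "bob-rh", "email": "BOB@example.com ", "active": True},
    {"login": "vendor-rh", "email": "carol@vendor.example", "active": True},
    {"login": "dave-rh", "email": "dave@example.com", "active": False},
]

if __name__ == "__main__":
    print(find_offboarding_gaps(IDP_EXPORT, REDHAT_EXPORT))
```

Logins reported under `revoked_in_idp` are the ones the Organization Administrator would deactivate with the user management tool to remove access to all Red Hat services.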