Chapter 3. Configuring Red Hat Single Sign-On
Red Hat Single Sign-On (RH-SSO) supports multi-tenancy and uses realms to separate tenants. As a result, RH-SSO operations always occur within the context of a realm. You can create the realm manually, or with the keycloak-httpd-client-install tool if you have administrative privileges on the RH-SSO server.
Prerequisites
You must have a fully installed RH-SSO server. For more information on installing RH-SSO, see Server installation and configuration guide.
You need definitions for the following variables as they appear below:
<_RH_RHSSO_URL_> | The Red Hat Single Sign-On URL
<_FED_RHSSO_REALM_> | Identifies the RH-SSO realm in use
3.1. Configuring the RH-SSO realm
When the Red Hat Single Sign-On (RH-SSO) realm is available, use the RH-SSO web console to configure the realm for user federation against IdM:
Procedure
- From the drop-down list in the upper left corner, select your RH-SSO realm.
- From the Configure panel, select User Federation.
- From the Add provider drop-down list in the User Federation panel, select ldap. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.
Property | Value
Console Display Name | Red Hat IDM
Edit Mode | READ_ONLY
Sync Registrations | Off
Vendor | Red Hat Directory Server
Username LDAP attribute | uid
RDN LDAP attribute | uid
UUID LDAP attribute | ipaUniqueID
User Object Classes | inetOrgPerson, organizationalPerson
Connection URL | LDAPS://<_FED_IPA_HOST_>
Users DN | cn=users,cn=accounts,<_FED_IPA_BASE_DN_>
Authentication Type | simple
Bind DN | uid=rhsso,cn=sysaccounts,cn=etc,<_FED_IPA_BASE_DN_>
Bind Credential | <_FED_IPA_RHSSO_SERVICE_PASSWD_>
- Use the Test connection and Test authentication buttons to ensure that user federation is working.
- Click Save to save the new user federation provider.
- Click the Mappers tab at the top of the Red Hat IdM user federation page you created.
- Create a mapper to retrieve the user group information. A user’s group membership is returned in the SAML assertion. Use group membership later to provide authorization in OpenStack.
- Click Create in the Mappers page. On the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop-down list, and name it Group Mapper. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.
Property | Value
LDAP Groups DN | cn=groups,cn=accounts,<_FED_IPA_BASE_DN_>
Group Name LDAP Attribute | cn
Group Object Classes | groupOfNames
Membership LDAP Attribute | member
Membership Attribute Type | DN
Mode | READ_ONLY
User Groups Retrieve Strategy | GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
- Click Save.
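The user federation settings in the table of step 3 lend themselves to an automated check before a provider goes live, for example when reviewing an exported realm. The following is an added example, not Red Hat's, Keycloak's or IdM's code: it represents the LDAP provider as a dictionary keyed by the console display names from that table (Keycloak's internal configuration key names are deliberately not assumed), uses constructed placeholder host and base DN values, and reports every setting that deviates from what the chapter prescribes. A weakened copy of the same provider is included so the output shows what gets flagged.

```python
"""Audit an RH-SSO LDAP user federation definition against the settings this
chapter prescribes.  Added example, not Red Hat's or Keycloak's code: keys are
the console display names from the table, and host/base DN values are
constructed placeholders."""
from urllib.parse import urlsplit

# Constructed: the provider exactly as the table prescribes, with placeholder
# site values standing in for <_FED_IPA_HOST_> and <_FED_IPA_BASE_DN_>.
PRESCRIBED = {
    "Console Display Name": "Red Hat IDM",
    "Edit Mode": "READ_ONLY",
    "Sync Registrations": "Off",
    "Vendor": "Red Hat Directory Server",
    "Username LDAP attribute": "uid",
    "RDN LDAP attribute": "uid",
    "UUID LDAP attribute": "ipaUniqueID",
    "User Object Classes": "inetOrgPerson, organizationalPerson",
    "Connection URL": "LDAPS://ipa.example.test",
    "Users DN": "cn=users,cn=accounts,dc=example,dc=test",
    "Authentication Type": "simple",
    "Bind DN": "uid=rhsso,cn=sysaccounts,cn=etc,dc=example,dc=test",
    "Bind Credential": "<_FED_IPA_RHSSO_SERVICE_PASSWD_>",
}

# Constructed: the same provider with four settings weakened.
WEAK = {
    **PRESCRIBED,
    "Connection URL": "ldap://ipa.example.test:389",
    "Edit Mode": "WRITABLE",
    "Sync Registrations": "On",
    "Bind DN": "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
}


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace after commas so suffixes compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_under(dn, suffix):
    """True when dn sits directly or indirectly beneath suffix."""
    return _norm_dn(dn).endswith("," + _norm_dn(suffix))


def ipa_base_dn(users_dn):
    """Recover <_FED_IPA_BASE_DN_> from a Users DN of the form cn=users,cn=accounts,<base>."""
    prefix = "cn=users,cn=accounts,"
    normalised = _norm_dn(users_dn)
    return normalised[len(prefix):] if normalised.startswith(prefix) else None


def audit_ldap_federation(cfg):
    """Return 'Property: problem' strings; an empty list means the provider
    matches the chapter's prescription."""
    findings = []
    # urlsplit lower-cases the scheme, so the table's LDAPS:// form passes.
    if urlsplit(cfg["Connection URL"]).scheme != "ldaps":
        findings.append("Connection URL: use LDAPS so the simple bind credential "
                        "and user data are not sent in clear text")
    if cfg["Edit Mode"] != "READ_ONLY":
        findings.append("Edit Mode: set READ_ONLY; RH-SSO must not write back to IdM")
    if cfg["Sync Registrations"] != "Off":
        findings.append("Sync Registrations: set Off; users are created in IdM, not via RH-SSO")
    if cfg["Authentication Type"] == "simple" and not cfg.get("Bind Credential"):
        findings.append("Bind Credential: simple authentication needs the service account password")
    base = ipa_base_dn(cfg["Users DN"])
    if base is None:
        findings.append("Users DN: expected cn=users,cn=accounts,<_FED_IPA_BASE_DN_>")
    elif not dn_under(cfg["Bind DN"], "cn=sysaccounts,cn=etc," + base):
        findings.append("Bind DN: bind with the dedicated system account under "
                        "cn=sysaccounts,cn=etc, not a user account under cn=users")
    return findings


if __name__ == "__main__":
    for name, cfg in (("prescribed", PRESCRIBED), ("weak", WEAK)):
        print(name, audit_ldap_federation(cfg) or ["no findings"])
```

The check reads the Users DN to recover the base DN, then requires the Bind DN to live under cn=sysaccounts,cn=etc of that same base; this catches a provider that was pointed at a different IdM domain as well as one that binds as an ordinary user.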
3.2. Adding user attributes using SAML assertion
Security Assertion Markup Language (SAML) is an open standard that allows the communication of user attributes and authorization credentials between the identity provider (IdP) and a service provider (SP).
You can configure Red Hat Single Sign-On (RH-SSO) to return the attributes that you require in the assertion. When the OpenStack Identity service receives the SAML assertion, it maps those attributes onto OpenStack users. The process of mapping IdP attributes into Identity Service data is called Federated Mapping. For more information, see Section 4.20, “Create the Mapping File and Upload to Keystone”.
Use the following process to add attributes to SAML:
Procedure
- In the RH-SSO administration web console, select <_FED_RHSSO_REALM_> from the drop-down list in the upper left corner.
- Select Clients from the Configure panel.
- Select the service provider client that keycloak-httpd-client-install configured. You can identify the client with the SAML EntityId.
- Select the Mappers tab from the horizontal list of tabs.
- In the Mappers panel, select Create or Add Builtin to add a protocol mapper to the client.
You can add additional attributes, but you only need the list of groups for which the user is a member. Group membership is how you authorize the user.
3.3. Adding group information to the SAML assertion
Procedure
- Click the Create button in the Mappers panel.
- In the Create Protocol Mapper panel, select Group list from the Mapper type drop-down list.
- Enter Group List as a name in the Name field. Enter groups as the name of the SAML attribute in the Group attribute Name field.
Note: This is the name of the attribute as it appears in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it searches for the SAML attribute name. When you add an attribute in RH-SSO to be passed in the assertion, specify the SAML attribute name. You define the name in the RH-SSO protocol mapper.
- In the SAML Attribute NameFormat parameter, select Basic.
- In the Single Group Attribute toggle box, select On.
- Click Save.
When you run the keycloak-httpd-client-install tool, the process adds a group mapper.
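The Note in the procedure above makes the point that the Remote type in the keystone mapping must be the SAML attribute Name set in the protocol mapper. The following added example (not Red Hat's, Keycloak's or keystone's code) makes that concrete: it parses a constructed assertion fragment in the shape the Group list mapper produces with attribute name groups, NameFormat Basic and Single Group Attribute On, then evaluates rules written in the shape of a keystone mapping file with a deliberately small evaluator that understands only type and any_one_of. The assertion text, the rules and the group names are constructed; the assumption that Single Group Attribute Off emits one Attribute element per group is the author's of this example, not stated on the page.

```python
"""Read the group list out of a SAML assertion and evaluate keystone-style
mapping rules against it.  Added example; the rule evaluator is a small
subset of keystone's mapping engine (only "type" and "any_one_of")."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed: what the Group list mapper emits with Group attribute Name
# "groups", NameFormat Basic and Single Group Attribute On (one <Attribute>
# carrying every group as its own <AttributeValue>).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid" NameFormat="{BASIC}">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue>openstack-users</saml:AttributeValue>
      <saml:AttributeValue>openstack-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed, assumed shape for Single Group Attribute Off: one <Attribute>
# element per group, all sharing the Name "groups".
SPLIT_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue>openstack-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue>openstack-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed rules in the shape of a keystone mapping file.  The "remote"
# "type" must equal the SAML attribute Name chosen in the protocol mapper.
SAMPLE_RULES = [
    {
        "local": [{"group": {"name": "federated_users", "domain": {"name": "Default"}}}],
        "remote": [{"type": "groups", "any_one_of": ["openstack-users"]}],
    },
    {
        "local": [{"group": {"name": "federated_admins", "domain": {"name": "Default"}}}],
        "remote": [{"type": "groups", "any_one_of": ["openstack-admins"]}],
    },
    {
        # "memberOf" is not the Name set in the mapper, so this rule never
        # matches even though the user is in openstack-admins.
        "local": [{"group": {"name": "never_assigned", "domain": {"name": "Default"}}}],
        "remote": [{"type": "memberOf", "any_one_of": ["openstack-admins"]}],
    },
]


def saml_attributes(assertion_xml):
    """Return {attribute Name: [values]}, merging values of every <Attribute>
    that shares a Name so both single- and split-attribute forms read alike."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def rule_matches(rule, attrs):
    """A rule matches when every remote entry names an attribute that is present
    and, where any_one_of is given, shares at least one value with it."""
    for remote in rule["remote"]:
        values = attrs.get(remote["type"])
        if not values:
            return False
        if "any_one_of" in remote and not set(values) & set(remote["any_one_of"]):
            return False
    return True


def local_groups(rules, attrs):
    """Local group names granted by every rule that matches the attributes."""
    return [local["group"]["name"]
            for rule in rules if rule_matches(rule, attrs)
            for local in rule["local"] if "group" in local]


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_ASSERTION)
    print(attrs)
    print(local_groups(SAMPLE_RULES, attrs))
```

Running it prints the parsed attributes and the two local groups granted; the third rule, keyed on memberOf, stays silent, which is exactly the mismatch the Note warns about when the mapper's attribute name and the mapping file disagree.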