Chapter 5. Configuring external authentication


By using external authentication you can derive user and user group permissions from user group membership in an external identity provider. When you use external authentication, you do not have to create these users and maintain their group membership manually on Satellite Server. If the external source does not provide an email address, Satellite requests it during the first login through the Satellite web UI.

Important user and group account information

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your Satellite Server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, apache, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

# cat /etc/passwd | grep 'puppet\|apache\|foreman\|foreman-proxy'
# cat /etc/group | grep 'puppet\|apache\|foreman\|foreman-proxy'

Scenarios for configuring external authentication

Red Hat Satellite supports the following general scenarios for configuring external authentication:

  • Using Lightweight Directory Access Protocol (LDAP) server as an external identity provider. LDAP is a set of open protocols used to access centrally stored information over a network. With Satellite, you can manage LDAP entirely through the Satellite web UI. For more information, see Section 5.1, “Using LDAP”. Though you can use LDAP to connect to a Red Hat Identity Management or AD server, the setup does not support server discovery, cross-forest trusts, or single sign-on with Kerberos in Satellite’s web UI.
  • Using a Red Hat Identity Management server as an external identity provider. Red Hat Identity Management deals with the management of individual identities, their credentials and privileges used in a networking environment. Configuration using Red Hat Identity Management cannot be completed using only the Satellite web UI and requires some interaction with the CLI. For more information see Section 5.2, “Using Red Hat Identity Management”.
  • Using Active Directory (AD) integrated with Red Hat Identity Management through cross-forest Kerberos trust as an external identity provider. For more information see Section 5.3.3, “Active Directory with cross-forest trust”.
  • Using Red Hat Single Sign-On as an OpenID provider for external authentication to Satellite. For more information, see Section 5.9, “Configuring Satellite with Red Hat Single Sign-On authentication”.
  • Using Red Hat Single Sign-On as an OpenID provider for external authentication to Satellite with TOTP. For more information, see Section 5.10, “Configuring Red Hat Single Sign-On authentication with TOTP”.

As well as providing access to Satellite Server, hosts provisioned with Satellite can also be integrated with Red Hat Identity Management realms. Red Hat Satellite has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider. For more information, see Section 5.8, “External authentication for provisioned hosts”.

Table 5.1. Authentication overview
| Type | Authentication | User Groups |
|---|---|---|
| Red Hat Identity Management | Kerberos or LDAP | Yes |
| Active Directory | Kerberos or LDAP | Yes |
| POSIX | LDAP | Yes |

5.1. Using LDAP

Satellite supports LDAP authentication using one or multiple LDAP directories. Your LDAP server must comply with the RFC 2307 schema.

If you do not require secure LDAP at this time, proceed to Section 5.1.2, “Configuring Red Hat Satellite to use LDAP”.

Important

Users cannot use both Red Hat Identity Management and LDAP as an authentication method. Once a user authenticates using one method, they cannot use the other method.

To change the authentication method for a user, you have to remove the automatically created user from Satellite.

For more information on using Red Hat Identity Management as an authentication method, see Section 5.2, “Using Red Hat Identity Management”.

5.1.1. Configuring TLS for secure LDAP

If Satellite uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your Satellite Server.

If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list.

Procedure

  1. Obtain the CA certificate from the LDAP Server:

    1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format. See How to configure Active Directory authentication with TLS on Satellite for information on creating and exporting a CA certificate from an Active Directory server.
    2. Download the LDAP server certificate to a temporary location on the Satellite Server, such as /tmp/example.crt. You will remove the certificate when finished.

      The filename extensions .cer and .crt are only conventions and can refer to DER binary or PEM ASCII format certificates.

  2. Add the LDAP server certificate to the system truststore:

    1. Import the certificate:

      # cp /tmp/example.crt /etc/pki/ca-trust/source/anchors
    2. Update the certificate authority truststore:

      # update-ca-trust extract
  3. Delete the downloaded LDAP certificate from the temporary location on your Satellite Server.

5.1.2. Configuring Red Hat Satellite to use LDAP

In the Satellite web UI, configure Satellite to use LDAP.

Note that if you need single sign-on functionality with Kerberos on Satellite web UI, you should use Red Hat Identity Management and AD external authentication instead. For more information, see:

Procedure

  1. Set the Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:

    # setsebool -P nis_enabled on
  2. In the Satellite web UI, navigate to Administer > Authentication Sources.
  3. Click Create LDAP Authentication Source.
  4. On the LDAP server tab, enter the LDAP server’s name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For TLS encrypted connections, select the LDAPS checkbox to enable encryption. The port should change to 636, which is the default for LDAPS.
  5. On the Account tab, enter the account information and domain name details. See Section 5.1.3, “Description of LDAP settings” for descriptions and examples.
  6. On the Attribute mappings tab, map LDAP attributes to Satellite attributes. You can map login name, first name, last name, email address, and photo attributes. See Section 5.1.4, “Example settings for LDAP connections” for examples.
  7. On the Locations tab, select locations from the left table. Selected locations are assigned to users created from the LDAP authentication source, and available after their first login.
  8. On the Organizations tab, select organizations from the left table. Selected organizations are assigned to users created from the LDAP authentication source, and available after their first login.
  9. Click Submit.
  10. Configure new accounts for LDAP users:

    • If you did not select Automatically Create Accounts In Satellite checkbox, see Creating a User in Administering Red Hat Satellite to create user accounts manually.
    • If you selected the Automatically Create Accounts In Satellite checkbox, LDAP users can now log in to Satellite using their LDAP accounts and passwords. After they log in for the first time, the Satellite administrator has to assign roles to them manually. For more information on assigning user accounts appropriate roles in Satellite, see Assigning Roles to a User in Administering Red Hat Satellite.

5.1.3. Description of LDAP settings

The following table provides a description for each setting in the Account tab.

Table 5.2. Account tab settings
| Setting | Description |
|---|---|
| Account | The user name of the LDAP account that has read access to the LDAP server. User name is not required if the server allows anonymous reading, otherwise use the full path to the user’s object (for example, uid=$login,cn=users,cn=accounts,dc=example,dc=com). The $login variable stores the username entered on the login page as a literal string. The value is accessed when the variable is expanded. The variable cannot be used with external user groups from an LDAP source because Satellite needs to retrieve the group list without the user logging in. Use either an anonymous, or dedicated service user. |
| Account password | The LDAP password for the user defined in the Account username field. This field can remain blank if the Account username is using the $login variable. |
| Base DN | The top level domain name of the LDAP directory. |
| Groups base DN | The top level domain name of the LDAP directory tree that contains groups. |
| LDAP filter | A filter to restrict LDAP queries. |
| Automatically Create Accounts In Satellite | If this checkbox is selected, Satellite creates user accounts for LDAP users when they log in to Satellite for the first time. After they log in for the first time, the Satellite administrator has to assign roles to them manually. See Assigning Roles to a User in Administering Red Hat Satellite to assign user accounts appropriate roles in Satellite. |
| Usergroup Sync | If this option is selected, the user group membership of a user is automatically synchronized when the user logs in, which ensures the membership is always up to date. If this option is cleared, Satellite relies on a cron job to regularly synchronize group membership (every 30 minutes by default). For more information, see Section 5.4, “Configuring external user groups”. |

5.1.4. Example settings for LDAP connections

The following table shows example settings for different types of LDAP connections. The example below uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries. Note that LDAP attribute names are case sensitive.

Table 5.3. Example settings for Active Directory, FreeIPA or Red Hat Identity Management and POSIX LDAP connections

| Setting | Active Directory | FreeIPA or Red Hat Identity Management | POSIX (OpenLDAP) |
|---|---|---|---|
| Account | DOMAIN\redhat | uid=redhat,cn=users,cn=accounts,dc=example,dc=com | uid=redhat,ou=users,dc=example,dc=com |
| Account password | P@ssword | - | - |
| Base DN | DC=example,DC=COM | dc=example,dc=com | dc=example,dc=com |
| Groups Base DN | CN=Users,DC=example,DC=com | cn=groups,cn=accounts,dc=example,dc=com | cn=employee,ou=userclass,dc=example,dc=com |
| Login name attribute | userPrincipalName | uid | uid |
| First name attribute | givenName | givenName | givenName |
| Last name attribute | sn | sn | sn |
| Email address attribute | mail | mail | mail |
| Photo attribute | thumbnailPhoto | - | - |

Note

userPrincipalName allows the use of whitespace in usernames. The login name attribute sAMAccountName (which is not listed in the table above) provides backwards compatibility with legacy Microsoft systems. sAMAccountName does not allow the use of whitespace in usernames.

5.1.5. Example LDAP filters

As an administrator, you can create LDAP filters to restrict the access of specific users to Satellite.

Table 5.4. Example filters for allowing specific users to login
  • User: User1
    Filter: (distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)
  • User: User1, User3
    Filter: (memberOf=cn=Group1,cn=Users,dc=domain,dc=example)
  • User: User2, User3
    Filter: (memberOf=cn=Group2,cn=Users,dc=domain,dc=example)
  • User: User1, User2, User3
    Filter: (|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))
  • User: User1, User2, User3
    Filter: (memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Note

Group Users is a nested group that contains groups Group1 and Group2. If you want to filter all users from a nested group, you must add memberOf:1.2.840.113556.1.4.1941:= before the nested group name. See the last example in the table above.

LDAP directory structure

The LDAP directory structure that the filters in the example use:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3

LDAP group membership

The group membership that the filters in the example use:

| Group | Members |
|---|---|
| Group1 | User1, User3 |
| Group2 | User2, User3 |
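
The following added example (not part of the original documentation and not Satellite or directory-server code) evaluates the filters from Table 5.4 against a constructed model of the sample directory and group membership above, including the nested-group matching rule 1.2.840.113556.1.4.1941. It supports only the filter forms used on this page, and it assumes that DNs compare case-insensitively.

```python
"""Added example: evaluate the Table 5.4 filters against the sample directory on this page."""

IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching rule OID from the last filter in Table 5.4
USERS_GROUP = "cn=users,dc=domain,dc=example"


def norm(dn):
    """Assumption of this model: DNs compare case-insensitively, spaces around commas ignored."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def child(cn):
    return norm(f"cn={cn},{USERS_GROUP}")


# Constructed model of the page's directory: each entry lists only its direct memberOf values.
DIRECTORY = {
    USERS_GROUP: [],
    child("Group1"): [USERS_GROUP],  # Group1 and Group2 are nested in group Users
    child("Group2"): [USERS_GROUP],
    child("User1"): [child("Group1")],
    child("User2"): [child("Group2")],
    child("User3"): [child("Group1"), child("Group2")],
}
USERS = ["User1", "User2", "User3"]


def parse(text):
    """Parse the filter subset used on the page: &, |, !, equality, and attr:OID:=value."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' expression near offset {i}")
        return (op, children), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:end].partition("=") if end != -1 else ("", "", "")
    if not sep or not attr or not value or "*" in value or "(" in value:
        raise ValueError(f"unsupported or malformed item near offset {i}")
    rule = None
    if attr.endswith(":"):  # extensible match, e.g. memberOf:1.2.840.113556.1.4.1941:=...
        attr, _, rule = attr[:-1].partition(":")
    return ("item", attr.lower(), rule, norm(value)), end + 1


def groups_of(dn, directory, transitive):
    """Direct groups of dn, or with transitive=True every group reachable through nesting."""
    seen, stack = set(), list(directory.get(dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:  # the seen set also stops membership loops
            seen.add(group)
            if transitive:
                stack.extend(directory.get(group, []))
    return seen


def matches(node, dn, directory):
    if node[0] == "&":
        return all(matches(c, dn, directory) for c in node[1])
    if node[0] == "|":
        return any(matches(c, dn, directory) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], dn, directory)
    _, attr, rule, value = node
    if attr == "distinguishedname" and rule is None:
        return value == dn
    if attr == "memberof" and rule in (None, IN_CHAIN):
        return value in groups_of(dn, directory, transitive=(rule == IN_CHAIN))
    raise ValueError(f"attribute or matching rule not modelled: {attr} {rule}")


def allowed_users(filter_text, directory=DIRECTORY):
    """Names of the sample users that the filter lets through."""
    tree = parse(filter_text)
    return [u for u in USERS if matches(tree, child(u), directory)]


if __name__ == "__main__":
    for flt in ("(memberOf=cn=Users,dc=domain,dc=example)",
                f"(memberOf:{IN_CHAIN}:=cn=Users,dc=domain,dc=example)"):
        print(allowed_users(flt), flt)
```

The plain memberOf filter on the nested group Users matches none of the three users, while the same filter with the matching rule matches all of them.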

5.2. Using Red Hat Identity Management

This section shows how to integrate Satellite Server with a Red Hat Identity Management server and how to enable host-based access control.

Note

You can attach Red Hat Identity Management as an external authentication source with no single sign-on support. For more information, see Section 5.1, “Using LDAP”.

Important

Users cannot use both Red Hat Identity Management and LDAP as an authentication method. Once a user authenticates using one method, they cannot use the other method.

To change the authentication method for a user, you have to remove the automatically created user from Satellite.

Prerequisites

  • The base operating system of Satellite Server must be enrolled in the Red Hat Identity Management domain by the Red Hat Identity Management administrator of your organization.

The examples in this chapter assume separation between Red Hat Identity Management and Satellite configuration. However, if you have administrator privileges for both servers, you can configure Red Hat Identity Management as described in Red Hat Enterprise Linux 8 Installing Identity Management Guide.

5.2.1. Configuring Red Hat Identity Management authentication on Satellite Server

In the Satellite CLI, configure Red Hat Identity Management authentication by first creating a host entry on the Red Hat Identity Management server.

Procedure

  1. On the Red Hat Identity Management server, to authenticate, enter the following command and enter your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. On the Red Hat Identity Management server, create a host entry for Satellite Server and generate a one-time password, for example:

    # ipa host-add --random hostname
    Note

    The generated one-time password must be used on the client to complete Red Hat Identity Management-enrollment.

    For more information on host configuration properties, see Host entry in IdM LDAP in Configuring and managing Identity Management.

  4. Create an HTTP service for Satellite Server, for example:

    # ipa service-add HTTP/hostname

    For more information on managing services, see Red Hat Enterprise Linux 8 Accessing Identity Management Services guide.

  5. On Satellite Server, install the IPA client:

    Warning

    This command might restart Satellite services during the installation of the package. For more information about installing and updating packages on Satellite, see Managing Packages on the Base Operating System of Satellite Server or Capsule Server in Administering Red Hat Satellite.

    # satellite-maintain packages install ipa-client
  6. On Satellite Server, enter the following command as root to configure Red Hat Identity Management-enrollment:

    # ipa-client-install --password OTP

    Replace OTP with the one-time password provided by the Red Hat Identity Management administrator.

  7. Set Red Hat Identity Management as the authentication provider, using one of the following commands:

    • If you only want to enable access to the Satellite web UI but not the Satellite API, enter:

      # satellite-installer \
      --foreman-ipa-authentication=true
    • If you want to enable access both to the Satellite web UI and the Satellite API, enter:

      # satellite-installer \
      --foreman-ipa-authentication-api=true \
      --foreman-ipa-authentication=true
      Warning

      Enabling access to both the Satellite API and the Satellite web UI can lead to security problems. After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering kinit user_name, an attacker can obtain an API session. The attack is possible even if the user did not previously enter the Satellite login credentials anywhere, for example in the browser.

  8. Restart Satellite services:

    # satellite-maintain service restart

External users can now log in to Satellite using their Red Hat Identity Management credentials. They can either log in to Satellite Server directly using their username and password, or take advantage of the configured Kerberos single sign-on by obtaining a ticket on their client machine and being logged in automatically. Two-factor authentication with one-time password (2FA OTP) is also supported.

5.2.2. Configuring host-based authentication control

HBAC rules define which machine within the domain a Red Hat Identity Management user is allowed to access. You can configure HBAC on the Red Hat Identity Management server to prevent selected users from accessing Satellite Server. With this approach, you can prevent Satellite from creating database entries for users that are not allowed to log in. For more information on HBAC, see Managing IdM Users, Groups, Hosts, and Access Control Rules Guide.

On the Red Hat Identity Management server, configure Host-Based Authentication Control (HBAC).

Procedure

  1. On the Red Hat Identity Management server, to authenticate, enter the following command and enter your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. Create HBAC service and rule on the Red Hat Identity Management server and link them together. The following examples use the PAM service name satellite-prod. Execute the following commands on the Red Hat Identity Management server:

    # ipa hbacsvc-add satellite-prod
    # ipa hbacrule-add allow_satellite_prod
    # ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod
  4. Add the user who is to have access to the service satellite-prod, and the hostname of Satellite Server:

    # ipa hbacrule-add-user allow_satellite_prod --user=username
    # ipa hbacrule-add-host allow_satellite_prod --hosts=satellite.example.com

    Alternatively, host groups and user groups can be added to the allow_satellite_prod rule.

  5. To check the status of the rule, execute:

    # ipa hbacrule-find satellite-prod
    # ipa hbactest --user=username --host=satellite.example.com --service=satellite-prod
  6. Ensure the allow_all rule is disabled on the Red Hat Identity Management server. For instructions on how to do so without disrupting other services see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.
  7. Configure the Red Hat Identity Management integration with Satellite Server as described in Section 5.2.1, “Configuring Red Hat Identity Management authentication on Satellite Server”. On Satellite Server, define the PAM service as root:

    # satellite-installer --foreman-pam-service=satellite-prod
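
The following added example (not part of the original documentation and not IdM code) is a simplified model of HBAC evaluation for the allow_satellite_prod rule from this procedure. It shows why step 6 matters: while allow_all is enabled, the specific rule restricts nothing. The user names alice and bob and the group satellite-admins are constructed, and host groups and service groups are left out of the model.

```python
"""Added example: a simplified model of how the HBAC rules from this procedure are evaluated."""
from dataclasses import dataclass, field

SATELLITE = "satellite.example.com"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    all_users: bool = False      # rule applies to every user
    all_hosts: bool = False      # rule applies to every host
    all_services: bool = False   # rule applies to every service

    def matches(self, user, user_groups, host, service):
        user_ok = self.all_users or user in self.users or bool(self.groups & set(user_groups))
        host_ok = self.all_hosts or host in self.hosts
        service_ok = self.all_services or service in self.services
        return self.enabled and user_ok and host_ok and service_ok


def hbactest(rules, user, host, service, user_groups=()):
    """HBAC rules only grant access: a request is allowed if any enabled rule matches it."""
    matched = [rule.name for rule in rules if rule.matches(user, user_groups, host, service)]
    return bool(matched), matched


def build_rules(allow_all_enabled):
    """The default allow_all rule plus the rule created in steps 3 and 4."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 all_users=True, all_hosts=True, all_services=True),
        HbacRule("allow_satellite_prod",
                 users={"alice"},              # constructed user name
                 groups={"satellite-admins"},  # hypothetical user group
                 hosts={SATELLITE},
                 services={"satellite-prod"}),
    ]


if __name__ == "__main__":
    for allow_all in (True, False):
        rules = build_rules(allow_all)
        for user in ("alice", "bob"):
            granted, by = hbactest(rules, user, SATELLITE, "satellite-prod")
            print(f"allow_all enabled={allow_all} user={user} granted={granted} rules={by}")
```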

5.3. Using Active Directory

This section shows how to use direct Active Directory (AD) as an external authentication source for Satellite Server.

Note

You can attach Active Directory as an external authentication source with no single sign-on support. For more information, see Section 5.1, “Using LDAP”. For an example configuration, see How to configure Active Directory authentication with TLS on Satellite.

Direct AD integration means that Satellite Server is joined directly to the AD domain where the identity is stored.

5.3.1. Configuring the Active Directory authentication source on Satellite Server

Enable Active Directory (AD) users to access Satellite by configuring the corresponding authentication provider on your Satellite Server.

Prerequisites

  • The base system of your Satellite Server must be joined to an Active Directory (AD) domain. To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:

    Install the following packages on Satellite Server:

    # satellite-maintain packages install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd

    Specify the required software when joining the AD domain:

    # realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd

    For more information on direct AD integration, see Connecting RHEL systems directly to AD using Samba Winbind.

Procedure

  1. Define AD realm configuration in a location where satellite-installer expects it:

    1. Create a directory named /etc/ipa/:

      # mkdir /etc/ipa/
    2. Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:

      [global]
      realm = AD.EXAMPLE.COM
  2. Configure the Apache keytab for Kerberos connections:

    1. Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:

      [global]
      workgroup = AD.EXAMPLE
      realm = AD.EXAMPLE.COM
      kerberos method = system keytab
      security = ads
    2. Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:

      # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
  3. Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service:

    1. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, configure the ad_gpo_access_control and ad_gpo_map_service options as follows:

      [domain/ad.example.com]
      ad_gpo_access_control = enforcing
      ad_gpo_map_service = +foreman

      For more information on GPOs, see the following documents:

    2. Restart SSSD:

      # systemctl restart sssd
  4. Enable the authentication source:

    # satellite-installer --foreman-ipa-authentication=true
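
The following added example (not part of the original documentation) checks the text of an sssd.conf file for the two GPO settings from step 3 and reports every [domain/...] section that differs from them. Both sample files are constructed, and the function name audit_sssd_conf is hypothetical.

```python
"""Added example: check sssd.conf for the GPO access-control settings from step 3."""
import configparser

REQUIRED_MODE = "enforcing"
PAM_SERVICE = "foreman"  # PAM service name mapped in step 3

# Constructed sample files: the first matches the procedure, the second does not.
CONFIGURED = """\
[sssd]
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman
"""

DRIFTED = """\
[sssd]
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
ad_gpo_access_control = permissive
ad_gpo_map_service = +sshd, -foreman
"""


def audit_sssd_conf(text):
    """Return a list of findings; an empty list means every domain section matches step 3."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(text)
    domains = [name for name in parser.sections() if name.startswith("domain/")]
    if not domains:
        return ["no [domain/...] section found"]
    findings = []
    for name in domains:
        section = parser[name]
        mode = section.get("ad_gpo_access_control", "").strip().lower()
        if mode != REQUIRED_MODE:
            findings.append(
                f"[{name}] ad_gpo_access_control is {mode or 'unset'}, expected {REQUIRED_MODE}")
        # The option holds a comma-separated list; the procedure adds the service as +foreman.
        mapped = [item.strip() for item in section.get("ad_gpo_map_service", "").split(",")]
        if f"+{PAM_SERVICE}" not in mapped:
            findings.append(f"[{name}] ad_gpo_map_service does not contain +{PAM_SERVICE}")
    return findings


if __name__ == "__main__":
    for label, sample in (("configured", CONFIGURED), ("drifted", DRIFTED)):
        print(label, audit_sssd_conf(sample) or "OK")
```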

Verification

  • To verify that AD users can log in to Satellite by entering their credentials, log in to Satellite web UI at https://satellite.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.
  • To verify that AD users can authenticate by using Kerberos single sign-on:

    • Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:

      $ kinit ad_user@AD.EXAMPLE.COM
    • Verify user authentication by using your TGT:

      $ curl -k -u : --negotiate https://satellite.example.com/users/extlogin
      
      <html><body>You are being <a href="satellite.example.com/hosts">redirected</a>.</body></html>

Troubleshooting

  • Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:

    Authentication failed with status code: {
      "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }

    If you see this error, verify which cipher is used for the connection:

    # openssl s_client -connect ldap.example.com:636

    If the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is used, disable it on either the Satellite Server side or on the AD side. The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is known to cause incompatibilities.

    For more information, see the Red Hat Knowledgebase solution API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication.

Additional resources

  • sssd-ad(5) man page on your system

5.3.2. Kerberos configuration in web browsers

For information on configuring Firefox, see Configuring Firefox to Use Kerberos for Single Sign-On in the Red Hat Enterprise Linux Configuring authentication and authorization in RHEL guide.

If you use the Internet Explorer browser, add Satellite Server to the list of Local Intranet or Trusted sites, and turn on the Enable Integrated Windows Authentication setting. See the Internet Explorer documentation for details.

5.3.3. Active Directory with cross-forest trust

Kerberos can create cross-forest trust that defines a relationship between two otherwise separate domain forests. A domain forest is a hierarchical structure of domains; both AD and Red Hat Identity Management constitute a forest. With a trust relationship enabled between AD and Red Hat Identity Management, users of AD can access Linux hosts and services using a single set of credentials. For more information on cross-forest trusts, see Planning a cross-forest trust between IdM and AD in Red Hat Enterprise Linux Planning Identity Management.

From the Satellite point of view, the configuration process is the same as integration with Red Hat Identity Management server without cross-forest trust configured. Satellite Server has to be enrolled in the IdM domain and integrated as described in Section 5.2, “Using Red Hat Identity Management”.

5.3.4. Configuring the Red Hat Identity Management server to use cross-forest trust

On the Red Hat Identity Management server, configure the server to use cross-forest trust.

Procedure

  1. Enable HBAC:

    1. Create an external group and add the AD group to it.
    2. Add the new external group to a POSIX group.
    3. Use the POSIX group in a HBAC rule.
  2. Configure sssd to transfer additional attributes of AD users.

    • Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

      [nss]
      user_attributes=+mail, +sn, +givenname
      [domain/EXAMPLE.com]
      ...
      krb5_store_password_if_offline = True
      ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname
      
      [ifp]
      allowed_uids = ipaapi, root
      user_attributes=+email, +firstname, +lastname
    • Verify the AD attributes value.

      # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname

5.4. Configuring external user groups

Satellite does not associate external users with their user group automatically. You must create a user group on Satellite with the same name as in the external source. Members of the external user group then automatically become members of the Satellite user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites

  • If you use an LDAP server, configure Satellite to use LDAP authentication. For more information see Section 5.1, “Using LDAP”.

    When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.

  • If you use a Red Hat Identity Management or AD server, configure Satellite to use Red Hat Identity Management or AD authentication. For more information, see Configuring External Authentication in Installing Satellite Server in a connected network environment.
  • Ensure that at least one external user authenticates for the first time.
  • Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:

    # id username

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups, and click Create User Group.
  2. Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.
  3. Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.
  4. Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

    Specify the exact name of the external group in the Name field.

  5. Click Submit.

5.5. Refreshing external user groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the interval between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure

  1. In the Satellite web UI, navigate to Administer > Usergroups and select a user group.
  2. On the External Groups tab, click Refresh to the right of the required user group.

CLI procedure

  • Enter the following command:

    # foreman-rake ldap:refresh_usergroups

5.6. Refreshing external user groups for Red Hat Identity Management or AD

External user groups based on Red Hat Identity Management or AD are refreshed only when a group member logs in to Satellite. It is not possible to alter user membership of external user groups in the Satellite web UI; such changes are overwritten on the next group refresh.

5.7. Configuring the Hammer CLI to use Red Hat Identity Management user authentication

This section describes how to configure the Satellite Hammer command-line interface (CLI) tool to use Red Hat Identity Management (IdM) to authenticate users.

Prerequisites

  • You are logged in to the host from which you want to access Satellite by using Hammer.

Procedure

  1. Enable sessions in the ~/.hammer/cli.modules.d/foreman.yml Hammer configuration file by adding the :use_sessions: true line to the foreman parameters:

    :foreman:
      :use_sessions: true

    Adding the line enforces session usage in Hammer. This means that Hammer performs the authentication request only once instead of with each hammer command.

  2. Optional: Enable negotiate authentication in the ~/.hammer/cli.modules.d/foreman.yml Hammer configuration file by adding the :default_auth_type: 'Negotiate_Auth' line to the foreman parameters:

    :foreman:
      :default_auth_type: 'Negotiate_Auth'
      :use_sessions: true

    Adding this line means that your authentication is negotiated when you enter the first hammer command. If this entry is present, Hammer tries to communicate with Satellite Server using the negotiation protocol.

5.8. External authentication for provisioned hosts

Use this section to configure Satellite Server or Capsule Server for Red Hat Identity Management realm support, then add hosts to the Red Hat Identity Management realm group.

Prerequisites

  • Satellite Server that is registered to the Content Delivery Network or an external Capsule Server that is registered to Satellite Server.
  • A deployed realm or domain provider such as Red Hat Identity Management.

To install and configure Red Hat Identity Management packages on Satellite Server or Capsule Server:

To use Red Hat Identity Management for provisioned hosts, complete the following steps to install and configure Red Hat Identity Management packages on Satellite Server or Capsule Server:

  1. Install the ipa-client package on Satellite Server or Capsule Server:

    # satellite-maintain packages install ipa-client
  2. Configure the server as a Red Hat Identity Management client:

    # ipa-client-install
  3. Create a realm proxy user, realm-capsule, and the relevant roles in Red Hat Identity Management:

    # foreman-prepare-realm admin realm-capsule

    Note the principal name that returns and your Red Hat Identity Management server configuration details because you require them for the following procedure.

To configure Satellite Server or Capsule Server for Red Hat Identity Management realm support:

Complete the following procedure on Satellite and every Capsule that you want to use:

  1. Copy the /root/freeipa.keytab file to any Capsule Server that you want to include in the same principal and realm:

    # scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
  2. On your Satellite Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:

    # mv /root/freeipa.keytab /etc/foreman-proxy
  3. On your Satellite Server and Capsule Servers, set ownership to the foreman-proxy user and group:

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
  4. Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:

    # satellite-installer --foreman-proxy-realm true \
    --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
    --foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \
    --foreman-proxy-realm-provider freeipa

    You can also use these options when you first configure the Satellite Server.

  5. Ensure that the latest version of the ca-certificates package is installed, and trust the Red Hat Identity Management Certificate Authority:

    # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
    # update-ca-trust enable
    # update-ca-trust
  6. Optional: If you configure Red Hat Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:

    1. Restart the foreman-proxy service:

      # systemctl restart foreman-proxy
    2. In the Satellite web UI, navigate to Infrastructure > Capsules.
    3. Locate the Capsule you have configured for Red Hat Identity Management and from the list in the Actions column, select Refresh.
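The keytab copied in steps 1 to 3 is the realm proxy's credential, so after the installer run it is worth confirming that the file holds the principal passed to --foreman-proxy-realm-principal and is readable only by its owner. The following is an added example, not part of the Satellite tooling: it parses the version 0x0502 keytab layout directly. The function names, the constructed sample keytab and the mode check (the procedure above only sets ownership) are assumptions of this example.

```python
import os
import stat
import struct


def _counted(buf, off):
    """Read a big-endian u16 length, then that many bytes; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off:off + n], off + n


def keytab_principals(data):
    """Return the set of 'name@REALM' principals in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    principals, off = set(), 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break                      # a zero length cannot hold an entry; stop
        if size < 0:                   # negative length marks a deleted slot
            off += -size
            continue
        entry, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, pos = _counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            comp, pos = _counted(entry, pos)
            parts.append(comp.decode("utf-8"))
        principals.add("/".join(parts) + "@" + realm.decode("utf-8"))
    return principals


def audit_keytab(path, expected_principal, expected_uid):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group or other access")
    with open(path, "rb") as fh:
        principals = keytab_principals(fh.read())
    if expected_principal not in principals:
        findings.append(f"principal {expected_principal} not in keytab")
    return findings


def build_sample_keytab(name, realm):
    """Constructed sample: one entry with a dummy all-zero AES256 key."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    entry = struct.pack(">H", 1) + counted(realm.encode()) + counted(name.encode())
    entry += struct.pack(">IIB", 1, 0, 1)                 # name type, timestamp, 8-bit kvno
    entry += struct.pack(">H", 18) + counted(bytes(32))   # enctype 18, 32-byte key
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry


if __name__ == "__main__":
    import pwd
    uid = pwd.getpwnam("foreman-proxy").pw_uid
    for finding in audit_keytab("/etc/foreman-proxy/freeipa.keytab",
                                "realm-capsule@EXAMPLE.COM", uid):
        print("FINDING:", finding)
```

Run it as root on Satellite Server and on each Capsule Server that received a copy of the keytab.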

To create a realm for the Red Hat Identity Management-enabled Capsule

After you configure your integrated or external Capsule with Red Hat Identity Management, you must create a realm and add the Red Hat Identity Management-configured Capsule to the realm.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
  2. In the Name field, enter a name for the realm.
  3. From the Realm Type list, select the type of realm.
  4. From the Realm Capsule list, select Capsule Server where you have configured Red Hat Identity Management.
  5. Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
  6. Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
  7. Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

  1. In the Satellite web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
  2. From the Realm list, select the realm you created as part of this procedure, and then click Submit.

Adding hosts to a Red Hat Identity Management host group

Red Hat Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Red Hat Identity Management parameter userclass, which allows administrators to configure automembership.

When nested host groups are used, they are sent to the Red Hat Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".

Satellite Server or Capsule Server sends updates to the Red Hat Identity Management server; however, automembership rules are only applied at initial registration.

To add hosts to a Red Hat Identity Management host group:

  1. On the Red Hat Identity Management server, create a host group:

    # ipa hostgroup-add hostgroup_name --desc=hostgroup_description
  2. Create an automembership rule:

    # ipa automember-add --type=hostgroup hostgroup_name automember_rule

    Where you can use the following options:

    • automember-add flags the group as an automember group.
    • --type=hostgroup identifies that the target group is a host group, not a user group.
    • automember_rule adds the name you want to identify the automember rule by.
  3. Define an automembership condition based on the userclass attribute:

    # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
    ----------------------------------
    Added condition(s) to "hostgroup_name"
    ----------------------------------
    Automember Rule: automember_rule
    Inclusive Regex: userclass=^webserver
    ----------------------------
    Number of conditions added 1
    ----------------------------

    Where you can use the following options:

    • automember-add-condition adds regular expression conditions to identify group members.
    • --key=userclass specifies the key attribute as userclass.
    • --type=hostgroup identifies that the target group is a host group, not a user group.
    • --inclusive-regex=^webserver identifies matching values with a regular expression pattern.
    • hostgroup_name identifies the target host group’s name.

When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Red Hat Identity Management server’s "hostgroup_name" host group. Red Hat Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Red Hat Identity Management functions.
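Because membership in the Red Hat Identity Management host group can carry HBAC and sudo policy, it helps to see exactly which userclass values a condition admits before relying on it. The following added example, which is not part of the original procedure, evaluates the ^webserver condition from step 3 against nested host group titles. The sample titles and the hostgroup_strict rule are constructed for illustration, Python's re.search stands in for the directory server's regular expression matching (an assumption), and the example goes beyond the page by including exclusive conditions, which ipa automember-add-condition accepts through --exclusive-regex.

```python
import re

# Constructed sample: host group titles as Satellite sends them in userclass.
# Nested groups arrive as the full path, for example "Parent/Child".
SATELLITE_HOSTGROUPS = [
    "webserver",
    "webserver/frontend",
    "webserver/sandbox",
    "webserver-sandbox",
    "Production/webserver",
    "database",
]

# Automember rules keyed by IdM host group name.
RULES = {
    # The rule built in the procedure above.
    "hostgroup_name": {"inclusive": [r"^webserver"], "exclusive": []},
    # Hypothetical tightened rule: only "webserver" itself or its children,
    # and never anything with "sandbox" in its path.
    "hostgroup_strict": {"inclusive": [r"^webserver(/|$)"],
                         "exclusive": [r"sandbox"]},
}


def evaluate(userclass, rules):
    """Return the IdM host groups whose rule admits this userclass value."""
    hits = []
    for group, cond in rules.items():
        # An exclusive match wins over any inclusive match.
        if any(re.search(p, userclass) for p in cond["exclusive"]):
            continue
        if any(re.search(p, userclass) for p in cond["inclusive"]):
            hits.append(group)
    return hits


def report(userclasses, rules):
    """Map every userclass value to the host groups it would be enrolled in."""
    return {u: evaluate(u, rules) for u in userclasses}


def unintended(userclasses, rules, group, intended):
    """List userclass values that land in `group` but are not in `intended`."""
    members = {u for u in userclasses if group in evaluate(u, rules)}
    return sorted(members - set(intended))


if __name__ == "__main__":
    for userclass, groups in report(SATELLITE_HOSTGROUPS, RULES).items():
        print(f"{userclass:24} -> {groups or 'no automember match'}")
    print("over-matched by ^webserver:",
          unintended(SATELLITE_HOSTGROUPS, RULES, "hostgroup_name",
                     ["webserver", "webserver/frontend"]))
```

The prefix-only pattern also admits webserver-sandbox and webserver/sandbox, while Production/webserver is not matched because the value starts with the parent group's name.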

5.9. Configuring Satellite with Red Hat Single Sign-On authentication

Use this section to configure Satellite to use Red Hat Single Sign-On as an OpenID provider for external authentication.

5.9.1. Prerequisites for configuring Satellite with Red Hat Single Sign-On authentication

Before configuring Satellite with Red Hat Single Sign-On external authentication, ensure that you meet the following requirements:

  • A working installation of Red Hat Single Sign-On server that uses HTTPS instead of HTTP.
  • A Red Hat Single Sign-On account with admin privileges.
  • A realm for Satellite user accounts created in Red Hat Single Sign-On.
  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.
  • Users imported or added to Red Hat Single Sign-On.

    If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation. For more information, see User Storage Federation in the Red Hat Single Sign-On Server Administration Guide.

    If you do not have an existing user database configured, you can manually create users in Red Hat Single Sign-On. For more information, see Creating New Users in the Red Hat Single Sign-On Server Administration Guide.

5.9.2. Registering Satellite as a Red Hat Single Sign-On client

Use this procedure to register Satellite to Red Hat Single Sign-On as a client and configure Satellite to use Red Hat Single Sign-On as an authentication source.

You can configure Satellite and Red Hat Single Sign-On with one of these authentication methods:

  1. Users authenticate to Satellite using the Satellite web UI.
  2. Users authenticate to Satellite using the Satellite CLI.
Note

Red Hat Single Sign-On users cannot use both Satellite web UI and Hammer CLI authentication in Satellite at the same time.

You must decide on how you want your users to authenticate in advance because both methods require different Satellite clients to be registered to Red Hat Single Sign-On and configured. The steps to register and configure Satellite client in Red Hat Single Sign-On are distinguished within the procedure.

Procedure

  1. On Satellite Server, install the following packages:

    # satellite-maintain packages install mod_auth_openidc keycloak-httpd-client-install python3-lxml
  2. Register Satellite to Red Hat Single Sign-On as a client. Note that the registration processes for logging in using the web UI and the CLI are different.

    • If you want your users to authenticate to Satellite using the web UI, create a client as follows:

      # keycloak-httpd-client-install --app-name foreman-openidc \
      --keycloak-server-url "https://RHSSO.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "Satellite_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administrator account when prompted. This command creates a client for Satellite in Red Hat Single Sign-On.

      Then, configure Satellite to use Red Hat Single Sign-On as an authentication source:

      # satellite-installer --foreman-keycloak true \
      --foreman-keycloak-app-name "foreman-openidc" \
      --foreman-keycloak-realm "Satellite_Realm"
    • If you want your users to authenticate to Satellite using the CLI, create a client as follows:

      # keycloak-httpd-client-install --app-name hammer-openidc \
      --keycloak-server-url "https://RHSSO.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "Satellite_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administrator account when prompted. This command creates a client for Satellite in Red Hat Single Sign-On.

  3. Restart the httpd service:

    # systemctl restart httpd

5.9.3. Configuring the Satellite client in Red Hat Single Sign-On

Use this procedure to configure the Satellite client in the Red Hat Single Sign-On web UI and create group and audience mappers for the Satellite client.

Procedure

  1. In the Red Hat Single Sign-On web UI, navigate to Clients and click the Satellite client.
  2. Configure access type:

    • If you want your users to authenticate to Satellite using the Satellite web UI, from the Access Type list, select confidential.
    • If you want your users to authenticate to Satellite using the CLI, from the Access Type list, select public.
  3. In the Valid redirect URI fields, add a valid redirect URI.

    • If you want your users to authenticate to Satellite using the Satellite web UI, in the blank field below the existing URI, enter a URI in the form https://satellite.example.com/users/extlogin. Note that you must add the string /users/extlogin after the Satellite FQDN.

      After completing this step, the Satellite client for logging in using the Satellite web UI must have the following Valid Redirect URIs:

      https://satellite.example.com/users/extlogin/redirect_uri
      https://satellite.example.com/users/extlogin
    • If you want your users to authenticate to Satellite using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.

      After completing this step, the Satellite client for logging in using the CLI must have the following Valid Redirect URIs:

      https://satellite.example.com/users/extlogin/redirect_uri
      urn:ietf:wg:oauth:2.0:oob
  4. Click Save.
  5. Click the Mappers tab and click Create to add an audience mapper.
  6. In the Name field, enter a name for the audience mapper.
  7. From the Mapper Type list, select Audience.
  8. From the Included Client Audience list, select the Satellite client.
  9. Click Save.
  10. Click Create to add a group mapper so that you can specify authorization in Satellite based on group membership.
  11. In the Name field, enter a name for the group mapper.
  12. From the Mapper Type list, select Group Membership.
  13. In the Token Claim Name field, enter groups.
  14. Set the Full group path setting to OFF.
  15. Click Save.

5.9.4. Configuring Satellite settings for Red Hat Single Sign-On authentication

Use this section to configure Satellite for Red Hat Single Sign-On authentication using the Satellite web UI or the CLI.

5.9.4.1. Configuring Satellite settings for Red Hat Single Sign-On authentication using the web UI

Use this procedure to configure Satellite settings for Red Hat Single Sign-On authentication using the Satellite web UI.

Note that you can navigate to the following URL within your realm to obtain values to configure Satellite settings: https://RHSSO.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration

Prerequisites

  • Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to confidential.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings, and click the Authentication tab.
  2. Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
  3. Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
  4. Locate the Login delegation logout URL row, and in the Value column, set the value to https://satellite.example.com/users/extlogout.
  5. Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Red Hat Single Sign-On to RS256.
  6. Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Red Hat Single Sign-On.
  7. Locate the OIDC Issuer row, and in the Value column, set the value to https://RHSSO.example.com/auth/realms/Satellite_Realm.
  8. Locate the OIDC JWKs URL row, and in the Value column, set the value to https://RHSSO.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs.
  9. In the Satellite web UI, navigate to Administer > Authentication Sources, click the vertical ellipsis on the External card, and select Edit.
  10. Click the Locations tab and add locations that can use the Red Hat Single Sign-On authentication source.
  11. Click the Organizations tab and add organizations that can use the Red Hat Single Sign-On authentication source.
  12. Click Submit.

5.9.4.2. Configuring Satellite settings for Red Hat Single Sign-On authentication using the CLI

Use this procedure to configure Satellite settings for Red Hat Single Sign-On authentication using the Satellite CLI.

Note that you can navigate to the following URL within your realm to obtain values to configure Satellite settings: https://RHSSO.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration

Prerequisites

  • Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to public.

Procedure

  1. On Satellite, set the login delegation to true so that users can authenticate using the OpenID Connect (OIDC) protocol:

    # hammer settings set --name authorize_login_delegation --value true
  2. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://satellite.example.com/users/extlogout
  3. Set the algorithm for encoding on Red Hat Single Sign-On, for example, RS256:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  4. Open the https://RHSSO.example.com/auth/realms/RHSSO_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.
  5. Add the value for the Hammer client in the OIDC audience:

    # hammer settings set --name oidc_audience \
    --value "['satellite.example.com-hammer-openidc']"
  6. Set the value for the OIDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "https://RHSSO.example.com/auth/realms/RHSSO_Realm"
  7. Set the value for the OIDC JSON Web Key Set (JWKS) URL:

    # hammer settings set --name oidc_jwks_url \
    --value "https://RHSSO.example.com/auth/realms/RHSSO_Realm/protocol/openid-connect/certs"
  8. Retrieve the ID of the Red Hat Single Sign-On authentication source:

    # hammer auth-source external list
  9. Set the location and organization:

    # hammer auth-source external update --id Authentication_Source_ID \
    --location-ids Location_ID --organization-ids Organization_ID

5.9.5. Logging in to the Satellite web UI using Red Hat Single Sign-On

Use this procedure to log in to the Satellite web UI using Red Hat Single Sign-On.

Procedure

  • In your browser, log in to Satellite and enter your credentials.

5.9.6. Logging in to the Satellite CLI using Red Hat Single Sign-On

Use this procedure to authenticate to the Satellite CLI using the code grant type.

Procedure

  1. To authenticate to the Satellite CLI using the code grant type, enter the following command:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://RHSSO.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://RHSSO.example.com/auth' \
    --oidc-client-id 'satellite.example.com-foreman-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    The command prompts you to enter a success code.

  2. To retrieve the success code, navigate to the URL that the command returns and provide the required information.
  3. Copy the success code that the web UI returns.
  4. In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Satellite CLI.

5.9.7. Configuring group mapping for Red Hat Single Sign-On authentication

Optionally, to implement Role-Based Access Control (RBAC), create a group in Satellite, assign a role to this group, and then map an Active Directory group to the Satellite group. As a result, anyone in the given group in Red Hat Single Sign-On is logged in under the corresponding Satellite group. This example configures users of the Satellite-admin user group in Active Directory to authenticate as users with administrator privileges on Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups.
  2. Click Create User Group.
  3. In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.
  4. Do not add users and user groups to the right-hand columns. Click the Roles tab.
  5. Select the Administer checkbox.
  6. Click the External Groups tab.
  7. Click Add external user group.
  8. In the Name field, enter the name of the Active Directory group.
  9. From the list, select EXTERNAL.

5.10. Configuring Red Hat Single Sign-On authentication with TOTP

Use this section to configure Satellite to use Red Hat Single Sign-On as an OpenID provider for external authentication with TOTP cards.

5.10.1. Prerequisites for configuring Satellite with Red Hat Single Sign-On authentication

Before configuring Satellite with Red Hat Single Sign-On external authentication, ensure that you meet the following requirements:

  • A working installation of Red Hat Single Sign-On server that uses HTTPS instead of HTTP.
  • A Red Hat Single Sign-On account with admin privileges.
  • A realm for Satellite user accounts created in Red Hat Single Sign-On.
  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.
  • Users imported or added to Red Hat Single Sign-On.

    If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation. For more information, see User Storage Federation in the Red Hat Single Sign-On Server Administration Guide.

    If you do not have an existing user database configured, you can manually create users in Red Hat Single Sign-On. For more information, see Creating New Users in the Red Hat Single Sign-On Server Administration Guide.

5.10.2. Registering Satellite as a Red Hat Single Sign-On client

Use this procedure to register Satellite to Red Hat Single Sign-On as a client and configure Satellite to use Red Hat Single Sign-On as an authentication source.

You can configure Satellite and Red Hat Single Sign-On with one of these authentication methods:

  1. Users authenticate to Satellite using the Satellite web UI.
  2. Users authenticate to Satellite using the Satellite CLI.
Note

Red Hat Single Sign-On users cannot use both Satellite web UI and Hammer CLI authentication in Satellite at the same time.

You must decide on how you want your users to authenticate in advance because both methods require different Satellite clients to be registered to Red Hat Single Sign-On and configured. The steps to register and configure Satellite client in Red Hat Single Sign-On are distinguished within the procedure.

Procedure

  1. On Satellite Server, install the following packages:

    # satellite-maintain packages install mod_auth_openidc keycloak-httpd-client-install python3-lxml
  2. Register Satellite to Red Hat Single Sign-On as a client. Note that the registration processes for logging in using the web UI and the CLI are different.

    • If you want your users to authenticate to Satellite using the web UI, create a client as follows:

      # keycloak-httpd-client-install --app-name foreman-openidc \
      --keycloak-server-url "https://RHSSO.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "Satellite_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administrator account when prompted. This command creates a client for Satellite in Red Hat Single Sign-On.

      Then, configure Satellite to use Red Hat Single Sign-On as an authentication source:

      # satellite-installer --foreman-keycloak true \
      --foreman-keycloak-app-name "foreman-openidc" \
      --foreman-keycloak-realm "Satellite_Realm"
    • If you want your users to authenticate to Satellite using the CLI, create a client as follows:

      # keycloak-httpd-client-install --app-name hammer-openidc \
      --keycloak-server-url "https://RHSSO.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "Satellite_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administrator account when prompted. This command creates a client for Satellite in Red Hat Single Sign-On.

  3. Restart the httpd service:

    # systemctl restart httpd

5.10.3. Configuring the Satellite client in Red Hat Single Sign-On

Use this procedure to configure the Satellite client in the Red Hat Single Sign-On web UI and create group and audience mappers for the Satellite client.

Procedure

  1. In the Red Hat Single Sign-On web UI, navigate to Clients and click the Satellite client.
  2. Configure access type:

    • If you want your users to authenticate to Satellite using the Satellite web UI, from the Access Type list, select confidential.
    • If you want your users to authenticate to Satellite using the CLI, from the Access Type list, select public.
  3. In the Valid redirect URI fields, add a valid redirect URI.

    • If you want your users to authenticate to Satellite using the Satellite web UI, in the blank field below the existing URI, enter a URI in the form https://satellite.example.com/users/extlogin. Note that you must add the string /users/extlogin after the Satellite FQDN.

      After completing this step, the Satellite client for logging in using the Satellite web UI must have the following Valid Redirect URIs:

      https://satellite.example.com/users/extlogin/redirect_uri
      https://satellite.example.com/users/extlogin
    • If you want your users to authenticate to Satellite using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.

      After completing this step, the Satellite client for logging in using the CLI must have the following Valid Redirect URIs:

      https://satellite.example.com/users/extlogin/redirect_uri
      urn:ietf:wg:oauth:2.0:oob
  4. Click Save.
  5. Click the Mappers tab and click Create to add an audience mapper.
  6. In the Name field, enter a name for the audience mapper.
  7. From the Mapper Type list, select Audience.
  8. From the Included Client Audience list, select the Satellite client.
  9. Click Save.
  10. Click Create to add a group mapper so that you can specify authorization in Satellite based on group membership.
  11. In the Name field, enter a name for the group mapper.
  12. From the Mapper Type list, select Group Membership.
  13. In the Token Claim Name field, enter groups.
  14. Set the Full group path setting to OFF.
  15. Click Save.

5.10.4. Configuring Satellite settings for Red Hat Single Sign-On authentication

Use this section to configure Satellite for Red Hat Single Sign-On authentication using the Satellite web UI or the CLI.

5.10.4.1. Configuring Satellite settings for Red Hat Single Sign-On authentication using the web UI

Use this procedure to configure Satellite settings for Red Hat Single Sign-On authentication using the Satellite web UI.

Note that you can navigate to the following URL within your realm to obtain values to configure Satellite settings: https://RHSSO.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration

Prerequisites

  • Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to confidential.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings, and click the Authentication tab.
  2. Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
  3. Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
  4. Locate the Login delegation logout URL row, and in the Value column, set the value to https://satellite.example.com/users/extlogout.
  5. Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Red Hat Single Sign-On to RS256.
  6. Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Red Hat Single Sign-On.
  7. Locate the OIDC Issuer row, and in the Value column, set the value to https://RHSSO.example.com/auth/realms/Satellite_Realm.
  8. Locate the OIDC JWKs URL row, and in the Value column, set the value to https://RHSSO.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs.
  9. In the Satellite web UI, navigate to Administer > Authentication Sources, click the vertical ellipsis on the External card, and select Edit.
  10. Click the Locations tab and add locations that can use the Red Hat Single Sign-On authentication source.
  11. Click the Organizations tab and add organizations that can use the Red Hat Single Sign-On authentication source.
  12. Click Submit.

5.10.4.2. Configuring Satellite settings for Red Hat Single Sign-On authentication using the CLI

Use this procedure to configure Satellite settings for Red Hat Single Sign-On authentication using the Satellite CLI.

Note that you can navigate to the following URL within your realm to obtain values to configure Satellite settings: https://RHSSO.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration

Prerequisites

  • Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to public.

Procedure

  1. On Satellite, set the login delegation to true so that users can authenticate using the OpenID Connect (OIDC) protocol:

    # hammer settings set --name authorize_login_delegation --value true
  2. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://satellite.example.com/users/extlogout
  3. Set the algorithm for encoding on Red Hat Single Sign-On, for example, RS256:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  4. Open the https://RHSSO.example.com/auth/realms/RHSSO_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.
  5. Add the value for the Hammer client in the OIDC audience:

    # hammer settings set --name oidc_audience \
    --value "['satellite.example.com-hammer-openidc']"
  6. Set the value for the OIDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "https://RHSSO.example.com/auth/realms/RHSSO_Realm"
  7. Set the value for the OIDC JSON Web Key Set (JWKS) URL:

    # hammer settings set --name oidc_jwks_url \
    --value "https://RHSSO.example.com/auth/realms/RHSSO_Realm/protocol/openid-connect/certs"
  8. Retrieve the ID of the Red Hat Single Sign-On authentication source:

    # hammer auth-source external list
  9. Set the location and organization:

    # hammer auth-source external update --id Authentication_Source_ID \
    --location-ids Location_ID --organization-ids Organization_ID
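The OIDC settings in sections 5.9.4 and 5.10.4 must agree exactly with the realm's openid-configuration document, and a mismatch is easy to introduce by hand. The following added example, not part of Satellite or Hammer, compares a set of Satellite setting values with a discovery document. The discovery document, both settings dictionaries and the function name are constructed for illustration; the setting names and the client ID are the ones used in the CLI procedure.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a realm's /.well-known/openid-configuration document.
DISCOVERY = json.loads("""
{
  "issuer": "https://RHSSO.example.com/auth/realms/Satellite_Realm",
  "jwks_uri": "https://RHSSO.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs",
  "id_token_signing_alg_values_supported": ["RS256", "RS384", "ES256"]
}
""")

CLIENT_ID = "satellite.example.com-hammer-openidc"

# Constructed sample: settings that agree with the discovery document.
GOOD = {
    "authorize_login_delegation": True,
    "login_delegation_logout_url": "https://satellite.example.com/users/extlogout",
    "oidc_algorithm": "RS256",
    "oidc_audience": [CLIENT_ID],
    "oidc_issuer": DISCOVERY["issuer"],
    "oidc_jwks_url": DISCOVERY["jwks_uri"],
}

# Constructed sample: scheme-less issuer for another realm, a symmetric
# algorithm, and the audience of a different client.
BAD = dict(
    GOOD,
    oidc_issuer="RHSSO.example.com/auth/realms/RHSSO_Realm",
    oidc_algorithm="HS256",
    oidc_audience=["satellite.example.com-foreman-openidc"],
)


def check_oidc_settings(settings, discovery, client_id):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    if settings.get("authorize_login_delegation") is not True:
        findings.append("authorize_login_delegation is not true")

    # The issuer and JWKS URL must equal the discovery values exactly:
    # a missing scheme, another realm or a trailing slash all count.
    for name, field in (("oidc_issuer", "issuer"), ("oidc_jwks_url", "jwks_uri")):
        value = settings.get(name, "")
        if urlsplit(value).scheme != "https":
            findings.append(f"{name} is not an https:// URL: {value!r}")
        if value != discovery[field]:
            findings.append(f"{name} differs from discovery field {field}")

    alg = settings.get("oidc_algorithm")
    if alg not in discovery["id_token_signing_alg_values_supported"]:
        findings.append(f"oidc_algorithm {alg!r} is not offered by the realm")

    if client_id not in (settings.get("oidc_audience") or []):
        findings.append(f"oidc_audience does not contain {client_id!r}")

    logout = settings.get("login_delegation_logout_url", "")
    if urlsplit(logout).scheme != "https":
        findings.append("login_delegation_logout_url is not an https:// URL")
    return findings


if __name__ == "__main__":
    for label, settings in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_oidc_settings(settings, DISCOVERY, CLIENT_ID) or "ok")
```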

5.10.5. Configuring Satellite with Red Hat Single Sign-On for TOTP authentication

Use this procedure to configure Satellite to use Red Hat Single Sign-On as an OpenID provider for external authentication with Time-based One-time Password (TOTP).

Procedure

  1. In the Red Hat Single Sign-On web UI, navigate to the Satellite realm.
  2. Navigate to Authentication, and click the OTP Policy tab.
  3. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
  4. Configure the OTP settings to suit your requirements.
  5. Optional: If you want to use TOTP authentication as a default authentication method for all users, click the Flows tab, and to the right of the OTP Form setting, select REQUIRED.
  6. Click the Required Actions tab.
  7. To the right of the Configure OTP row, select the Default Action checkbox.

5.10.6. Logging in to the Satellite web UI using Red Hat Single Sign-On TOTP authentication

Use this procedure to log in to the Satellite web UI using Red Hat Single Sign-On TOTP authentication.

Procedure

  1. Log in to Satellite. Satellite redirects you to the Red Hat Single Sign-On login screen.
  2. Enter your username and password, and click Log In.
  3. On your first login attempt, Red Hat Single Sign-On prompts you to configure your client by scanning the barcode and entering the PIN displayed.
  4. After you configure your client and enter a valid PIN, Red Hat Single Sign-On redirects you to Satellite and logs you in.

5.10.7. Logging in to the Satellite CLI using Red Hat Single Sign-On

Use this procedure to authenticate to the Satellite CLI using the code grant type.

Procedure

  1. To authenticate to the Satellite CLI using the code grant type, enter the following command:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://RHSSO.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://RHSSO.example.com/auth' \
    --oidc-client-id 'satellite.example.com-foreman-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    The command prompts you to enter a success code.

  2. To retrieve the success code, navigate to the URL that the command returns and provide the required information.
  3. Copy the success code that the web UI returns.
  4. In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Satellite CLI.

5.10.8. Configuring group mapping for Red Hat Single Sign-On authentication

Optionally, to implement role-based access control (RBAC), create a group in Satellite, assign a role to this group, and then map an Active Directory group to the Satellite group. As a result, anyone in the given group in Red Hat Single Sign-On is logged in under the corresponding Satellite group. This example configures users of the Satellite-admin user group in Active Directory to authenticate as users with administrator privileges on Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups.
  2. Click Create User Group.
  3. In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.
  4. Do not add users and user groups to the right-hand columns. Click the Roles tab.
  5. Select the Administer checkbox.
  6. Click the External Groups tab.
  7. Click Add external user group.
  8. In the Name field, enter the name of the Active Directory group.
  9. From the list, select EXTERNAL.