Chapter 3. Configuring Kerberos SSO with Identity Management in Satellite


Identity Management is an open-source identity management solution that provides centralized authentication, authorization, and account management services. With Satellite, you can integrate Satellite Server with your existing Identity Management server to enable Identity Management users to authenticate to Satellite.

With your Identity Management server configured as an external identity provider, users defined in Identity Management can log in to Satellite with their Identity Management credentials. If cross-forest trust is configured between Identity Management and Active Directory, Active Directory users can also log in to Satellite.

Identity Management users can log in using the following methods:

  • Username and password
  • Kerberos single sign-on

When cross-forest trust is configured between Identity Management and Active Directory, Active Directory users can log in to Satellite with their user principal name (UPN) and password.

For information about Identity Management, including its cross-forest trust functionality, see Red Hat Enterprise Linux 8 Planning Identity Management and Red Hat Enterprise Linux 8 Installing Identity Management.

Create a host entry for your Satellite Server system in the Identity Management LDAP and configure the system to be a client in your Identity Management domain.

Prerequisites

  • An existing Identity Management server
  • Identity Management user account with privileges to enroll new Identity Management hosts

Procedure

  1. On the Identity Management server:

    1. Create a host entry for the Satellite Server system.

      For more information, see Red Hat Enterprise Linux 8 Configuring and managing Identity Management or Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.

    2. Create an entry for the HTTP service for Satellite Server. This enables access to the keytab file by creating a service principal for your Satellite Server.

      For more information on creating a service entry in Identity Management, see Red Hat Enterprise Linux 8 Managing IdM users, groups, hosts, and access control rules or Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.

  2. On your Satellite Server, configure the system as a client in the Identity Management domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the ipa-client-install utility.

    For more information, see Red Hat Enterprise Linux 8 Installing Identity Management or Red Hat Enterprise Linux 9 Installing Identity Management.

Verification

  • On your Satellite Server, check that you are able to resolve a user defined on the Identity Management server. For example, to check the admin user that Identity Management creates by default:

    $ id admin

Example 3.1. Enrolling a Satellite Server system as an Identity Management client from the command line by using a one-time password

On the Identity Management server, a user named admin who has administrative privileges on the Identity Management server prepares a host entry for the Satellite Server system:

  1. Authenticate as the Identity Management admin user:

    # kinit admin
  2. Optional: Verify that you have authenticated successfully:

    # klist
  3. Create a host entry from the command line. Specify that you want to use a random password for the enrollment. The password is a one-time enrollment secret: ipa-client-install consumes it and it is useless afterwards, so it can be handed to the Satellite Server administrator out of band.

    # ipa host-add --random satellite-server.example.com
    --------------------------------------------------
    Added host "satellite-server.example.com"
    --------------------------------------------------
      Host name: satellite-server.example.com
      Random password: W5YpARl=7M.n
      Password: True
      Keytab: False
      Managed by: ipa-server.example.com
  4. Enable access to the keytab file by creating a service principal for your Satellite Server:

    # ipa service-add HTTP/satellite-server.example.com

On the Satellite Server system, a user with Satellite administrative privileges enrolls the system into the Identity Management domain:

  1. Install the Identity Management client packages:

    # satellite-maintain packages install ipa-client
  2. Configure the Satellite Server system as a client in Identity Management by using the random password produced by ipa host-add in a previous step. If DNS autodiscovery does not locate your Identity Management server, also pass --domain, --realm, and --server:

    # ipa-client-install --password 'W5YpARl=7M.n'
  3. Verify that you are able to resolve the Identity Management admin user from your Satellite Server:

    $ id admin
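
A pre-flight script for the enrolled Satellite Server, added here as an example and not part of the Satellite documentation. It checks the things that most often break Kerberos SSO: that the host name is fully qualified and that forward and reverse DNS agree, that the HTTP keytab holds the principal for this host, and that a Negotiate request to the API succeeds. That last check also demonstrates the warning in the next procedure directly: it returns 200 with nothing but a TGT in the ticket cache. The keytab path /etc/httpd/conf/ipa.keytab, the /api/current_user endpoint and the SATELLITE_* environment variables are assumptions, not something the page states; without SATELLITE_LIVE set, the script only runs an offline self-check on a constructed klist listing.

```shell
#!/bin/sh
# Pre-flight checks for Kerberos SSO on an IdM-enrolled Satellite Server.
# Added example; not part of the Satellite documentation.
# Assumptions (not stated on the page): the HTTP keytab fetched by
# satellite-installer is /etc/httpd/conf/ipa.keytab, the realm is the
# default_realm in /etc/krb5.conf, and GET /api/current_user answers for
# an authenticated caller.
set -eu

KEYTAB=${SATELLITE_KEYTAB:-/etc/httpd/conf/ipa.keytab}

fail() { printf 'FAIL: %s\n' "$1" >&2; exit 1; }

# Kerberos service principals use the lowercase FQDN and the uppercase realm;
# a short or mixed-case host name yields a principal the KDC does not know.
http_principal() {
  printf 'HTTP/%s@%s\n' \
    "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
    "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# A host can only be enrolled and addressed by SPN under a fully qualified name.
is_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Reads `klist -kt` output on stdin; succeeds if the keytab holds the principal.
keytab_lists_principal() {
  grep -qF -- " $1"
}

# Constructed sample of `klist -kt` output for the offline self-check.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 10:00:00 HTTP/satellite-server.example.com@EXAMPLE.COM
   2 01/01/2024 10:00:00 HTTP/satellite-server.example.com@EXAMPLE.COM'

run_live_checks() {
  fqdn=$(hostname -f)
  is_fqdn "$fqdn" || fail "hostname -f returned '$fqdn', not a fully qualified name"

  # Forward and reverse DNS must agree: Kerberos clients canonicalise the SPN via DNS.
  ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
  rname=$(getent hosts "$ip" | awk '{print $2; exit}')
  [ "$rname" = "$fqdn" ] || fail "reverse lookup of $ip gives '$rname', expected '$fqdn'"

  realm=${SATELLITE_REALM:-$(awk -F'= *' '/^[[:space:]]*default_realm/ {print $2; exit}' /etc/krb5.conf)}
  principal=$(http_principal "$fqdn" "$realm")
  klist -kt "$KEYTAB" | keytab_lists_principal "$principal" \
    || fail "$KEYTAB does not contain $principal (re-run satellite-installer)"

  # With a TGT in the cache and API Negotiate auth enabled this returns 200 without
  # any password: the ticket cache is the credential (see the warning on API access).
  code=$(curl --negotiate -u : -s -o /dev/null -w '%{http_code}' "https://$fqdn/api/current_user")
  [ "$code" = 200 ] || fail "Negotiate login to the API returned HTTP $code (expected 200)"
  echo "all checks passed for $principal"
}

if [ -n "${SATELLITE_LIVE:-}" ]; then
  run_live_checks
else
  # Offline self-check on the constructed sample; run with SATELLITE_LIVE=1
  # as root on the enrolled Satellite Server (after kinit) for the real checks.
  printf '%s\n' "$SAMPLE_KLIST" \
    | keytab_lists_principal "$(http_principal satellite-server.example.com example.com)" \
    || fail "self-check: principal not found in the sample keytab listing"
  echo "self-check ok; set SATELLITE_LIVE=1 to check this host"
fi
```

Run it as root on Satellite Server after kinit as an Identity Management user; a 200 from /api/current_user proves both that SSO works and that the user's credential cache alone grants API access.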

Enable Identity Management users to access Satellite by configuring Identity Management as an authentication provider on your Satellite Server.

Prerequisites

  • Satellite Server running on a system that is enrolled in the Identity Management domain.

Procedure

  • To enable access to the Satellite web UI only:

    # satellite-installer \
    --foreman-ipa-authentication=true
  • To enable access to the Satellite web UI and the Satellite API, including Hammer CLI:

    # satellite-installer \
    --foreman-ipa-authentication-api=true \
    --foreman-ipa-authentication=true
    Warning

    Enabling access to both the Satellite web UI and the Satellite API poses a security risk. With API access enabled, a valid Kerberos ticket-granting ticket (TGT) is sufficient to open an API session: once the Identity Management user has run kinit, any process running as that user, or anyone able to read the user's credential cache, can authenticate to the API with the ticket alone. The attack is possible even if the user never entered the Satellite login credentials anywhere, for example in the browser.

  • To disable external authentication with Identity Management, reset the options. For example, to disable access to the Satellite API and Hammer CLI:

    # satellite-installer --reset-foreman-ipa-authentication-api

Verification

  • Log in to Satellite web UI by entering the credentials of a user defined in Identity Management.

You can use host-based access control (HBAC) rules to manage access control within your Identity Management domain. In Identity Management, HBAC rules define which users can access which hosts and which services can be used to gain access.

For example, you can configure HBAC on the Identity Management server to limit access to Satellite Server only to selected users or user groups. By configuring a HBAC rule in the Identity Management domain, you can ensure Satellite does not create database entries for users who should not have access.

Prerequisites

  • Identity Management user account with privileges to configure HBAC rules

Procedure

  1. On the Identity Management server, configure HBAC control. For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules or Red Hat Enterprise Linux 8 Managing IdM users, groups, hosts, and access control rules.

    1. Create a HBAC service for Satellite Server.
    2. Create a new HBAC rule to define the required access control. Add the following Identity Management entities to the HBAC rule:

      1. The HBAC service for Satellite Server
      2. The Satellite Server host
      3. The users or user groups to whom you want to grant access
    3. Make sure the default Identity Management allow_all rule is disabled. For information about how to disable allow_all without disrupting other services, see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.
  2. On your Satellite Server, load the host-based access control rules from Identity Management. The value of --foreman-pam-service must be the name of the HBAC service you created in the previous step: Satellite authenticates through a PAM service of that name, and SSSD evaluates the HBAC rules for that service.

    # satellite-installer --foreman-pam-service=foreman-prod

Verification

  • Log in to the Satellite web UI as a user defined in Identity Management.

    • If the user is included in the HBAC rule, Satellite web UI will grant access.
    • If the user is not included in the HBAC rule, Satellite web UI will not grant access.

Example 3.2. Configuring host-based access control to allow access to Satellite only for selected Identity Management users by using the command line

On the Identity Management server, a user with administrative privileges configures a HBAC rule to allow selected users access to Satellite Server:

  1. Authenticate as the user with privileges required to configure HBAC rules:

    $ kinit admin
  2. Optional: Verify that you have authenticated successfully:

    $ klist
  3. Create a new HBAC service named satellite-prod:

    $ ipa hbacsvc-add satellite-prod
  4. Create a new HBAC rule:

    $ ipa hbacrule-add allow-satellite-prod
  5. Add the following Identity Management entities to the HBAC rule:

    1. The satellite-prod HBAC service:

      $ ipa hbacrule-add-service allow-satellite-prod --hbacsvcs=satellite-prod
    2. The Satellite Server host:

      $ ipa hbacrule-add-host allow-satellite-prod --hosts=satellite.example.com
    3. The users or user groups to whom you want to grant access. Prefer a user group (--groups=) so that access follows group membership rather than a list of individual users:

      $ ipa hbacrule-add-user allow-satellite-prod --users=ipa-user
  6. Optional: Verify the status of the rule. Until allow_all is disabled in the next step, hbactest reports access granted for every user, because allow_all still matches:

    $ ipa hbacrule-show allow-satellite-prod
    $ ipa hbactest --user=ipa-user --host=satellite.example.com --service=satellite-prod
  7. Disable the default allow_all rule. This rule covers every host and service in the Identity Management domain, so confirm that other hosts are covered by their own rules before you disable it. Afterwards, repeat hbactest for a user who is not in the rule; it must report Access granted: False.

    $ ipa hbacrule-disable allow_all

On Satellite Server, a Satellite administrator re-runs satellite-installer to load the host-based access control rules from Identity Management:

# satellite-installer --foreman-pam-service=satellite-prod
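
The following script, an added example rather than the documentation's own code, turns the hbactest step into a repeatable check: it refuses to pass while allow_all is still enabled (HBAC rules are allow-only and combined by OR, so an enabled allow_all makes allow-satellite-prod irrelevant) and then runs ipa hbactest for a table of users with expected outcomes. The names come from the example above; other-user is a hypothetical user who must be denied, and the SATELLITE_* variables are assumptions. Run it after kinit on the Identity Management server; without SATELLITE_LIVE it only self-checks its parsers on constructed ipa output.

```shell
#!/bin/sh
# Regression check for the HBAC policy that gates Satellite access.
# Added example; not part of the Satellite documentation. Assumes the names
# from the example above (rule allow-satellite-prod, HBAC service
# satellite-prod, host satellite.example.com, allowed user ipa-user) and a
# hypothetical IdM user "other-user" who must be denied.
set -eu

HOST=${SATELLITE_HOST:-satellite.example.com}
SERVICE=${SATELLITE_HBAC_SERVICE:-satellite-prod}

# Constructed policy table: "user expected-outcome" per line. Extend it with a
# member of every group you add to the rule and one user from outside each.
EXPECTATIONS='ipa-user allow
other-user deny'

# Reads `ipa hbactest` output on stdin; succeeds only on "Access granted: True".
hbactest_granted() { grep -qiE '^[[:space:]]*Access granted:[[:space:]]*True[[:space:]]*$'; }

# Reads `ipa hbacrule-show <rule>` output on stdin; succeeds if the rule is enabled.
hbacrule_enabled() { grep -qiE '^[[:space:]]*Enabled:[[:space:]]*TRUE[[:space:]]*$'; }

# Classify one hbactest result text as allow or deny.
classify() {
  if printf '%s\n' "$1" | hbactest_granted; then echo allow; else echo deny; fi
}

# Run hbactest for one user ($1) and compare with the expected outcome ($2).
check_user() {
  out=$(ipa hbactest --user="$1" --host="$HOST" --service="$SERVICE" 2>&1 || true)
  actual=$(classify "$out")
  if [ "$actual" = "$2" ]; then
    printf 'ok   %-16s %s\n' "$1" "$actual"
  else
    printf 'FAIL %-16s expected %s, got %s\n' "$1" "$2" "$actual"
    printf '%s\n' "$out" | sed 's/^/      /'
    return 1
  fi
}

run_live_checks() {
  status=0
  # HBAC rules are allow-only and OR-ed: while allow_all is enabled every user
  # matches it and the restrictive rule decides nothing. Check that first.
  if ipa hbacrule-show allow_all | hbacrule_enabled; then
    echo 'FAIL allow_all is still enabled; allow-satellite-prod restricts nothing'
    status=1
  fi
  printf '%s\n' "$EXPECTATIONS" | while read -r user expected; do
    [ -n "$user" ] || continue
    check_user "$user" "$expected" || exit 1
  done || status=1
  return $status
}

# Constructed samples of ipa output for the offline self-check.
SAMPLE_GRANTED='--------------------
Access granted: True
--------------------
  Matched rules: allow-satellite-prod
  Not matched rules: allow_all'
SAMPLE_DENIED='---------------------
Access granted: False
---------------------
  Not matched rules: allow-satellite-prod
  Not matched rules: allow_all'
SAMPLE_RULE='  Rule name: allow_all
  Enabled: FALSE'

if [ -n "${SATELLITE_LIVE:-}" ]; then
  run_live_checks
else
  if [ "$(classify "$SAMPLE_GRANTED")" != allow ] || [ "$(classify "$SAMPLE_DENIED")" != deny ] \
     || printf '%s\n' "$SAMPLE_RULE" | hbacrule_enabled; then
    echo 'self-check failed' >&2; exit 1
  fi
  echo 'self-check ok; run with SATELLITE_LIVE=1 after kinit on the IdM server'
fi
```

Keep the expectation table under version control next to the rule definition; a user who is expected to be denied but is granted access is the first sign that allow_all was re-enabled or a group was widened.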

Configure the Satellite Hammer CLI tool to use Identity Management to authenticate users.

Prerequisites

  • Satellite Server configured to use Identity Management as an authentication provider with access to the Satellite API enabled (satellite-installer --foreman-ipa-authentication-api=true).

Procedure

  • Open the ~/.hammer/cli.modules.d/foreman.yml file on your Satellite Server and update the list of foreman parameters:

    • To enforce session usage, enable :use_sessions:

      :foreman:
        :use_sessions: true

      With this configuration, you will need to initiate an authentication session manually with hammer auth login negotiate.

    • Alternatively, to enforce session usage and also negotiate authentication by default:

      :foreman:
        :default_auth_type: 'Negotiate_Auth'
        :use_sessions: true

      With this configuration, Hammer will negotiate authentication automatically when you enter the first hammer command.

Authenticate to the Satellite Hammer CLI with your Identity Management credentials by using Kerberos: obtain a ticket with kinit and let Hammer negotiate the session.

Prerequisites

  • Hammer CLI configured to use Identity Management authentication as described in the previous procedure.

Procedure

  1. Authenticate as a user defined in Identity Management to obtain a Kerberos ticket-granting ticket (TGT):

    $ kinit Identity_Management_user
    Warning

    If you enabled access to the Satellite API when you configured Identity Management as the authentication provider for Satellite, this TGT is now sufficient to open an API session: any process running as your user, or anyone able to read your credential cache, can authenticate to the API without a password. The attack is possible even if you never entered the Satellite login credentials anywhere, for example in the browser. Keep the credential cache out of shared locations and run kdestroy when you are finished.

  2. If Hammer is not configured to negotiate authentication, initiate an authentication session manually:

    $ hammer auth login negotiate
Note

If you destroy the active Kerberos ticket, for example with kdestroy, you will still be logged in to Hammer. To log out, enter hammer auth logout.

Verification

  • Use any hammer command to check that the system does not ask you to authenticate. For example:

    $ hammer host list

Additional resources

  • Run hammer auth --help to view all Hammer CLI authentication configuration options.
  • For more information about authenticating with Hammer, see Hammer authentication in Using the Hammer CLI tool.

You can use Mozilla Firefox to log in to the Satellite web UI with your Identity Management credentials.

Use the latest stable Mozilla Firefox browser.

Prerequisites

  • Identity Management configured as an authentication provider for the Satellite web UI.
  • Firefox configured to trust your Satellite Server for Kerberos authentication: the network.negotiate-auth.trusted-uris preference in about:config, or the equivalent enterprise policy, must list the Satellite Server URL or its domain. Otherwise Firefox does not send the ticket and falls back to the login form.

Procedure

  1. Obtain the Kerberos ticket-granting ticket (TGT):

    $ kinit user
    Password for user@EXAMPLE.COM:
  2. In Mozilla Firefox, go to the URL of your Satellite Server.
  3. You are logged in automatically.

Alternatively:

  1. In your browser address bar, enter the URL of your Satellite Server.
  2. Enter your username and password.

You can use Chrome to log in to the Satellite web UI with your Identity Management credentials.

Use the latest stable Chrome browser.

Prerequisites

  • Identity Management configured as an authentication provider for the Satellite web UI.

Procedure

  1. Enable the Chrome browser to use Kerberos authentication:

    $ google-chrome --auth-server-whitelist="*.example.com" --auth-negotiate-delegate-whitelist="*.example.com"
    Note

    Instead of allowlisting the whole domain, you can also allowlist a specific Satellite Server. Newer Chrome versions name these switches --auth-server-allowlist and --auth-negotiate-delegate-allowlist, and the same settings exist as the AuthServerAllowlist and AuthNegotiateDelegateAllowlist enterprise policies, which is how they are normally deployed.

    The delegate list permits Chrome to forward your Kerberos credentials to the listed servers, which lets those servers act on your behalf towards other services. Grant delegation only if you have a specific need for it; Kerberos SSO to the web UI works with the Negotiate exchange alone.

  2. Obtain the Kerberos ticket-granting ticket (TGT):

    $ kinit user
    Password for user@EXAMPLE.COM:
  3. In Chrome, go to the URL of your Satellite Server.
  4. You are logged in automatically.

Alternatively:

  1. In your browser address bar, enter the URL of your Satellite Server.
  2. Enter your username and password.

When your Identity Management deployment includes a cross-forest trust with Active Directory (AD), configure host-based access control (HBAC) and the System Security Services Daemon (SSSD) to enable AD users to log in to Satellite.

Prerequisites

  • A cross-forest trust configured between Identity Management and Active Directory.

Procedure

On your Identity Management server:

  1. Enable HBAC:

    1. Create an external group and add the AD group to it.
    2. Add the new external group to a POSIX group.
    3. Use the POSIX group in a HBAC rule.

On your Identity Management server and all replicas in your Identity Management topology, configure SSSD to transfer additional attributes of AD users:

  1. Add the AD user attributes to the domain, nss, and ifp sections in /etc/sssd/sssd.conf. For example:

    [domain/EXAMPLE.com]
    ...
    krb5_store_password_if_offline = True
    ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname
    
    [nss]
    user_attributes=+email, +firstname, +lastname
    
    [ifp]
    allowed_uids = ipaapi, root
    user_attributes=+email, +firstname, +lastname
  2. Clear the SSSD cache:

    1. Stop SSSD:

      # systemctl stop sssd
    2. Clear the cache:

      # sss_cache -E
    3. Start SSSD:

      # systemctl start sssd
  3. Verify the AD attribute values by using the dbus-send command on your Satellite Server and on your Identity Management server. Make sure that both outputs match: an attribute that is absent on the Satellite Server side is not available to Satellite when it creates the user account.

    # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname
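
To compare the two dbus-send outputs without reading them by eye, the following script (an added example, not part of the documentation) normalises each reply into sorted key=value lines and diffs them, printing key= for an attribute that came back empty so that a missing mapping is visible. It assumes root SSH access to the Identity Management server named in IDM_SERVER and the attribute names from the sssd.conf above; the sample replies are constructed. Without AD_USER and IDM_SERVER set, it only self-checks on those constructed replies.

```shell
#!/bin/sh
# Compare the AD user attributes SSSD exposes on Satellite Server with those
# on the IdM server. Added example; not part of the Satellite documentation.
# Assumes root SSH access to the IdM server given in IDM_SERVER (hypothetical)
# and the attribute names from the sssd.conf shown above.
set -eu

ATTRS=email,firstname,lastname

# Normalise `dbus-send --print-reply` output of GetUserAttr (a dict of string
# arrays) into sorted key=value lines, one per value. An attribute that came
# back with no values is printed as "key=" so that it shows up in a diff.
normalize_attrs() {
  awk '
    /dict entry\(/ { key = ""; n = 0; next }
    /^[[:space:]]*string "/ {
      line = $0
      sub(/^[[:space:]]*string "/, "", line); sub(/"[[:space:]]*$/, "", line)
      if (key == "") key = line; else { print key "=" line; n++ }
      next
    }
    /^[[:space:]]*\)/ { if (key != "" && n == 0) print key "="; key = "" }
  ' | LC_ALL=C sort
}

# Succeeds if two raw dbus-send replies describe the same attribute values.
attrs_match() {
  [ "$(printf '%s\n' "$1" | normalize_attrs)" = "$(printf '%s\n' "$2" | normalize_attrs)" ]
}

# Query SSSD InfoPipe for user $1, locally or over ssh on host $2.
query_attrs() {
  user=$1; target=${2:-}
  set -- dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr \
    "string:$user" "array:string:$ATTRS"
  if [ -n "$target" ]; then ssh "root@$target" "$@"; else "$@"; fi
}

run_live_compare() {
  local_out=$(query_attrs "$AD_USER")
  remote_out=$(query_attrs "$AD_USER" "$IDM_SERVER")
  if attrs_match "$local_out" "$remote_out"; then
    echo "attributes for $AD_USER match on this host and $IDM_SERVER:"
    printf '%s\n' "$local_out" | normalize_attrs
  else
    echo "MISMATCH for $AD_USER (< this host, > $IDM_SERVER):" >&2
    l=$(mktemp); r=$(mktemp)
    printf '%s\n' "$local_out" | normalize_attrs > "$l"
    printf '%s\n' "$remote_out" | normalize_attrs > "$r"
    diff "$l" "$r" || true
    rm -f "$l" "$r"
    return 1
  fi
}

# Constructed dbus-send reply for the offline self-check.
SAMPLE_IDM='method return time=1700000000.000000 sender=:1.7 -> destination=:1.99 serial=5 reply_serial=2
   array [
      dict entry(
         string "email"
         variant             array [
               string "ad-user@ad.example.com"
            ]
      )
      dict entry(
         string "firstname"
         variant             array [
               string "Ad"
            ]
      )
      dict entry(
         string "lastname"
         variant             array [
               string "User"
            ]
      )
   ]'
# Same user on a host whose SSSD did not fetch givenname: the firstname array is empty.
SAMPLE_SAT_BROKEN=$(printf '%s\n' "$SAMPLE_IDM" | sed '/string "Ad"/d')

if [ -n "${AD_USER:-}" ] && [ -n "${IDM_SERVER:-}" ]; then
  run_live_compare
else
  attrs_match "$SAMPLE_IDM" "$SAMPLE_IDM" || { echo 'self-check failed' >&2; exit 1; }
  if attrs_match "$SAMPLE_IDM" "$SAMPLE_SAT_BROKEN"; then echo 'self-check failed' >&2; exit 1; fi
  echo 'self-check ok; set AD_USER=user@ad-domain and IDM_SERVER=idm-host to compare live'
fi
```

Run it as root on Satellite Server, because the ifp section above only admits ipaapi and root to the InfoPipe; a line such as firstname= on one side points at a missing ldap_user_extra_attrs mapping or a stale cache on that host.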