Chapter 4. Configuring SSO and 2FA with Red Hat Single Sign-On in Satellite


Red Hat Single Sign-On is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, and centralized authentication management. With Red Hat Single Sign-On, you can integrate Satellite Server with your existing Red Hat Single Sign-On server to delegate user authentication and authorization to Red Hat Single Sign-On.

Red Hat Single Sign-On users can log in using the following login methods:

  • User name and password in Satellite web UI
  • User name and password in Hammer CLI
  • Time-based one-time password (TOTP)

Note

Red Hat Single Sign-On users cannot use both Satellite web UI and Hammer CLI authentication in Satellite at the same time.

For information about Red Hat Single Sign-On, see Red Hat Single Sign-On documentation.

Prerequisites

  • A Red Hat Single Sign-On account with administrative privileges.
  • A Red Hat Single Sign-On server that uses HTTPS instead of HTTP.
  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate truststore.
  • A Red Hat Single Sign-On realm created for Satellite user accounts, for example Satellite_Realm.
  • Users imported or added to Red Hat Single Sign-On. For more information about importing or creating users, see the Red Hat Single Sign-On Server Administration Guide.

Users defined in Red Hat Single Sign-On can authenticate to Satellite by using one of the following methods:

  • The Satellite web UI
  • Hammer CLI

Choose one of these methods to enable in your Satellite deployment.

Procedure

On your Satellite Server:

  1. Install the packages required for registering a Red Hat Single Sign-On client:

    # satellite-maintain packages install mod_auth_openidc keycloak-httpd-client-install python3-lxml
  2. Choose the authentication method you want Red Hat Single Sign-On users to use when authenticating to Satellite:

    • If you want users to authenticate by using the Satellite web UI:

      1. Create a client for Satellite. Use foreman-openidc as the application name.

        # keycloak-httpd-client-install --app-name foreman-openidc \
        --keycloak-server-url "https://rhsso.example.com" \
        --keycloak-admin-username "admin" \
        --keycloak-realm "Satellite_Realm" \
        --keycloak-admin-realm master \
        --keycloak-auth-role root-admin \
        -t openidc -l /users/extlogin --force
      2. Configure Satellite to use Red Hat Single Sign-On as an authentication source for Satellite web UI:

        # satellite-installer --foreman-keycloak true \
        --foreman-keycloak-app-name "foreman-openidc" \
        --foreman-keycloak-realm "Satellite_Realm"
    • If you want users to authenticate by using the Hammer CLI:

      1. Create a client for Satellite. Use hammer-openidc as the application name.

        # keycloak-httpd-client-install --app-name hammer-openidc \
        --keycloak-server-url "https://rhsso.example.com" \
        --keycloak-admin-username "admin" \
        --keycloak-realm "Satellite_Realm" \
        --keycloak-admin-realm master \
        --keycloak-auth-role root-admin \
        -t openidc -l /users/extlogin --force
      2. Configure Satellite to use Red Hat Single Sign-On as an authentication source for Hammer CLI:

        # satellite-installer --foreman-keycloak true \
        --foreman-keycloak-app-name "hammer-openidc" \
        --foreman-keycloak-realm "Satellite_Realm"
  3. Restart the httpd service:

    # systemctl restart httpd

4.3. Configuring the Satellite client in Red Hat Single Sign-On

Configure the Satellite client in Red Hat Single Sign-On with valid redirect URIs and mappers.

Procedure

In the Red Hat Single Sign-On web UI:

  1. Go to the realm created for Satellite users. Navigate to Clients and click the Satellite client.
  2. Configure access type:

    • If you are configuring a client that will provide Satellite web UI authentication, select confidential from the Access Type list.
    • If you are configuring a client that will provide Hammer CLI authentication, select public from the Access Type list.
  3. Configure Valid redirect URI addresses:

    • If you are configuring a client that will provide Satellite web UI authentication:

      • You will see a pre-defined URI: https://satellite.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
      • Add another URI below the pre-defined URI: https://satellite.example.com/users/extlogin
    • If you are configuring a client that will provide Hammer CLI authentication:

      • You will see a pre-defined URI: https://satellite.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
      • Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob
  4. Click Save.
  5. On the Mappers tab, click Create to add an audience mapper.

    1. From the Mapper Type list, select Audience.
    2. From the Included Client Audience list, select the Satellite client.
  6. Click Save.
  7. On the Mappers tab, click Create to add a group mapper so that you can specify authorization in Satellite based on group membership.

    1. From the Mapper Type list, select Group Membership.
    2. In the Token Claim Name field, enter groups.
    3. Set the Full group path setting to OFF.
  8. Click Save.

If you are configuring a client that will provide Satellite web UI authentication to your Satellite deployment, delegate authentication to the Red Hat Single Sign-On server and add Red Hat Single Sign-On as an external authentication source in Satellite.

Procedure

In the Satellite web UI:

  1. Navigate to Administer > Settings.
  2. On the Authentication tab, configure the following settings:

    1. Authorize login delegation: Set to Yes.
    2. Authorize login delegation auth source user autocreate: Set to External.
    3. Login delegation logout URL: Set to https://satellite.example.com/users/extlogout.
    4. OIDC Algorithm: For example, set to RS256.
    5. OIDC Audience: Set to the client ID for Red Hat Single Sign-On.
    6. OIDC Issuer: Set to https://rhsso.example.com/auth/realms/Satellite_Realm.
    7. OIDC JWKs URL: Set to https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs.
  3. Navigate to Administer > Authentication Sources.

    1. From the External menu, select Edit.
    2. On the Locations tab, add the locations that you want to be able to use the Red Hat Single Sign-On authentication source.
    3. On the Organizations tab, add the organizations that you want to be able to use the Red Hat Single Sign-On authentication source.
    4. Click Submit.

If you are configuring a client that will provide Hammer CLI authentication to your Satellite deployment, delegate authentication to the Red Hat Single Sign-On server and add Red Hat Single Sign-On as an external authentication source in Satellite.

Prerequisites

  • Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to public. For more information, see Section 4.3, “Configuring the Satellite client in Red Hat Single Sign-On”.
  • Obtain the values to configure Satellite settings from the following URL: https://rhsso.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration. Replace Satellite_Realm with the name of the Red Hat Single Sign-On realm created for your Satellite server.

Procedure

On the Satellite client registered to Red Hat Single Sign-On:

  1. Set the login delegation to true so that users can authenticate by using the OpenID Connect (OIDC) protocol:

    # hammer settings set --name authorize_login_delegation --value true
  2. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://satellite.example.com/users/extlogout
  3. Set the algorithm used to sign the ID tokens. For example, to use the RS256 algorithm:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  4. Add the client ID of the Hammer client to the OIDC audience:

    # hammer settings set --name oidc_audience \
    --value "['satellite.example.com-hammer-openidc']"
  5. Set the value for the OIDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "https://rhsso.example.com/auth/realms/Satellite_Realm"
  6. Set the OIDC JSON Web Key Set (JWKS) URL, from which the public keys used to verify token signatures are fetched:

    # hammer settings set --name oidc_jwks_url \
    --value "https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs"
  7. Retrieve the ID of the Red Hat Single Sign-On authentication source:

    # hammer auth-source external list
  8. Set the location and organization:

    # hammer auth-source external update \
    --id My_Authentication_Source_ID \
    --location-ids My_Location_ID \
    --organization-ids My_Organization_ID
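The values for these settings come from the realm's discovery document (the .well-known/openid-configuration URL listed in the prerequisites). The following Python script is an added example, not part of the Red Hat documentation, Satellite or Red Hat Single Sign-On: it parses a constructed copy of that document, checks that the issuer matches the realm URL, that the issuer and JWKS URLs use HTTPS and that the chosen signing algorithm is advertised by the realm, and renders the corresponding hammer settings set commands. The host names, realm name and client ID are the example values used in this chapter, not real endpoints.

```python
"""Derive the Satellite OIDC settings from a Red Hat Single Sign-On discovery
document. Added example; not part of the Red Hat documentation or products."""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample of the document served at
# https://rhsso.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration
# Only the fields used below are included.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://rhsso.example.com/auth/realms/Satellite_Realm",
    "authorization_endpoint": "https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/auth",
    "token_endpoint": "https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/token",
    "jwks_uri": "https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
})

RHSSO_URL = "https://rhsso.example.com"          # example server from this chapter
REALM = "Satellite_Realm"                         # example realm from this chapter
CLIENT_ID = "satellite.example.com-hammer-openidc"  # example Hammer client ID


def derive_oidc_settings(discovery_json, rhsso_url, realm, client_id, algorithm="RS256"):
    """Return the Satellite setting names and values after sanity checks.

    Raises ValueError when the document does not describe the expected realm,
    when a URL is not HTTPS, or when the algorithm cannot be used with a JWKS.
    """
    doc = json.loads(discovery_json)
    expected_issuer = f"{rhsso_url}/auth/realms/{realm}"
    issuer = doc["issuer"]
    jwks_url = doc["jwks_uri"]
    if issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} does not match realm URL {expected_issuer!r}")
    for name, url in (("issuer", issuer), ("jwks_uri", jwks_url)):
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} must use HTTPS (prerequisite of this chapter): {url}")
    if algorithm not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError(f"realm does not advertise {algorithm} for ID tokens")
    if algorithm.startswith("HS"):
        # HMAC algorithms use a shared secret; a JWKS URL publishes public keys only.
        raise ValueError("symmetric (HS*) algorithms cannot be verified via the JWKS URL")
    return {
        "authorize_login_delegation": "true",
        "oidc_algorithm": algorithm,
        "oidc_audience": f"['{client_id}']",
        "oidc_issuer": issuer,
        "oidc_jwks_url": jwks_url,
    }


def hammer_login_endpoints(discovery_json):
    """Endpoints needed later for 'hammer auth login oauth'."""
    doc = json.loads(discovery_json)
    return {"token_endpoint": doc["token_endpoint"],
            "authorization_endpoint": doc["authorization_endpoint"]}


def hammer_commands(settings):
    """Render each setting as the 'hammer settings set' command used in the procedure above."""
    return [f"hammer settings set --name {name} --value {shlex.quote(value)}"
            for name, value in settings.items()]


if __name__ == "__main__":
    for line in hammer_commands(derive_oidc_settings(SAMPLE_DISCOVERY, RHSSO_URL, REALM, CLIENT_ID)):
        print(line)
```

Run it against the real discovery document by replacing SAMPLE_DISCOVERY with the body fetched from the URL in the prerequisites; a mismatch between the issuer in the document and the realm URL is the usual cause of login failures after a realm is renamed.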

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the Satellite realm in Red Hat Single Sign-On.

Procedure

  1. In the Red Hat Single Sign-On web UI, navigate to the Satellite realm.
  2. Navigate to Authentication.
  3. On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
  4. Configure the OTP settings to suit your requirements.
  5. On Required Actions tab, enable the Set as default action setting for the Configure OTP action.
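The OTP policy settings (hash algorithm, number of digits, token period and look-ahead window) are the parameters of the TOTP algorithm from RFC 6238 that the authenticator app and the server must share. The following Python code is an added example, not part of the Red Hat documentation or of Red Hat Single Sign-On; the function parameter names are chosen for this example and are not the product's setting identifiers. It computes a TOTP value and verifies a submitted code while tolerating a clock skew of one period in either direction; the expected values are the RFC 6238 test vectors for the ASCII secrets 12345678901234567890 (SHA-1) and 12345678901234567890123456789012 (SHA-256).

```python
"""TOTP (RFC 6238) computation and verification with a look-ahead window.
Added example; not part of the Red Hat documentation or products."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secrets (ASCII), used here as constructed input.
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP is HOTP with the counter set to the number of periods since the epoch."""
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float, period: int = 30, digits: int = 6,
                algorithm: str = "sha1", look_ahead: int = 1) -> bool:
    """Accept the code if it matches the current period or one within look_ahead
    periods on either side; this is what a server-side look-ahead window tolerates.
    Constant-time comparison avoids leaking how many digits matched."""
    step = int(at) // period
    return any(
        hmac.compare_digest(hotp(secret, counter, digits, algorithm), code)
        for counter in range(step - look_ahead, step + look_ahead + 1)
    )


if __name__ == "__main__":
    # Expected: 94287082 for the first RFC 6238 test time (T=59 seconds).
    print(totp(SECRET_SHA1, 59, digits=8))
```

A wider look-ahead window makes codes valid for longer and therefore easier to reuse if intercepted; keep it as small as clock drift between the server and the users' devices allows.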

Optionally, to implement role-based access control (RBAC), create a group in Satellite, assign a role to this group, and then map a Red Hat Single Sign-On group to the Satellite group. As a result, anyone in the given group in Red Hat Single Sign-On logs in under the corresponding Satellite group.

For example, you can configure users of the Satellite-admin user group defined in Active Directory to authenticate as users with administrator privileges on Satellite.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

  1. In the Satellite web UI, navigate to Administer > User Groups.
  2. Click Create User Group.

    1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.
    2. Do not add any users or user groups to the new group in Satellite web UI.
  3. On the Roles tab, select Administer.
  4. On the External Groups tab, click Add external user group.

    1. In the Name field, enter the name of the Active Directory group.
    2. From the Auth Source drop-down menu, select EXTERNAL.
  5. Click Submit.
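The two mappers added in Section 4.3 (the audience mapper and the groups claim with Full group path set to OFF) and the external group mapping above together determine what Satellite sees in the ID token. The following Python code is an added example, not Satellite's or Red Hat Single Sign-On's code: it builds a constructed, unsigned token with the shape those mappers produce, checks the claims against the configured OIDC Issuer, OIDC Audience and OIDC Algorithm, flags the common mistake of leaving Full group path ON (group names then arrive as /Satellite-admin and do not match the external group name entered in Satellite), and maps group names to Satellite roles. Signature verification against the JWKS URL is deliberately not performed here; the issuer, client ID and user values are the chapter's examples or constructed.

```python
"""Claim checks on a Red Hat Single Sign-On ID token and group-to-role mapping.
Added example; not part of the Red Hat documentation or products. The token is
constructed and unsigned; signature verification with the JWKS is out of scope."""
import base64
import json
import time

ISSUER = "https://rhsso.example.com/auth/realms/Satellite_Realm"   # example issuer
CLIENT_ID = "satellite.example.com-hammer-openidc"                  # example client ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(groups, issued_at, full_group_path=False):
    """Constructed token with the claims the audience and group mappers emit.
    The third segment is a placeholder, not an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    if full_group_path:
        groups = ["/" + g for g in groups]   # shape produced with Full group path ON
    payload = {
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-user-id",
        "preferred_username": "jdoe", "iat": issued_at, "exp": issued_at + 300,
        "groups": groups,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "placeholder-signature"])


def check_claims(token, issuer=ISSUER, client_id=CLIENT_ID, algorithm="RS256", now=None):
    """Return a list of problems; an empty list means the claims match the settings."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != algorithm:
        problems.append(f"alg {header.get('alg')!r} != configured OIDC Algorithm {algorithm!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured OIDC Issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append("aud lacks the Satellite client ID (audience mapper missing?)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    groups = claims.get("groups")
    if groups is None:
        problems.append("no 'groups' claim (group membership mapper missing?)")
    elif any(g.startswith("/") for g in groups):
        problems.append("groups carry a full path; set 'Full group path' to OFF")
    return problems


def map_groups_to_roles(groups, external_groups):
    """external_groups maps an external group name (as entered on the External
    Groups tab) to the roles of the Satellite user group. Users matching no
    group get the Default role, as described above."""
    roles = sorted({role for g in groups for role in external_groups.get(g, [])})
    return roles or ["Default"]


if __name__ == "__main__":
    token = make_sample_token(["Satellite-admin"], issued_at=int(time.time()))
    print(check_claims(token))
    print(map_groups_to_roles(["Satellite-admin"], {"Satellite-admin": ["Administer"]}))
```

The full-path check is the one worth running first when users log in but land in the Default role: the external group name in Satellite is compared literally with the claim values, so /Satellite-admin and Satellite-admin are different groups.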

With Red Hat Single Sign-On configured as an external authentication source for Satellite, users defined in a Red Hat Single Sign-On realm can log in to Satellite Server. The particular login methods available to users depend on how you configured integration between Red Hat Single Sign-On and Satellite.

Procedure

To authenticate to the Satellite web UI:

  • In your browser, go to https://satellite.example.com and enter your credentials.

To authenticate to the Satellite web UI by using Red Hat Single Sign-On TOTP:

  1. In your browser, log in to Satellite. Satellite redirects you to the Red Hat Single Sign-On login screen.
  2. Enter your username and password, and click Log In.
  3. On your first login attempt, Red Hat Single Sign-On requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to Satellite and logs you in.

To authenticate to the Satellite CLI with Hammer:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
      :use_sessions: true
  2. Initiate an authentication session with hammer auth login oauth:

    # hammer auth login oauth \
    --oidc-token-endpoint 'https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://rhsso.example.com/auth' \
    --oidc-client-id 'satellite.example.com-hammer-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the Satellite CLI with Hammer by using Red Hat Single Sign-On TOTP:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
      :use_sessions: true
  2. Initiate an authentication session by using --two-factor with hammer auth login oauth:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://rhsso.example.com/auth' \
    --oidc-client-id 'satellite.example.com-hammer-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob
  3. You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.
  4. Enter the success code in CLI.