Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

19.5. Installing and Configuring Red Hat Single Sign-On

To use Red Had Single Sign-On as your authorization method, you need to:

  • Install Red Hat SSO.
  • Configure the LDAP group mapper.
  • Configure Apache on the Manager.
  • Configure OVN provider credentials.
Note

If Red Hat SSO is configured, previous LDAP sign ons will not work, as only a single authorization protocol may be used at a time.

19.5.1. Installing Red Hat Single Sign-On
Copy link

You can install Red Hat Single Sign-On by downloading a ZIP file and unpacking it, or by using an RPM file.

Follow the installation instructions at Red Hat SSO Installation

Prepare the following information:

  • Path/location of the Open ID Connect server.
  • The subscription channel for the correct repositories.
  • Valid Red Hat subscription login credentials.

19.5.2. Configuring the LDAP group mapper
Copy link

  1. Add the LDAP groups mapper with the following information:

    • Name: ldapgroups
    • Mapper Type: group-ldap-mapper
    • LDAP Groups DN: ou=groups,dc=example,dc=com
    • Group Object Classes: groupofuniquenames (adapt this class according to your LDAP server setup)
    • Membership LDAP Attribute: uniquemember (adapt this class according to your LDAP server setup)
  2. Click Save.
  3. Click Sync LDAP Groups to KeyCloak.
  4. At the bottom of the User Federation Provider page, click Synchronize all users.
  5. In the Clients tab, under Add Client, add ovirt-engine as the Client ID, and enter the engine url as the Root URL.
  6. Modify the Client Protocol to openid-connect and the Access Type to confidential.
  7. In the Clients tab, under Ovirt-engine > Advanced Settings, increase the Access Token Lifespan.
  8. Add https://rhvm.example.com:443/* as a valid redirect URI.
  9. The client secret is generated, and can be viewed in the Credentials tab.

  10. In the Clients tab under Create Mapper Protocol, create a mapper with the following settings:

    • Name: groups
    • Mapper Type: Group Membership
    • Token Claim Name: groups
    • Full group path: ON
    • Add to ID token: ON
    • Add to access token: ON
    • Add to userinfo: ON
  11. Add the Builtin Protocol Mapper for username.
  12. Create the scopes needed by ovirt-engine, ovirt-app-api and ovirt-app-admin.
  13. Use the scopes created in the previous step to set up optional client scopes for the ovirt-engine client.

19.5.3. Configuring Apache in the Manager
Copy link

  1. Configure Apache in the Manager. 

    # yum install mod_auth_openidc
    Copy to Clipboard Toggle word wrap

  2. Create a new httpd config file ovirt-openidc.conf in /etc/httpd/conf.d with the following content: 

    LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://SSO.example.com/auth/realms/master/.well-known/openid-configuration
OIDCSSLValidateServer Off

OIDCClientID ovirt-engine
OIDCClientSecret <client_SSO _generated_key>
OIDCRedirectURI https://rhvm.example.com/ovirt-engine/callback
OIDCDefaultURL https://rhvm.example.com/ovirt-engine/login?scope=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E

# maps the prefered_username claim to the REMOTE_USER environment variable:

OIDCRemoteUserClaim <preferred_username>
OIDCCryptoPassphrase <random1234>

<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
    <If "req('Authorization') !~ /^(Bearer|Basic)/i">

      Require valid-user
      AuthType openid-connect

      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
    </If>
</LocationMatch>

OIDCOAuthIntrospectionEndpoint https://SSO.example.com/auth/realms/master/protocol/openid-connect/token/introspect
OIDCOAuthSSLValidateServer    Off
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
OIDCOAuthClientID ovirt-engine
OIDCOAuthClientSecret <client_SSO _generated_key>
OIDCOAuthRemoteUserClaim sub

<LocationMatch ^/ovirt-engine/(api$|api/)>
   AuthType oauth20
   Require valid-user
</LocationMatch>
    Copy to Clipboard Toggle word wrap

  3. To save the configuration changes, restart httpd and ovirt-engine: 

    # systemctl restart httpd
# systemctl restart ovirt-engine
    Copy to Clipboard Toggle word wrap

  4. Create the file openidc-authn.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = openidchttp
ovirt.engine.aaa.authn.authz.plugin = openidc-authz
ovirt.engine.aaa.authn.mapping.plugin = openidc-http-mapping
config.artifact.name = HEADER
config.artifact.arg = OIDC_CLAIM_preferred_username
    Copy to Clipboard Toggle word wrap

  5. Create the file openidc-http-mapping.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = false
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
    Copy to Clipboard Toggle word wrap

  6. Create the file openidc-authz.properties in /etc/ovirt-engine/extensions.d/ with the following content: 

    ovirt.engine.extension.name = openidc-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.artifact.name.arg = OIDC_CLAIM_preferred_username
config.artifact.groups.arg = OIDC_CLAIM_groups
    Copy to Clipboard Toggle word wrap

  7. Create the file 99-enable-external-auth.conf in /etc/ovirt-engine/engine.conf.d/ with the following content: 

    ENGINE_SSO_ENABLE_EXTERNAL_SSO=true
ENGINE_SSO_EXTERNAL_SSO_LOGOUT_URI="${ENGINE_URI}/callback"
EXTERNAL_OIDC_USER_INFO_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/userinfo
EXTERNAL_OIDC_TOKEN_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/token
EXTERNAL_OIDC_LOGOUT_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/logout
EXTERNAL_OIDC_CLIENT_ID=ovirt-engine
EXTERNAL_OIDC_CLIENT_SECRET="<client_SSO _generated_key>"
EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EXTERNAL_OIDC_SSL_VERIFY_CHAIN=false
EXTERNAL_OIDC_SSL_VERIFY_HOST=false
    Copy to Clipboard Toggle word wrap

19.5.4. Configuring OVN
Copy link

If you configured the ovirt-ovn-provider in the Manager, you need to configure the OVN provider credentials.

  1. Create the file 20-setup-ovirt-provider-ovn.conf in /etc/ovirt-provider-ovn/conf.d/ with the following content, where user1 belongs to the LDAP group ovirt-administrator, and openidchttp is the profile configured for aaa-ldap-misc. 

    [OVIRT]
# ovirt-admin-user-name=user1@openidchttp
    Copy to Clipboard Toggle word wrap

  2. Restart the ovirt-provider-ovn: 

    # systemctl restart ovirt-provider-ovn
    Copy to Clipboard Toggle word wrap
  3. Log in to the Administration Portal, navigate to Administration Providers, select ovirt-provider-ovn, and click Edit to update the password for the ovn provider.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat