Configuring Identity Provider Integration
Configure your Red Hat identity provider integration.
Abstract
Preface
Configure identity provider (IdP) integration to specify the IdP that will authorize your users. Identity provider integration supports Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC).
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. About Identity Provider Integration
The identity provider integration feature allows you to integrate an identity provider of your choice to sign in to Red Hat services and applications, using sso.redhat.com for authentication with your company login credentials. The Organization Administrator for your organization can create, update, and delete identity providers associated with their account.
Additional user access services for role-based access control (RBAC) provide user access authorization that allows access to other resources within the Red Hat account. For more information about user access services, see User Access Configuration Guide for Role-Based Access Control.
With identity provider integration, you can configure one identity provider (IdP) as an authenticator and the second IdP to rely on that authentication to allow users to log in. In other words, you rely on an IdP such as Microsoft Entra ID to authenticate your users. When the user is authenticated by Microsoft Entra ID, Red Hat SSO, which is also an IdP, accepts the authentication and allows the user to complete the login process and access their Red Hat account. Instead of configuring user credentials many times across many systems, you configure your Red Hat account to accept the Microsoft Entra ID IdP authentication as being valid.
After the IdP services are integrated, users only need to use one set of credentials to access their Red Hat account. These credentials are the username and password of their customer identity provider or SSO.
1.1. Limitations of the Red Hat identity provider integration
When you integrate your identity provider (IdP) or single sign-on (SSO) with the Red Hat single sign-on system, any user who cannot authenticate with your SSO also cannot authenticate to any Red Hat service with a web-based authentication flow. This includes frequently used services such as Red Hat Customer Portal, Red Hat Hybrid Cloud Console, Red Hat Training, and more.
A limited number of Red Hat services do not use web-based authentication; these services are not compatible with federated single sign-on. This means you can revoke a user’s corporate customer IdP credentials, but they can still use their Red Hat account username and password to authenticate to Red Hat services that bypass web-based authentication.
To remove access to all Red Hat services, the Organization Administrator must use the user management tool to deactivate a Red Hat user account. A deactivated account can no longer be used to access any Red Hat service.
Users must be created through currently supported methods to take advantage of company single sign-on integration. Company single sign-on integration does not support auto-registration of users.
Users without accounts in the customer IdP will not be able to authenticate. For example, this can affect vendor relationships where today the vendor user has a Red Hat login within the customer’s Red Hat company account. Once company single sign-on is enabled, if the customer is not willing or able to allow the vendor user to have an account in the customer IdP, the vendor user will no longer be able to log in.
Identity provider integration is supported on the following Red Hat account types:
- A Red Hat Corporate account type. Personal account types are not supported.
- Accounts with an active, non-evaluation subscription.
- Approved Red Hat partner accounts.
Chapter 2. Configuring Identity Provider Integration
As the Organization Administrator, you can set up and configure identity provider integration for your organization. Identity provider integration is a component of the Identity and Access Management services provided by Red Hat Hybrid Cloud Console.
Identity Provider Integration establishes your corporate SSO solution as a valid identity provider for the Red Hat single sign-on system. IdP integration supports OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) authentication.
When you make changes to your identity provider integration, users in your organization will need to re-link their user accounts in the following situations:
- When an existing IdP is deleted and a new one is configured and enabled.
- When the identifier for your IdP changes. A common cause of this is if your company changes SSO or IdP vendors.
  - For SAML configurations, this is the nameid attribute.
  - For OIDC configurations, this is the sub claim.
- When a user leaves and returns to your organization. The user can replace a preexisting link with a new link when they see the login message "One-time account linking required."
2.1. Configuring identity provider (IdP) integration
You can set up and configure your Red Hat account to be recognized as a valid client of a third-party identity provider (IdP). Identity provider integration supports SAML and OIDC.
Prerequisites
- Only a user who has Organization Administrator permissions can configure IdP integration.
Depending on the authorization protocol, SAML or OIDC, you need to gather information that identifies the IdP that you are integrating:
- For SAML configuration, see the requirements in Section 2.2, “Configuring identity provider integration for SAML”.
- For OIDC configuration, see the requirements in Section 2.3, “Configuring identity provider integration for OIDC”.
Procedure
- Log in to Red Hat Hybrid Cloud Console as a user who has Organization Administrator permission.
- From the home page after you log in, click ⚙ (Settings).
- Click Authentication Policy.
- When the Authentication Policy window appears, click Identity Provider Integration.
- Click Set up an identity provider and choose an authentication protocol for your identity provider.
  Tip: You can navigate directly to Identity Provider Integration.
- Select SAML 2.0 or OpenID Connect and continue the configuration.
2.2. Configuring identity provider integration for SAML
You must provide certain information about your identity provider when you use Security Assertion Markup Language (SAML) authentication. Gather this information before you begin IdP integration for SAML.
Identity provider integration for SAML requires an x509 certificate, supplied as a Base64-encoded Privacy-Enhanced Mail (PEM) file, that is used to check signatures. The identity provider integration provided by Red Hat uses the x509 certificate to verify the assertion signature. Response and assertion encryption is not currently enforced; however, a valid x509 certificate allows decryption of the responses and assertions.
The following information is required to complete IdP integration:
- SAML metadata. The SAML metadata can be imported from an XML-format file or it can be manually entered. When you import the SAML XML metadata file, the x509 certificate is automatically parsed. File import is recommended.
- Identity provider Entity ID (EID). The EID attribute is in your SAML metadata configuration.
- Single sign-on authentication request URL. The authentication request URL sends the SAML authentication requests. The authentication request URL is also known as the "Login URL." Users are redirected from the Red Hat site to your Login URL to authenticate with your company’s single sign-on system.
Microsoft Entra ID adds spn: to the beginning of any non-URL value in the service provider issuer field. This field might also be referred to as a client, application, or a Service Provider Entity ID. Make sure the Entra ID value and the IdP configuration values match.
Okta Single Sign On identifies the service provider issuer field as Audience Description. Look for that value in your Okta admin console and copy it into the service provider issuer field.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator and have started the IdP integration.
You have the following information available:
- Identity provider Entity ID.
- SSO sign-on authentication request URL.
- Service provider issuer.
- x509 certificate, if it is not imported.
- Service provider metadata URL.
- Redirect or ACS URL.
Procedure
- On the Identity Provider Integration page, click SAML 2.0.
- You can upload most of the information from a SAML metadata file in XML format. The following information is parsed from the SAML metadata file:
  - Identity provider Entity ID
  - Single sign-on authentication request URL
- Manually enter the service provider issuer information. This information must be provided by you. The service provider issuer is how the Red Hat single sign-on system will be identified in your IdP. It is also known as the "service provider Entity ID."
  Note: Only alphanumeric characters are allowed in the service provider issuer information. Do not use spaces or non-alphanumeric characters.
- Review the URLs that the identity provider configuration entries require and verify that they are provided as required in your organization's identity provider:
  - Service provider metadata URL
  - Redirect URL / Assertion Consumer Service (ACS) URL
- After you verify the information is complete for your identity provider integration, click Create SAML identity provider integration. A page appears that shows you the configuration information.
  Note: If any information is missing or incorrect, update the form and resubmit.
- Click Test and enable to complete the identity provider integration. This opens a new window for you to enter your login ID and password.
  Note: Make sure pop-ups are enabled in your browser.
- On a successful test, click the Enable button to enable for your organization. If you choose not to enable, you must retest.
2.3. Configuring identity provider integration for OIDC
You must provide information about your identity provider when you use OpenID Connect authentication. Gather this information before you begin IdP integration for OIDC. Refer to the system information for your identity provider client (for example, Microsoft Entra ID) for guidance on how to obtain the following:
- Issuer information for your IdP. A URL for your IdP tokens.
- Client ID. The IdP Client ID verifies user identities and provides the information to other services.
- Client Secret. A client secret is a random string known only to the OAuth application and the authorization server. The following characters are not allowed in the client secret. Inspect the client secret and create a new one if any disallowed character is in the secret:
  \ $ ^ [ ] ' " > <
- Authorization URL. The endpoint for the API provider authorization server, to retrieve the authorization code.
- Token URL. The URL for the authentication server of the provider, to exchange an authorization code for an access token.
- JWKS URL. The URL of JSON Web Key Set for your provider.
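Most OIDC providers publish the Authorization URL, Token URL and JWKS URL listed above in a discovery document served under the issuer. The following is an added example, not part of this guide or of the sso.redhat.com integration, that reads such a document and applies the consistency checks a practitioner would want before copying the values into the form: the issuer inside the document must equal the issuer you configured, every endpoint must be https, the provider must support the authorization code response type (the integration exchanges a code at the Token URL), and the provider must be able to sign ID tokens (section 3.2 requires signed tokens). The discovery document and the tenant values are constructed placeholders; fetching the real document over HTTPS is left to the caller.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document with placeholder values; not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com/tenant-placeholder/v2.0",
    "authorization_endpoint": "https://login.example.com/tenant-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.com/tenant-placeholder/oauth2/v2.0/token",
    "jwks_uri": "https://login.example.com/tenant-placeholder/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where a provider publishes its configuration (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def oidc_form_values(configured_issuer: str, discovery_json: str) -> dict:
    """Extract the Authorization, Token and JWKS URLs from a discovery document,
    refusing documents that fail basic consistency checks."""
    doc = json.loads(discovery_json)

    # The issuer in the document must equal the issuer you resolved it from;
    # a mismatch means the wrong tenant, a misconfigured proxy or a spoofed endpoint.
    if doc.get("issuer") != configured_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (doc.get("issuer"), configured_issuer))

    missing = [key for key in REQUIRED_ENDPOINTS if key not in doc]
    if missing:
        raise ValueError("discovery document lacks " + ", ".join(missing))

    # Tokens and keys must only ever travel over TLS.
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(doc[key]).scheme != "https":
            raise ValueError("%s must be https, got %s" % (key, doc[key]))

    # The integration exchanges an authorization code at the Token URL, so the
    # provider has to support response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise response_type=code")

    # Signed ID tokens are required; a provider offering only alg "none" is unusable.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or algs == ["none"]:
        raise ValueError("provider cannot sign ID tokens")

    return {
        "issuer": doc["issuer"],
        "authorization_url": doc["authorization_endpoint"],
        "token_url": doc["token_endpoint"],
        "jwks_url": doc["jwks_uri"],
        # Section 3.2 encourages PKCE with S256; record whether the provider offers it.
        "supports_pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
    }


if __name__ == "__main__":
    issuer = "https://login.example.com/tenant-placeholder/v2.0"
    print("fetch:", discovery_url(issuer))
    for name, value in oidc_form_values(issuer, SAMPLE_DISCOVERY).items():
        print("%-20s %s" % (name, value))
```

The issuer comparison is an exact string match on purpose: a trailing slash or a different path version in the issuer you configure will later make ID-token validation fail on the iss claim, so it is better to catch the discrepancy while gathering the values.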
The following URL information is required to complete your IdP integration:
- Service provider OpenID Configuration URL. The OpenID Connect configuration URL contains the configuration details for the sso.redhat.com OIDC setup.
- Redirect URL. The service provider redirect URL, also known as a redirect URI or reply URL, is the endpoint where users are redirected after successfully authenticating with an identity provider.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator and have started the IdP integration.
- You have the OIDC configuration information available.
Procedure
- On the Identity Provider Integration page, click OpenID Connect. The OIDC identity provider configuration form appears.
- Using the information you have gathered, fill out the form.
- After you verify the information is complete for your identity provider integration, click Create OIDC identity provider integration. A page appears that shows you the configuration information.
  Note: If any information is missing or wrong, update the form and resubmit.
- Click Test and enable to complete the identity provider integration. This opens a new window for you to enter your login ID and password.
  Note: Make sure pop-ups are enabled in your browser.
- On a successful test, click the Enable button to enable for your organization. If you choose not to enable, you must retest.
2.4. Deleting, disabling, or updating the identity provider integration
You can delete or disable the identity provider integration. Before you change your internal SAML certificate or the OIDC secret, disable Red Hat identity provider integration.
When you disable or delete your IdP integration, all users on your account, including your Organization Administrator, must use their Red Hat account credentials to log in. After you update and re-enable the identity provider integration, users on your organization account will log in through your identity provider.
2.4.1. Changing the SAML certificate or OIDC secret
Disable the Red Hat identity provider integration before you change or update your internal SAML certificate or OIDC secret. These changes are sometimes referred to as rotations. After the rotation, update the Red Hat IdP integration with the new certificate or secret information and re-enable.
You must disable the Red Hat IdP integration before changing your internal SAML certificate or OIDC secret. Failure to do so results in all users, including Organization Administrators, being unable to authenticate. If this happens, contact Red Hat Customer Service.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator.
- You have configured and enabled the Red Hat identity provider integration.
- You can access your internal IdP and rotate the SAML certificate or OIDC secret.
Procedure
- Navigate to Settings > Authentication Policy > Identity Provider Integration. Your enabled integration is displayed.
- Click Disable.
- Generate and update the SAML certificate or OIDC secret in your organization’s identity provider.
- Update the Red Hat IdP integration SAML certificate or OIDC secret.
- When finished, click Test and enable. The testing step is required after any update to your IdP integration.
- On a successful test, click Enable to re-enable for your organization.
2.4.2. Disabling and re-enabling the identity provider integration
You can temporarily disable the integration without changing it. For example, your identity provider might have a maintenance window and you want users to log in to Red Hat services using their Red Hat login ID and password.
If you cannot access the Red Hat IdP integration application and need to disable your integration, open a support ticket with Red Hat Customer Service. This might occur if your identity provider has an outage and you cannot log in through your integration.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console as the Organization Administrator or as a user with User Access administrator permissions.
- You have configured an identity provider integration.
Procedure
- Navigate to Settings > Authentication Policy > Identity Provider Integration. Your enabled integration is displayed.
- Click Disable. Your IdP integration is now disabled.
- When you are ready to re-enable, click Test and enable.
- On a successful test, click Enable to re-enable for your organization.
Chapter 3. Identity provider integration system defaults
3.1. SAML defaults
The following table identifies Red Hat identity system defaults and expectations for identity provider integration with SAML.
| Name | Description |
|---|---|
| SSO initiation type | The Red Hat identity system (sso.redhat.com) supports Service Provider-initiated single sign-on. We do not support IdP-initiated single sign-on, and do not plan to add this. |
| SSO binding | Only POST is allowed for new IdPs. |
| Name ID | Red Hat expects an ID that will allow for unspecified identification of authenticating users. However, it's up to the customer to determine what identifier they wish to use. Commonly used IDs are a UUID, an email address, a username, etc. |
| Other required attributes | We do not require any other attributes to be provided for authenticating users. |
| ACS URL | This is provided by the Identity Provider Integration tool after a customer has completed the initial setup for their IdP. We will also provide a link to our SAML metadata URL that the customer can bind with if they so choose (this would allow them to review the configured IdP in depth). |
| Assertion Signing | We require that integrating customers sign their assertions. We require that a valid x509 certificate is provided during IdP configuration that can be used to verify the assertion signature. |
| Response/Assertion Encryption | Encryption is not currently enforced, but as long as a valid x509 is provided we will be able to decrypt responses/assertions. |
| Signing AuthN requests | Red Hat signs AuthN requests. We would encourage integrating parties to verify this signature. The key we use to do this will be discoverable in the SAML metadata that we provide (mentioned above, this will be presented after the IdP has been created). |
| Federated Logout | Red Hat does not currently support any federated logout options. Doing so would result in your users being logged out of both Red Hat as well as your company's SSO if they were to "log out" of a Red Hat service or application. |
3.2. OIDC defaults
The following table identifies Red Hat identity system defaults and expectations for identity provider integration with OIDC.
| Name | Description |
|---|---|
| Federated Logout | Red Hat does not currently support any federated logout options. Doing so would result in your users being logged out of both Red Hat as well as your company's SSO if they were to "log out" of a Red Hat service or application. |
| Signatures | IdP integration validates signatures and requires that tokens must be signed. |
| PKCE | For enhanced security, use Proof Key for Code Exchange (PKCE), which is an extension to the OAuth 2.0 authorization code flow. Red Hat encourages that you use S256 as the PKCE method. |
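The PKCE row recommends the S256 method without showing what it involves. The following is an added example, not Red Hat code, that implements the S256 method of RFC 7636 end to end: the client generates a high-entropy code_verifier, derives code_challenge = BASE64URL(SHA256(code_verifier)) and sends the challenge with the authorization request; when it later presents the verifier at the token endpoint, the authorization server recomputes the challenge and compares the two. The function names, the client ID and the redirect URI are hypothetical values chosen for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Fresh random verifier: 32 bytes encode to 43 characters, inside the
    43..128 character range RFC 7636 allows."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(authorization_url: str, client_id: str, redirect_uri: str,
                          verifier: str, state: str) -> str:
    """Authorization-code request that carries the S256 challenge (hypothetical client values).
    Only the challenge leaves the client; the verifier stays with the session until the token call."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return authorization_url + "?" + urlencode(params)


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The check the authorization server performs at the token endpoint when the
    client presents code_verifier together with the authorization code. A stolen
    code is useless to anyone who does not also hold the verifier."""
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    # Constant-time comparison so timing does not leak how many characters matched.
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    url = authorization_request("https://idp.example.com/authorize", "client-id-placeholder",
                                "https://sp.example.com/callback", verifier, secrets.token_urlsafe(16))
    print(url)
    print("server accepts verifier:", verify_pkce(verifier, code_challenge_s256(verifier)))
```

The test vector in the assertions (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is the one published in RFC 7636 Appendix B, which is how to confirm that a client library derives the challenge correctly before pointing it at a real provider.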
3.3. Characters not allowed in the OIDC client secret
The following characters are not allowed in the OIDC client secret. Inspect the client secret and create a new one if any disallowed character is in the secret.
\ $ ^ [ ] ' " > <
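Inspecting a secret by eye for the nine characters listed here (and in section 2.3) is error-prone, so the following added example, not Red Hat code, checks a secret programmatically and reports which disallowed characters it contains without echoing the secret itself. It also includes a generator for IdPs that let an administrator supply the secret value instead of generating it; the alphabet it draws from is a constructed choice that avoids every disallowed character. Function names are hypothetical.

```python
import secrets
import string

# The characters sso.redhat.com rejects in an OIDC client secret (section 3.3).
DISALLOWED = frozenset("\\$^[]'\"><")

# Constructed alphabet for administrator-supplied secrets: letters, digits and the
# RFC 3986 unreserved punctuation, none of which appears in DISALLOWED.
ALLOWED_ALPHABET = string.ascii_letters + string.digits + "-_.~"


def disallowed_chars(secret: str) -> list:
    """Sorted, de-duplicated list of the rejected characters present in the secret."""
    return sorted(c for c in set(secret) if c in DISALLOWED)


def secret_is_acceptable(secret: str) -> bool:
    """True when the secret contains none of the disallowed characters."""
    return not disallowed_chars(secret)


def new_client_secret(length: int = 48) -> str:
    """Fresh secret from ALLOWED_ALPHABET, for IdPs that accept an administrator-set
    value; when the IdP generates secrets itself, regenerate there and re-check."""
    return "".join(secrets.choice(ALLOWED_ALPHABET) for _ in range(length))


def report(secret: str) -> str:
    """Verdict suitable for a log line: never includes the secret, only its length
    and the offending characters."""
    bad = disallowed_chars(secret)
    if not bad:
        return "secret OK (%d characters)" % len(secret)
    return "secret rejected: contains %s; generate a new one" % " ".join(bad)


if __name__ == "__main__":
    # Constructed sample secrets; the first would be rejected by the form.
    print(report("abc$def[1]"))
    print(report(new_client_secret()))
```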