이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Authenticating with Red Hat Single Sign-On (RHSSO)
To authenticate users with Red Hat Single Sign-On (RHSSO):
2.1. Enabling authentication with Red Hat Single-Sign On (RHSSO)
To authenticate users with Red Hat Single Sign-On (RHSSO), enable the OpenID Connect (OIDC) authentication provider in Red Hat Developer Hub.
Prerequisites
- You added a custom Developer Hub application configuration, and have sufficient permissions to modify it.
- You have sufficient permissions in RHSSO to create and manage a realm.
Procedure
To allow Developer Hub to authenticate with RHSSO, complete the steps in RHSSO, to create a realm and a user and register the Developer Hub application:
Use an existing realm, or create a realm, with a distinctive Name such as <my_realm>. Save the value for the next step:
- RHSSO realm base URL, such as: <your_rhsso_URL>/auth/realms/<your_realm>.
To register your Developer Hub in RHSSO, in the created realm, create a Client ID, with:
- Client ID: A distinctive client ID, such as <RHDH>.
-
Valid redirect URIs: Set to the OIDC handler URL:
https://<RHDH_URL>/api/auth/oidc/handler/frame. - Navigate to the Credentials tab and copy the Client secret.
Save the values for the next step:
- Client ID
- Client Secret
- To prepare for the verification steps, in the same realm, get the credential information for an existing user or create a user. Save the user credential information for the verification steps.
To add your RHSSO credentials to your Developer Hub secrets, edit your Developer Hub secrets, such as
secrets-rhdh, and add the following key/value pairs:AUTH_OIDC_CLIENT_ID- Enter the saved Client ID.
AUTH_OIDC_CLIENT_SECRET- Enter the saved Client Secret.
AUTH_OIDC_METADATA_URL- Enter the saved RHSSO realm base URL.
To set up the RHSSO authentication provider in your Developer Hub custom configuration, edit your custom Developer Hub ConfigMap such as
app-config-rhdh, and add the following lines to theapp-config-rhdh.yamlcontent:app-config-rhdh.yamlfragment with mandatory fields to enable authentication with RHSSOauth: environment: production providers: oidc: production: metadataUrl: ${AUTH_OIDC_METADATA_URL} clientId: ${AUTH_OIDC_CLIENT_ID} clientSecret: ${AUTH_OIDC_CLIENT_SECRET} signInPage: oidcenvironment: production-
Mark the environment as
productionto hide the Guest login in the Developer Hub home page. metadataUrl,clientId,clientSecret- To configure the OIDC provider with your secrets.
sigInPage: oidc- To enable the OIDC provider as default sign-in provider.
Optional: Consider adding the following optional fields:
dangerouslyAllowSignInWithoutUserInCatalog: true
To enable authentication without requiring to provision users in the Developer Hub software catalog.
WarningUse this option to explore Developer Hub features, but do not use it in production.
app-config-rhdh.yamlfragment with optional field to allow authenticating users absent from the software catalogauth: environment: production providers: oidc: production: metadataUrl: ${AUTH_OIDC_METADATA_URL} clientId: ${AUTH_OIDC_CLIENT_ID} clientSecret: ${AUTH_OIDC_CLIENT_SECRET} signInPage: oidc dangerouslyAllowSignInWithoutUserInCatalog: true
callbackUrl
RHSSO callback URL.
app-config-rhdh.yaml fragment with optional callbackURL field
auth:
providers:
oidc:
production:
callbackUrl: ${AUTH_OIDC_CALLBACK_URL}
tokenEndpointAuthMethod
Token endpoint authentication method.
app-config-rhdh.yaml fragment with optional tokenEndpointAuthMethod field
auth:
providers:
oidc:
production:
tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_METHOD}
tokenSignedResponseAlg
Token signed response algorithm.
app-config-rhdh.yaml fragment with optional tokenSignedResponseAlg field
auth:
providers:
oidc:
production:
tokenSignedResponseAlg: ${AUTH_OIDC_SIGNED_RESPONSE_ALG}
scope
RHSSO scope.
app-config-rhdh.yaml fragment with optional scope field
auth:
providers:
oidc:
production:
scope: ${AUTH_OIDC_SCOPE}
signIn.resolvers
Declarative resolvers to override the default resolver: emailLocalPartMatchingUserEntityName. The authentication provider tries each sign-in resolver until it succeeds, and fails if none succeed.
app-config-rhdh.yaml fragment with optional callbackURL field
auth:
providers:
oidc:
production:
signIn:
resolvers:
- resolver: preferredUsernameMatchingUserEntityName
- resolver: emailMatchingUserEntityProfileEmail
- resolver: emailLocalPartMatchingUserEntityName
Verification
- Go to the Developer Hub login page.
- Your Developer Hub sign-in page displays Sign in using OIDC and the Guest user sign-in is disabled.
- Log in with OIDC by using the saved Username and Password values.
2.2. Provisioning users from Red Hat Single-Sign On (RHSSO) to the software catalog
Prerequisites
Procedure
To enable RHSSO member discovery, edit your custom Developer Hub ConfigMap, such as
app-config-rhdh, and add the following lines to theapp-config-rhdh.yamlcontent:app-config.yamlfragment with mandatorykeycloakOrgfieldsdangerouslyAllowSignInWithoutUserInCatalog: false catalog: providers: keycloakOrg: default: baseUrl: ${AUTH_OIDC_METADATA_URL} clientId: ${AUTH_OIDC_CLIENT_ID} clientSecret: ${AUTH_OIDC_CLIENT_SECRET}dangerouslyAllowSignInWithoutUserInCatalog: false- Allow authentication only for users present in the Developer Hub software catalog.
baseUrl- Your RHSSO server URL, defined when enabling authentication with RHSSO.
clientId- Your Developer Hub application client ID in RHSSO, defined when enabling authentication with RHSSO.
clientSecret- Your Developer Hub application client secret in RHSSO, defined when enabling authentication with RHSSO.
Optional: Consider adding the following optional fields:
realmRealm to synchronize. Default value:
master.app-config.yamlfragment with optionalrealmfieldcatalog: providers: keycloakOrg: default: realm: masterloginRealmRealm used to authenticate. Default value:
master.app-config.yamlfragment with optionalloginRealmfieldcatalog: providers: keycloakOrg: default: loginRealm: masteruserQuerySizeUser number to query simultaneously. Default value:
100.app-config.yamlfragment with optionaluserQuerySizefieldcatalog: providers: keycloakOrg: default: userQuerySize: 100groupQuerySizeGroup number to query simultaneously. Default value:
100.app-config.yamlfragment with optionalgroupQuerySizefieldcatalog: providers: keycloakOrg: default: groupQuerySize: 100schedule.frequencyTo specify custom schedule frequency. Supports cron, ISO duration, and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.frequencyfieldcatalog: providers: keycloakOrg: default: schedule: frequency: { hours: 1 }schedule.timeoutTo specify custom timeout. Supports ISO duration and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.timeoutfieldcatalog: providers: keycloakOrg: default: schedule: timeout: { minutes: 50 }schedule.initialDelayTo specify custom initial delay. Supports ISO duration and "human duration" as used in code.
app-config.yamlfragment with optionalschedule.initialDelayfieldcatalog: providers: keycloakOrg: default: schedule: initialDelay: { seconds: 15}
Verification
Check the console logs to verify that the synchronization is completed.
Successful synchronization example:
{"class":"KeycloakOrgEntityProvider","level":"info","message":"Read 3 Keycloak users and 2 Keycloak groups in 1.5 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"} {"class":"KeycloakOrgEntityProvider","level":"info","message":"Committed 3 Keycloak users and 2 Keycloak groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}- Log in with an RHSSO account.
2.3. Creating a custom transformer to provision users from Red Hat Single-Sign On (RHSSO) to the software catalog
To customize how RHSSO users and groups are mapped to Red Hat Developer Hub entities, you can create a backend module that uses the keycloakTransformerExtensionPoint to provide custom user and group transformers for the Keycloak backend.
Prerequisites
Procedure
-
Create a new backend module with the
yarn newcommand. Add your custom user and group transformers to the
keycloakTransformerExtensionPoint.The following is an example of how the backend module can be defined:
plugins/<module-name>/src/module.tsimport { GroupTransformer, keycloakTransformerExtensionPoint, UserTransformer, } from '@janus-idp/backstage-plugin-keycloak-backend'; const customGroupTransformer: GroupTransformer = async ( entity, // entity output from default parser realm, // Keycloak realm name groups, // Keycloak group representation ) => { /* apply transformations */ return entity; }; const customUserTransformer: UserTransformer = async ( entity, // entity output from default parser user, // Keycloak user representation realm, // Keycloak realm name groups, // Keycloak group representation ) => { /* apply transformations */ return entity; }; export const keycloakBackendModuleTransformer = createBackendModule({ pluginId: 'catalog', moduleId: 'keycloak-transformer', register(reg) { reg.registerInit({ deps: { keycloak: keycloakTransformerExtensionPoint, }, async init({ keycloak }) { keycloak.setUserTransformer(customUserTransformer); keycloak.setGroupTransformer(customGroupTransformer); /* highlight-add-end */ }, }); }, });ImportantThe module’s
pluginIdmust be set tocatalogto match thepluginIdof thekeycloak-backend; otherwise, the module fails to initialize.Install this new backend module into your Developer Hub backend.
backend.add(import(backstage-plugin-catalog-backend-module-keycloak-transformer))
Verification
Developer Hub imports the users and groups each time when started. Check the console logs to verify that the synchronization is completed.
Successful synchronization example:
{"class":"KeycloakOrgEntityProvider","level":"info","message":"Read 3 Keycloak users and 2 Keycloak groups in 1.5 seconds. Committing...","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"} {"class":"KeycloakOrgEntityProvider","level":"info","message":"Committed 3 Keycloak users and 2 Keycloak groups in 0.0 seconds.","plugin":"catalog","service":"backstage","taskId":"KeycloakOrgEntityProvider:default:refresh","taskInstanceId":"bf0467ff-8ac4-4702-911c-380270e44dea","timestamp":"2024-09-25 13:58:04"}- After the first import is complete, navigate to the Catalog page and select User to view the list of users.
- When you select a user, you see the information imported from RHSSO.
- You can select a group, view the list, and access or review the information imported from RHSSO.
- You can log in with an RHSSO account.
