Chapter 16. Configuring Single Sign-On for the RHEL 8 web console in the IdM domain

The RHEL 8 web console supports Single Sign-on (SSO) authentication provided by Identity Management (IdM).

Advantages:

  • IdM domain administrators can use the RHEL 8 web console to manage local machines.
  • Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to access the web console.
  • All hosts known to the IdM domain are accessible via SSH from the local instance of the RHEL 8 web console.
  • Certificate configuration is not necessary. The console’s web server automatically switches to a certificate issued by the IdM certificate authority and accepted by browsers.

This chapter covers the following steps to configure SSO for logging into the the RHEL web console:

  1. Add machines to the IdM domain using the RHEL 8 web console.

    For details, see Joining the RHEL 8 system to the IdM domain using the web console

  2. If you want to use Kerberos for authentication, you need to obtain a Kerberos ticket on your machine.

    For details, see Logging in to the web console using a Kerberos ticket

  3. Allow administrators on the IdM master server to run any command on any host.

    For details, see Enabling admin sudo access on the IdM server.

Prerequisites

16.1. Joining a RHEL 8 system to an IdM domain using the web console

This procedure uses the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.

Prerequisites

  • The IdM domain is running and reachable from the client you want to join.
  • You have the IdM domain administrator credentials.

Procedure

  1. Log into the RHEL web console.

    For details, see Logging in to the web console.

  2. Open the System tab.
  3. Click Join Domain.

    idm cockpit join domain

  4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
  5. In the Authentication drop down list, select if you want to use a password or a one-time password for authentication.

    idm cockpit join psswd

  6. In the Domain Administrator Name field, enter the user name of the IdM administration account.
  7. In the password field, add the password or one-time password according to what you selected in the Authentication drop down list earlier.
  8. Click Join.

    idm cockpit join

Verification steps

  1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
  2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

    $ id
    euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

16.2. Logging in to the web console using Kerberos authentication

The following procedure describes steps on how to set up the RHEL 8 system to use Kerberos authentication.

Important

With SSO you usually do not have any administrative privileges in the web console. This only works if you configured passwordless sudo. The web console does not interactively ask for a sudo password.

Prerequisites

Procedure

Log in to the RHEL web console with the following address: https://dns_name:9090.

At this point, you are successfully connected to the RHEL web console and you can start with configuration.

idm cockpit logging done

16.3. Enabling admin sudo access to domain administrators on the IdM server

The following procedure describes steps on how to allow domain administrators to run any command on any host in the Identity Management (IdM) domain.

To accomplish this, enable sudo access to the admins user group created automatically during the IdM server installation.

All users added to the admins group will have sudo access if you run ipa-advise script on the group.

Prerequisites

  • The server runs IdM 4.7.1 or later.

Procedure

  1. Connect to the IdM server.
  2. Run the ipa-advise script:

    $ ipa-advise enable-admins-sudo | sh -ex

If the console did not display an error, the admins group have admin permissions on all machines in the IdM domain.