Chapter 2. Configuring Red Hat Single Sign-On as an OpenID provider

Red Hat Single Sign-On is an identity and access management provider for securing web applications with single sign-on (SSO). It supports OpenID Connect (an extension to OAuth 2.0).


  • You have installed the Red Hat Single Sign-On server. For more information, see Installing the Red Hat Single Sign-On server in the Red Hat Single Sign-On Getting Started Guide.
  • You have created a user in your Red Hat Single Sign-On server instance. For more information, see Creating a user in the Red Hat Single Sign-On Getting Started Guide.


  1. Start the Red Hat Single Sign-On server at a port other than 8080 because JBoss EAP default port is 8080.


    $ RH_SSO_HOME/bin/ -Djboss.socket.binding.port-offset=<offset-number>


    $ /home/servers/rh-sso-7.4/bin/ -Djboss.socket.binding.port-offset=100

  2. Log in to the Admin Console at http://localhost:<port>/auth/. For example, http://localhost:8180/auth/.
  3. To create a realm, in the Admin Console, hover over Master, and click Add realm.
  4. Enter a name for the realm. For example, example_realm. Ensure that Enabled is ON and click Create.
  5. Click Users, then click Add user to add a user to the realm.
  6. Enter a user name. For example, user1. Ensure that User Enabled is ON and click Save.
  7. Click Credentials to add a password to the user.
  8. Set a password for the user. For example, passwordUser1. Toggle Temporary to OFF and click Set Password. In the confirmation prompt, click Set password.
  9. Click Clients, then click Create to configure a client connection.
  10. Enter a client ID. For example, my_jbeap. Ensure that Client Protocol is set to openid-connect, and click Save.
  11. Click Installation, then select Keycloak OIDC JSON as the Format Option to see the connection parameters.

      "realm": "example_realm",
      "auth-server-url": "http://localhost:8180/auth/",
      "ssl-required": "external",
      "resource": "my_jbeap",
      "public-client": true,
      "confidential-port": 0

    When configuring your JBoss EAP application to use Red Hat Single Sign-On as the identity provider, you use the parameters as follows:

    "provider-url" : "http://localhost:8180/auth/realms/example_realm",
    "ssl-required": "external",
    "client-id": "my_jbeap",
    "public-client": true,
    "confidential-port": 0
  12. Click Clients, click Edit next to my_jbeap to edit the client settings.
  13. In Valid Redirect URIs, enter the URL where the page should redirect after authentication is successful.

    For this example, set this value to http://localhost:8080/simple-webapp-example/secured/* and then click Save.

Additional resources