Chapter 6. Creating and assigning user roles in Red Hat Single Sign-On

Red Hat Single Sign-On is an identity and access management provider for securing your web applications with single sign-on (SSO). You can define users and assign roles in Red Hat Single Sign-On.


Prerequisites

  • You have secured your application using OpenID Connect with Red Hat Single Sign-On as the identity provider.


Procedure

  1. Log in to the admin console at http://localhost:<port>/auth/. For example, http://localhost:8180/auth/.
  2. Click the realm you use to connect with JBoss EAP. For example, example_realm.
  3. Click Clients, then click the client-name you configured for JBoss EAP. For example, my_jbeap.
  4. Click Roles, then Add Role.
  5. Enter a role name, such as Admin, then click Save. This is the role name you configure in JBoss EAP for authorization.
  6. Click Users, then View all users.
  7. Click an ID to assign the role you created. For example, click the ID for user1.
  8. Click Role Mappings. In the Client Roles field, select the client-name you configured for JBoss EAP. For example, my_jbeap.
  9. In Available Roles, select a role to assign. For example, Admin. Click Add selected.


Verification

  1. If your application is already deployed, undeploy the application and deploy it again. In the application root directory, enter the following commands:

    $ mvn wildfly:undeploy
    $ mvn wildfly:deploy
  2. In a browser, navigate to the application URL. For example, http://localhost:8080/simple-webapp-example/secured.

    You are redirected to the Red Hat Single Sign-On login page.

  3. Log in with your credentials. For example:

    username: user1
    password: passwordUser1

    You get the following output:

    Secured Servlet
    Current Principal 'cc02dfd3-198d-47e4-a9a9-021c5492e230'
    Roles : [offline_access, default-roles-example_realm, uma_authorization, Admin]

    The Principal value comes from the ID token issued by the OpenID provider: it is the value of the token's "sub" claim. The Roles list combines the realm roles and the client role (Admin) you assigned to the user.

    Users with the required role can log in to your application.
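As an added example (not part of the Red Hat documentation), the following Python decodes a constructed token payload in the claim layout Red Hat Single Sign-On issues (realm roles under realm_access, client roles under resource_access.<client-id>) and derives the Principal and role list shown in the verification output above. The client ID my_jbeap, the realm role names and the placeholder signature segment are assumptions constructed for the sample.

```python
import base64
import json

# Constructed sample claims in the layout Red Hat Single Sign-On issues:
# realm roles under realm_access, client roles under resource_access.<client-id>.
# Values mirror the verification output above; this is not a captured token.
SAMPLE_CLAIMS = {
    "sub": "cc02dfd3-198d-47e4-a9a9-021c5492e230",
    "azp": "my_jbeap",
    "realm_access": {
        "roles": ["offline_access", "default-roles-example_realm", "uma_authorization"]
    },
    "resource_access": {"my_jbeap": {"roles": ["Admin"]}},
}

def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token(claims: dict) -> str:
    """Assemble header.payload.signature; the signature is a placeholder (no realm key here)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"

def decode_claims(token: str) -> dict:
    """Parse the payload segment only. The RS256 signature is not verified here;
    in the deployment above the JBoss EAP OIDC adapter verifies it before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(b64url_decode(parts[1]))

def effective_roles(claims: dict, client_id: str) -> list:
    """Realm roles plus the roles mapped under the given client, in that order."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return realm + client

def has_role(claims: dict, client_id: str, role: str) -> bool:
    """Role names are compared exactly: 'Admin' and 'admin' are different roles."""
    return role in effective_roles(claims, client_id)
```

Roles mapped under a different client ID are not visible to my_jbeap, which is why the client-name selection in the Role Mappings step matters.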