Chapter 3. Configuring Red Hat Single Sign-On

Red Hat Single Sign-On (RH-SSO) supports multi-tenancy, and uses realms to allow for separation between tenants. As a result, RH-SSO operations always occur within the context of a realm. You can either create the realm manually, or with the keycloak-httpd-client-install tool if you have administrative privileges on the RH-SSO server.


You must have a fully installed RH-SSO server. For more information on installing RH-SSO, see the Server Installation and Configuration Guide.

You need definitions for the following variables as they appear below:

  - The Red Hat Single Sign-On URL
  - Identifies the RH-SSO realm in use

3.1. Configuring the RH-SSO realm

When the Red Hat Single Sign-On (RH-SSO) realm is available, use the RH-SSO web console to configure the realm for user federation against IdM:


  1. From the drop-down list in the upper left corner, select your RH-SSO realm.
  2. From the Configure panel, select User Federation.
  3. From the Add provider drop-down list in the User Federation panel, select ldap.
  4. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.


    Console Display Name

    Red Hat IDM

    Edit Mode


    Sync Registrations



    Red Hat Directory Server

    Username LDAP attribute


    RDN LDAP attribute


    UUID LDAP attribute


    User Object Classes

    inetOrgPerson, organizationalPerson

    Connection URL


    Users DN


    Authentication Type


    Bind DN


    Bind Credential


  5. Use the Test connection and Test authentication buttons to ensure that user federation is working.
  6. Click Save to save the new user federation provider.
  7. Click the Mappers tab at the top of the Red Hat IdM user federation page you created.
  8. Create a mapper to retrieve the user group information. A user’s group membership is returned in the SAML assertion. Use group membership later to provide authorization in OpenStack.
  9. Click Create in the Mappers page.
  10. On the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop-down list, and name it Group Mapper. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.


    LDAP Groups DN


    Group Name LDAP Attribute


    Group Object Classes


    Membership LDAP Attribute


    Membership Attribute Type




    User Groups Retrieve Strategy


  11. Click Save.

3.2. Adding user attributes using SAML assertion

Security Assertion Markup Language (SAML) is an open standard that allows the communication of user attributes and authorization credentials between the identity provider (IdP) and a service provider (SP).

You can configure Red Hat Single Sign-On (RH-SSO) to return the attributes that you require in the assertion. When the OpenStack Identity service receives the SAML assertion, it maps those attributes onto OpenStack users. The process of mapping IdP attributes into Identity Service data is called Federated Mapping. For more information, see Section 4.20, “Create the Mapping File and Upload to Keystone”.

Use the following process to add attributes to SAML:


  1. In the RH-SSO administration web console, select <_FED_RHSSO_REALM_> from the drop-down list in the upper left corner.
  2. Select Clients from the Configure panel.
  3. Select the service provider client that keycloak-httpd-client-install configured. You can identify the client with the SAML EntityId.
  4. Select the Mappers tab from the horizontal list of tabs.
  5. In the Mappers panel, select Create or Add Builtin to add a protocol mapper to the client.

You can add additional attributes, but you only need the list of groups for which the user is a member. Group membership is how you authorize the user.

3.3. Adding group information to the SAML assertion


  1. Click the Create button in the Mappers Panel.
  2. In the Create Protocol Mapper panel, select Group list from the Mapper type drop-down list.
  3. Enter Group List as a name in the Name field.
  4. Enter groups as the name of the SAML attribute in the Group attribute Name field.


    This is the name of the attribute as it appears in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it searches for the SAML attribute name. When you add an attribute in RH-SSO to be passed in the assertion, specify the SAML attribute name. You define the name in the RH-SSO protocol mapper.

  5. In the SAML Attribute NameFormat parameter, select Basic.
  6. In the Single Group Attribute toggle box, select On.
  7. Click Save.

When you run the keycloak-httpd-client-install tool, the process adds a group mapper.
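To show what Sections 3.2 and 3.3 produce and consume, here is an added example (not from the Red Hat guide, keystone, or RH-SSO): it parses a constructed SAML AttributeStatement carrying the Group list mapper's "groups" attribute, in the layout produced with Single Group Attribute On (one attribute, several values) or Off (one attribute element per group), and evaluates a keystone-style remote rule against it. The remote attribute name "groups", the group names and the rule are constructed assumptions, and the evaluator is a simplified stand-in for keystone's mapping engine, whose real rule file Section 4.20 describes.

```python
# Added example: parse the "groups" SAML attribute the Group list mapper emits and
# evaluate a keystone-style "remote" rule against it (simplified stand-in, not keystone's code).
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed AttributeStatement: one "groups" attribute with several values,
# the layout produced with Single Group Attribute = On and NameFormat = Basic.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>openstack-users</saml:AttributeValue>
      <saml:AttributeValue>ipausers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(xml_text):
    """Return {attribute Name: [values]} from the AttributeStatement.
    Repeated Attribute elements with the same Name are merged, so the
    Single Group Attribute = Off layout (one element per group) works too."""
    attrs = {}
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("NameFormat", BASIC) != BASIC:
            continue  # only the Basic NameFormat selected in section 3.3
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def remote_rule_matches(remote, attrs):
    """Each remote entry names an attribute by "type"; any_one_of requires at
    least one listed value, not_any_of rejects if any listed value is present."""
    for cond in remote:
        if cond["type"] not in attrs:
            return False              # attribute absent from the assertion
        values = set(attrs[cond["type"]])
        if "any_one_of" in cond and not values & set(cond["any_one_of"]):
            return False
        if "not_any_of" in cond and values & set(cond["not_any_of"]):
            return False
    return True

# Constructed rule (assumption): authorize members of openstack-users only.
REMOTE = [{"type": "groups", "any_one_of": ["openstack-users"]}]
```

Calling `remote_rule_matches(REMOTE, saml_attributes(SAMPLE_ASSERTION))` returns True for the sample, and False once the "groups" attribute is missing or carries none of the required values.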