Chapter 3. Configuring Red Hat Single Sign-On
Red Hat Single Sign-On (RH-SSO) supports multi-tenancy, and uses realms to allow for separation between tenants. As a result, RH-SSO operations always occur within the context of a realm. You can either create the realm manually, or with the keycloak-httpd-client-install tool if you have administrative privileges on the RH-SSO server.
You must have a fully installed RH-SSO server. For more information on installing RH-SSO, see Server installation and configuration guide.
You need definitions for the following variables as they appear below:
- The Red Hat Single Sign-On URL
- <_FED_RHSSO_REALM_>: identifies the RH-SSO realm in use
3.1. Configuring the RH-SSO realm
When the Red Hat Single Sign-On (RH-SSO) realm is available, use the RH-SSO web console to configure the realm for user federation against IdM:
- From the drop-down list in the upper left corner, select your RH-SSO realm.
- In the User Federation panel, select the provider from the Add provider drop-down list.
- Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.
  - Console Display Name: Red Hat IDM
  - Vendor: Red Hat Directory Server
  - Username LDAP attribute
  - RDN LDAP attribute
  - UUID LDAP attribute
  - User Object Classes
- Use the Test connection and Test authentication buttons to ensure that user federation is working.
- Click Save to save the new user federation provider.
- Select the Mappers tab at the top of the Red Hat IdM user federation page you created.
- Create a mapper to retrieve the user group information. A user's group membership is returned in the SAML assertion. Group membership is used later to provide authorization in OpenStack.
- Click Create in the Mappers page.
- In the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop-down list, and name it Group Mapper. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.
  - LDAP Groups DN
  - Group Name LDAP Attribute
  - Group Object Classes
  - Membership LDAP Attribute
  - Membership Attribute Type
  - User Groups Retrieve Strategy
3.2. Adding user attributes using SAML assertion
Security Assertion Markup Language (SAML) is an open standard that allows the communication of user attributes and authorization credentials between the identity provider (IdP) and a service provider (SP).
You can configure Red Hat Single Sign-On (RH-SSO) to return the attributes that you require in the assertion. When the OpenStack Identity service receives the SAML assertion, it maps those attributes onto OpenStack users. The process of mapping IdP attributes into Identity Service data is called Federated Mapping. For more information, see Section 4.20, “Create the Mapping File and Upload to Keystone”.
Use the following process to add attributes to SAML:
- In the RH-SSO administration web console, select <_FED_RHSSO_REALM_> from the drop-down list in the upper left corner.
- Select the service provider client that keycloak-httpd-client-install configured. You can identify the client with the SAML
- Select the Mappers tab from the horizontal list of tabs.
- In the Mappers panel, click Add Builtin to add a protocol mapper to the client.
You can add additional attributes, but you only need the list of groups for which the user is a member. Group membership is how you authorize the user.
3.3. Adding group information to the SAML assertion
- Click the Create button in the Mappers panel.
- In the Create Protocol Mapper panel, select Group list from the Mapper type drop-down list.
- Enter Group List as the name.
- Enter groups as the name of the SAML attribute in the Group attribute field.
  This is the name of the attribute as it appears in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it searches for the SAML attribute name. When you add an attribute in RH-SSO to be passed in the assertion, specify the SAML attribute name. You define the name in the RH-SSO protocol mapper.
- In the SAML Attribute NameFormat parameter, select
- In the Single Group Attribute toggle box, select
When you run the keycloak-httpd-client-install tool, the process adds a group mapper.
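The following is an added example, not part of this Red Hat documentation and not code from RH-SSO or the keycloak-httpd-client-install tool. It shows the link that Section 3.2 and Section 3.3 describe between the SAML attribute name set in the RH-SSO protocol mapper and the Remote section of the keystone mapping declaration: a constructed assertion carrying a single multi-valued `groups` attribute is parsed, checked for the shape the steps above produce, and fed to a simplified evaluator written in the remote/local shape of a keystone mapping rule. The assertion, the group names, the `Default` domain name and the evaluator itself are assumptions made for this example; the evaluator is not keystone's own implementation.

```python
"""Added example (not Red Hat's, RH-SSO's or keystone's code): trace the
"groups" SAML attribute into a simplified keystone-style mapping rule."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real RH-SSO server).
# The "groups" Attribute is shaped the way a "Group list" protocol mapper with
# "Single Group Attribute" enabled emits it: one Attribute element carrying
# one AttributeValue per group. Group names are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>openstack-users</saml:AttributeValue>
      <saml:AttributeValue>openstack-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed rule in the remote/local shape of a keystone mapping entry;
# "Default" is a placeholder domain. The remote "type" must equal the SAML
# attribute name configured in the RH-SSO protocol mapper ("groups").
GROUP_MAPPING_RULE = {
    "local": [{"groups": "{0}", "domain": {"name": "Default"}}],
    "remote": [{"type": "groups"}],
}

# Same rule, but the remote side names an attribute RH-SSO was never told to
# emit: the misconfiguration the text warns about (names must match).
MISMATCHED_RULE = {
    "local": [{"groups": "{0}", "domain": {"name": "Default"}}],
    "remote": [{"type": "memberOf"}],
}


def extract_attributes(assertion_xml):
    """Return {attribute_name: [values]} from the assertion's AttributeStatement.
    Attributes that share a Name are merged, so check_group_attribute() is
    what tells a single multi-valued attribute from several single-valued ones."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_group_attribute(assertion_xml, attribute_name="groups"):
    """Report whether the group attribute arrived the way the steps above set it up."""
    root = ET.fromstring(assertion_xml)
    matches = [a for a in root.findall(".//saml:Attribute", SAML_NS)
               if a.get("Name") == attribute_name]
    values = [v.text or "" for a in matches
              for v in a.findall("saml:AttributeValue", SAML_NS)]
    return {
        "present": bool(matches),
        # exactly one Attribute element means "Single Group Attribute" was on
        "single_attribute": len(matches) == 1,
        "name_format": matches[0].get("NameFormat") if matches else None,
        "values": values,
    }


def apply_mapping_rule(rule, attrs):
    """Simplified evaluator (not keystone's code). Every "remote" entry must
    name an attribute present in the assertion; an entry with "any_one_of"
    only guards, an entry without it feeds its values to the "local"
    templates ({0}, {1}, ...). Returns None when the rule does not match."""
    direct = []
    for requirement in rule["remote"]:
        values = attrs.get(requirement["type"])
        if not values:
            return None  # attribute name mismatch or attribute absent
        if "any_one_of" in requirement:
            if not set(values) & set(requirement["any_one_of"]):
                return None
        else:
            direct.append(values)
    result = {}
    for entry in rule["local"]:
        for key, template in entry.items():
            if isinstance(template, str) and template.startswith("{") and template.endswith("}"):
                result[key] = direct[int(template[1:-1])]
            else:
                result[key] = template
    return result


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(check_group_attribute(SAMPLE_ASSERTION))
    print("matching rule   ->", apply_mapping_rule(GROUP_MAPPING_RULE, attrs))
    print("mismatched rule ->", apply_mapping_rule(MISMATCHED_RULE, attrs))
```

Run against a real assertion captured from your own deployment, `check_group_attribute()` confirms that the attribute name and the single-attribute layout match what you configured in the protocol mapper, and `apply_mapping_rule()` with the mismatched rule shows the failure mode: when the Remote `type` and the SAML attribute name disagree, the rule silently yields no groups and the user receives no authorization.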