Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

Chapter 3. Configuring Red Hat Single Sign-On

Red Hat Single Sign-On (RH-SSO) supports multi-tenancy, and uses realms to allow for separation between tenants. As a result RH-SSO operations always occur within the context of a realm. You can either create the realm manually, or with the keycloak-httpd-client-install tool if you have administrative privileges on the RH-SSO server.

Prerequisites

You must have a fully installed RH-SSO server. For more information on installing RH-SSO, see Server installation and configuration guide.

You need definitions for the following variables as they appear below:

<_RH_RHSSO_URL_>

The Red Hat Single Sign-On URL

<_FED_RHSSO_REALM_>

Identifies the RH-SSO realm in use

3.1. Configuring the RH-SSO realm

When the Red Hat Single Sign-On (RH-SSO) realm is available, use the RH-SSO web console to configure the realm for user federation against IdM:

Procedure

  1. From the drop-down list in the uppper left corner, select your RH-SSO realm.
  2. From the Configure panel, select User Federation.
  3. From the Add provider drop-down list in the User Federation panel, select ldap.

  4. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.

    PropertyValue

    Console Display Name

    Red Hat IDM

    Edit Mode

    READ_ONLY

    Sync Registrations

    Off

    Vendor

    Red Hat Directory Server

    Username LDAP attribute

    uid

    RDN LDAP attribute

    uid

    UUID LDAP attribute

    ipaUniqueID

    User Object Classes

    inetOrgPerson, organizationalPerson

    Connection URL

    LDAPS://<_FED_IPA_HOST_>

    Users DN

    cn=users,cn=accounts,<_FED_IPA_BASE_DN_>

    Authentication Type

    simple

    Bind DN

    uid=rhsso,cn=sysaccounts,cn=etc,<_FED_IPA_BASE_DN_>

    Bind Credential

    <_FED_IPA_RHSSO_SERVICE_PASSWD_>

  5. Use the Test connection and Test authentication buttons to ensure that user federation is working.
  6. Click Save to save the new user federation provider.
  7. Click the Mappers tab at the top of the Red Hat IdM user federation page you created.
  8. Create a mapper to retrieve the user group information. A user’s group membership returns the SAM assertion. Use group membership later to provide authorization in OpenStack.
  9. Click Create in the Mappers page.

  10. On the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop-down list, and name it Group Mapper. Provide values for the following parameters. Substitute all site-specific values with values relevant to your environment.

    PropertyValue

    LDAP Groups DN

    cn=groups,cn=accounts„<_FED_IPA_BASE_DN_>

    Group Name LDAP Attribute

    cn

    Group Object Classes

    groupOfNames

    Membership LDAP Attribute

    member

    Membership Attribute Type

    DN

    Mode

    READ_ONLY

    User Groups Retrieve Strategy

    GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

  11. Click Save.

3.2. Adding user attrubutes using SAML assertion

Security Assertion Markup Language (SAML) is an open standard that allows the communication of user attributes and authorization credentials between the identity provider (IdP) and a service provider (SP).

You can configure Red Hat Single Sign-On (RH-SSO) to return the attribues that you require in the assertion. When the OpenStack Identity service receives the SAML assertion, it maps those attributes onto OpenStack users. The process of mapping IdP attributes into Identity Service data is called Federated Mapping. For more information, see Section 4.20, “Create the Mapping File and Upload to Keystone”.

Use the following process to add attributes to SAML:

Procedure

  1. In the RH-SSO administration web console, select <_FED_RHSSO_REALM_> from the drop-down list in the upper left corner.
  2. Select Clients from the Configure panel.
  3. Select the service provider client that keycloak-httpd-client-install configured. You can identify the client with the SAML EntityId.
  4. Select the mappers tab from the horizontal list of tabs.
  5. In the Mappers panel, select Create or Add Builtin to add a protocol mapper to the client.

You can add additional attributes, but you only need the list of groups for which the user is a member. Group membership is how you authorize the user.

3.3. Adding group information to the SAML assertion

Procedure

  1. Click the Create button in the Mappers Panel.
  2. In the Create Protocol Mapper panel, select Group list from the Mapper tpe drop-down list.
  3. Enter Group List as a name in the Name field.

  4. Enter groups as the name of the SAML attribute in the Group attribute Name field.

    Note

    This is the name of the attribute as it appears in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it searches for the SAML attrubute name. When you add an attribute in RH-SSO to be passed in the assertion, specify the SAML attribute name. You define the name in the RH-SSO protocol mapper.

  5. In the SAML Attribute NameFormat parameter, select Basic.
  6. In the Single Group Attribute toggle box, select On.
  7. Click Save.
Note

When you run the keycloak-httpd-client-install tool, the process adds a group mapper.