19.5. Installing and Configuring Red Hat Single Sign-On

To use Red Hat Single Sign-On as your authorization method, you need to:

  • Install Red Hat SSO.
  • Configure the LDAP group mapper.
  • Configure Apache on the Manager.
  • Configure OVN provider credentials.

Note

If Red Hat SSO is configured, previous LDAP sign ons will not work, as only a single authorization protocol may be used at a time.

19.5.1. Installing Red Hat Single Sign-On

You can install Red Hat Single Sign-On by downloading a ZIP file and unpacking it, or by using an RPM file.

Follow the installation instructions at Red Hat SSO Installation.

Prepare the following information:

  • Path/location of the OpenID Connect server.
  • The subscription channel for the correct repositories.
  • Valid Red Hat subscription login credentials.

19.5.2. Configuring the LDAP group mapper

  1. Add the LDAP groups mapper with the following information:

    • Name: ldapgroups
    • Mapper Type: group-ldap-mapper
    • LDAP Groups DN: ou=groups,dc=example,dc=com
    • Group Object Classes: groupofuniquenames (adapt this class according to your LDAP server setup)
    • Membership LDAP Attribute: uniquemember (adapt this attribute according to your LDAP server setup)
  2. Click Save.
  3. Click Sync LDAP Groups to KeyCloak.
  4. At the bottom of the User Federation Provider page, click Synchronize all users.
  5. In the Clients tab, under Add Client, add ovirt-engine as the Client ID, and enter the engine URL as the Root URL.
  6. Modify the Client Protocol to openid-connect and the Access Type to confidential.
  7. In the Clients tab, under Ovirt-engine > Advanced Settings, increase the Access Token Lifespan.
  8. Add https://rhvm.example.com:443/* as a valid redirect URI.
  9. The client secret is generated, and can be viewed in the Credentials tab.
  10. In the Clients tab under Create Mapper Protocol, create a mapper with the following settings:

    • Name: groups
    • Mapper Type: Group Membership
    • Token Claim Name: groups
    • Full group path: ON
    • Add to ID token: ON
    • Add to access token: ON
    • Add to userinfo: ON
  11. Add the Builtin Protocol Mapper for username.
  12. Create the scopes needed by ovirt-engine, ovirt-app-api and ovirt-app-admin.
  13. Use the scopes created in the previous step to set up optional client scopes for the ovirt-engine client.
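A quick way to confirm that the mappers from steps 10 and 11 produce what the Manager-side configuration later relies on is to decode an access token issued for the ovirt-engine client and inspect its claims. The following Python script is an added example and is not part of the product or its documentation: it decodes the payload segment of a JWT (without verifying the signature, which mod_auth_openidc does in the deployment) and checks for a preferred_username claim, a groups claim whose entries are full paths, and an unexpired exp. The embedded SAMPLE_TOKEN is constructed for the example; to inspect a real token, pass the access token string obtained from the realm's token endpoint to decode_claims.

```python
import base64
import json
import time


def _b64url(obj):
    """base64url without padding, as used for JWT segments."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a JWT-shaped token carrying the claims the two mappers
# add. The signature segment is a dummy; nothing here verifies signatures.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"preferred_username": "user1",
             "groups": ["/ovirt-administrator", "/developers/backend"],
             "exp": 4102444800}),  # 2100-01-01 UTC, so the sample never expires
    "dummy-signature",
])


def decode_claims(token):
    """Return the payload of a JWT without checking its signature (inspection
    only; mod_auth_openidc performs the verification in the real deployment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_ovirt_claims(claims, now=None):
    """List what the Apache/engine configuration would miss; [] means OK."""
    now = int(time.time()) if now is None else now
    problems = []
    if "preferred_username" not in claims:
        problems.append("no preferred_username claim: add the builtin username mapper")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        problems.append("no groups claim: add the Group Membership mapper")
    else:
        for group in groups:
            if not group.startswith("/"):
                problems.append(f"group {group!r} is not a full path: turn Full group path ON")
    if claims.get("exp", 0) <= now:
        problems.append("token expired: consider a longer Access Token Lifespan")
    return problems


if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    print("problems:", check_ovirt_claims(claims) or "none")
```

The groups check mirrors the Full group path setting: with it ON, Keycloak emits entries such as /ovirt-administrator, which is the form the later authz configuration receives in OIDC_CLAIM_groups.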

19.5.3. Configuring Apache in the Manager

  1. Enable the mod_auth_openidc module stream:

    # dnf module enable mod_auth_openidc:2.3 -y
  2. Install the mod_auth_openidc package on the Manager:

    # dnf install mod_auth_openidc
  3. Create a new httpd config file ovirt-openidc.conf in /etc/httpd/conf.d/ with the following content:

    LoadModule auth_openidc_module modules/mod_auth_openidc.so
    
    OIDCProviderMetadataURL https://SSO.example.com/auth/realms/master/.well-known/openid-configuration
    OIDCSSLValidateServer Off
    
    OIDCClientID ovirt-engine
    OIDCClientSecret <client_SSO_generated_key>
    OIDCRedirectURI https://rhvm.example.com/ovirt-engine/callback
    OIDCDefaultURL https://rhvm.example.com/ovirt-engine/login?scope=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E
    
    # maps the preferred_username claim to the REMOTE_USER environment variable:
    
    OIDCRemoteUserClaim preferred_username
    OIDCCryptoPassphrase <random1234>
    
    <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
        <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    
          Require valid-user
          AuthType openid-connect
    
          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
        </If>
    </LocationMatch>
    
    OIDCOAuthIntrospectionEndpoint https://SSO.example.com/auth/realms/master/protocol/openid-connect/token/introspect
    OIDCOAuthSSLValidateServer Off
    OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
    OIDCOAuthClientID ovirt-engine
    OIDCOAuthClientSecret <client_SSO_generated_key>
    OIDCOAuthRemoteUserClaim sub
    
    <LocationMatch ^/ovirt-engine/(api$|api/)>
       AuthType oauth20
       Require valid-user
    </LocationMatch>
  4. To save the configuration changes, restart httpd and ovirt-engine:

    # systemctl restart httpd
    # systemctl restart ovirt-engine
  5. Create the file openidc-authn.properties in /etc/ovirt-engine/extensions.d/ with the following content:

    ovirt.engine.extension.name = openidc-authn
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.misc
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.misc.http.AuthnExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
    ovirt.engine.aaa.authn.profile.name = openidchttp
    ovirt.engine.aaa.authn.authz.plugin = openidc-authz
    ovirt.engine.aaa.authn.mapping.plugin = openidc-http-mapping
    config.artifact.name = HEADER
    config.artifact.arg = OIDC_CLAIM_preferred_username
  6. Create the file openidc-http-mapping.properties in /etc/ovirt-engine/extensions.d/ with the following content:

    ovirt.engine.extension.name = openidc-http-mapping
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.misc
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.misc.mapping.MappingExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
    config.mapAuthRecord.type = regex
    config.mapAuthRecord.regex.mustMatch = false
    config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
    config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
  7. Create the file openidc-authz.properties in /etc/ovirt-engine/extensions.d/ with the following content:

    ovirt.engine.extension.name = openidc-authz
    ovirt.engine.extension.bindings.method = jbossmodule
    ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.misc
    ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.misc.http.AuthzExtension
    ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
    config.artifact.name.arg = OIDC_CLAIM_preferred_username
    config.artifact.groups.arg = OIDC_CLAIM_groups
  8. Create the file 99-enable-external-auth.conf in /etc/ovirt-engine/engine.conf.d/ with the following content:

    ENGINE_SSO_ENABLE_EXTERNAL_SSO=true
    ENGINE_SSO_EXTERNAL_SSO_LOGOUT_URI="${ENGINE_URI}/callback"
    EXTERNAL_OIDC_USER_INFO_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/userinfo
    EXTERNAL_OIDC_TOKEN_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/token
    EXTERNAL_OIDC_LOGOUT_END_POINT=https://SSO.example.com/auth/realms/master/protocol/openid-connect/logout
    EXTERNAL_OIDC_CLIENT_ID=ovirt-engine
    EXTERNAL_OIDC_CLIENT_SECRET="<client_SSO_generated_key>"
    EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    EXTERNAL_OIDC_HTTPS_PKI_TRUST_STORE_PASSWORD=""
    EXTERNAL_OIDC_SSL_VERIFY_CHAIN=false
    EXTERNAL_OIDC_SSL_VERIFY_HOST=false
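The files created in steps 3 and 5 to 8 must agree with each other: the client ID and secret appear in both ovirt-openidc.conf and 99-enable-external-auth.conf, the claim that Apache exports as OIDC_CLAIM_preferred_username must be the one that openidc-authn.properties and openidc-authz.properties read, and the regex in openidc-http-mapping.properties decides which name the authorization lookup sees. The Python script below is an added example, not part of the product or its documentation. It parses trimmed copies of these files (constructed inline, with the secret placeholders left in to show them being detected), reports mismatches and leftover placeholders as errors, reports the disabled certificate validation (OIDCSSLValidateServer Off, EXTERNAL_OIDC_SSL_VERIFY_CHAIN=false, EXTERNAL_OIDC_SSL_VERIFY_HOST=false) as warnings, and dry-runs the mapping regex on sample principal names. The dry run assumes the mapping extension behaves like Java's Matcher.replaceAll, where a group that did not participate substitutes an empty string, and it translates Java named groups to Python syntax; that translation is mine, not the extension's code.

```python
import re

# Constructed samples: the files from steps 3 and 5 to 8, reduced to the settings
# this check reads. The secret placeholders are left in on purpose.
APACHE_CONF = """
OIDCProviderMetadataURL https://SSO.example.com/auth/realms/master/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID ovirt-engine
OIDCClientSecret <client_SSO_generated_key>
OIDCRemoteUserClaim preferred_username
OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID ovirt-engine
OIDCOAuthClientSecret <client_SSO_generated_key>
"""
AUTHN_PROPS = "config.artifact.arg = OIDC_CLAIM_preferred_username\n"
AUTHZ_PROPS = "config.artifact.name.arg = OIDC_CLAIM_preferred_username\n"
MAPPING_PROPS = r"""
config.mapAuthRecord.regex.mustMatch = false
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
"""
ENGINE_CONF = """
EXTERNAL_OIDC_CLIENT_ID=ovirt-engine
EXTERNAL_OIDC_CLIENT_SECRET="<client_SSO_generated_key>"
EXTERNAL_OIDC_SSL_VERIFY_CHAIN=false
EXTERNAL_OIDC_SSL_VERIFY_HOST=false
"""

def parse_apache(text):
    """'Directive value' lines; container tags such as <LocationMatch> are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            key, _, value = line.partition(" ")
            out[key] = value.strip()
    return out

def parse_kv(text):
    """'key = value' (Java properties) or KEY=value (engine.conf.d), quotes stripped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip().strip('"')
    return out

def apply_mapping(principal, mapping):
    """Dry-run the openidc-http-mapping regex on one principal name.
    Assumes Java replaceAll semantics: a group that did not match adds ''."""
    # properties unescape \\ to \ ; Java's (?<name>...) is Python's (?P<name>...)
    pattern = mapping["config.mapAuthRecord.regex.pattern"].replace("\\\\", "\\")
    pattern = re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)
    match = re.match(pattern, principal)
    if match is None:
        return principal  # mustMatch = false: unmatched names pass through unchanged
    return re.sub(r"\$\{(\w+)\}", lambda ref: match.group(ref.group(1)) or "",
                  mapping["config.mapAuthRecord.regex.replacement"])

def check_sso_config(apache, authn, authz, engine):
    """Cross-check the parsed files; returns (errors, warnings)."""
    errors, warnings = [], []
    for name, kv in (("apache", apache), ("authn", authn), ("authz", authz), ("engine", engine)):
        for key, value in kv.items():
            if re.search(r"<[^>]*>", value):
                errors.append(f"{name}: {key} still holds placeholder {value}")
    if len({apache.get("OIDCClientID"), apache.get("OIDCOAuthClientID"),
            engine.get("EXTERNAL_OIDC_CLIENT_ID")}) != 1:
        errors.append("client ID differs between Apache and engine.conf.d")
    if len({apache.get("OIDCClientSecret"), apache.get("OIDCOAuthClientSecret"),
            engine.get("EXTERNAL_OIDC_CLIENT_SECRET")}) != 1:
        errors.append("client secret differs between Apache and engine.conf.d")
    # Apache exports claims as OIDC_CLAIM_<name>; both engine extensions must read that name
    header = "OIDC_CLAIM_" + apache.get("OIDCRemoteUserClaim", "")
    for name, kv, key in (("authn", authn, "config.artifact.arg"),
                          ("authz", authz, "config.artifact.name.arg")):
        if kv.get(key) != header:
            errors.append(f"{name}: {key}={kv.get(key)} but Apache exports {header}")
    if "off" in (apache.get("OIDCSSLValidateServer", "On").lower(),
                 apache.get("OIDCOAuthSSLValidateServer", "On").lower()):
        warnings.append("Apache: validation of the SSO server certificate is Off")
    if "false" in (engine.get("EXTERNAL_OIDC_SSL_VERIFY_CHAIN"),
                   engine.get("EXTERNAL_OIDC_SSL_VERIFY_HOST")):
        warnings.append("engine: EXTERNAL_OIDC_SSL_VERIFY_CHAIN/HOST=false, chain or host not checked")
    return errors, warnings

def check_files(apache_text=APACHE_CONF, authn_text=AUTHN_PROPS,
                authz_text=AUTHZ_PROPS, engine_text=ENGINE_CONF):
    return check_sso_config(parse_apache(apache_text), parse_kv(authn_text),
                            parse_kv(authz_text), parse_kv(engine_text))

if __name__ == "__main__":
    errors, warnings = check_files()
    for line in ["ERROR " + e for e in errors] + ["WARN  " + w for w in warnings]:
        print(line)
    for name in ("user1@example.com", "user1", "user1\\@corp@example.com"):
        print(f"mapping {name!r} -> {apply_mapping(name, parse_kv(MAPPING_PROPS))!r}")
```

To check a real Manager, read the four files from /etc/httpd/conf.d/, /etc/ovirt-engine/extensions.d/ and /etc/ovirt-engine/engine.conf.d/ with open() and pass their contents to check_files in place of the embedded strings. The two warnings are expected with the configuration as written above; they point at the settings that stop Apache and the engine from validating the SSO server's certificate chain and host name.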

19.5.4. Configuring OVN

If you configured the ovirt-ovn-provider in the Manager, you need to configure the OVN provider credentials.

  1. Create the file 20-setup-ovirt-provider-ovn.conf in /etc/ovirt-provider-ovn/conf.d/ with the following contents, where user1 belongs to the LDAP group ovirt-administrator, and openidchttp is the profile configured for aaa-ldap-misc.

    [OVIRT]
    ovirt-admin-user-name=user1@openidchttp
  2. Restart the ovirt-provider-ovn:

    # systemctl restart ovirt-provider-ovn
  3. Log in to the Administration Portal, navigate to Administration > Providers, select ovirt-provider-ovn, and click Edit to update the password for the OVN provider.