
Chapter 7. Single Sign On and User Authentication

Red Hat OpenShift Container Platform 3.6 supports several authentication and identity providers, covered in Configuring Authentication and User Agent. Using the OpenID identity provider, Red Hat Single Sign-On can serve as the identity and authentication backend for Red Hat OpenShift Container Platform.

7.1. Why Red Hat Single Sign-On

Features

  • Single-Sign On and Single-Sign Out for browser applications.
  • OpenID Connect support.
  • OAuth 2.0 support.
  • SAML support.
  • Identity Brokering - Authenticate with external OpenID Connect or SAML Identity Providers.
  • Social Login - Enable login with Google, GitHub, Facebook, Twitter, and other social networks.
  • User Federation - Sync users from LDAP and Active Directory servers.
  • Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server.
  • Admin Console for central management of users, roles, role mappings, clients and configuration.
  • Account Management console that allows users to centrally manage their account.
  • Theme support - Customize all user facing pages to integrate with your applications and branding.
  • Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.
  • Login flows - optional user self-registration, recover password, verify email, require password update, etc.
  • Session management - Admins and users themselves can view and manage user sessions.
  • Token mappers - Map user attributes, roles, etc. how you want into tokens and statements.
  • Not-before revocation policies per realm, application and user.
  • CORS support - Client adapters have built-in support for CORS.
  • Client adapters for JavaScript applications, JBoss EAP, Fuse, etc.
  • Supports any platform/language that has an OpenID Connect Resource Provider library or SAML 2.0 Service Provider library.

This wealth of features makes Red Hat Single Sign-On an ideal identity and authentication provider, as it combines the ability to authenticate developers with the ability to authenticate and control applications running on Red Hat OpenShift Container Platform.

7.2. Implementation Details

The bastion.sh script (or allinone.sh for a single node deployment) creates an Ansible playbook, setup-sso.yaml, which is executed automatically after the deployment and creates all the required elements in the Red Hat OpenShift Container Platform cluster:

setup-sso.yml steps

  • Create the SSO project
  • Set up certificates and keys
  • Create the parameter file for the SSO template
  • Create the SSO pod and the PostgreSQL pod
  • Wait for the pods to become ready
  • Create the admin user provided to the script
  • Create an access token
  • Using the access token, create a client for Red Hat OpenShift Container Platform
  • Modify the configuration on all master nodes

7.3. Logging Into Red Hat OpenShift Container Platform

The login screen of the Red Hat OpenShift Container Platform web interface now shows a selection screen, allowing the user to choose either htpasswd-based or SSO-based authentication.

[Figure: login choice screen]
Note

The htpasswd identity provider can be removed by editing the master configuration file /etc/origin/master.yml and deleting the following block. Once it is removed, the selection screen disappears automatically, and SSO becomes the only login method.

  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
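Removing that block by hand leaves room for error: if the SSO provider entry is missing or malformed, nobody can log in afterwards. The following shell example is added here and is not part of the reference architecture; it strips the htpasswd provider from a master configuration file only when at least one other identity provider remains. The sample configuration, its file path, the sso provider entry and the clientID are constructed assumptions.

```shell
# Added example (not the reference architecture's own code): remove the htpasswd
# identity provider, refusing if no other provider (e.g. the RH-SSO OpenID one) remains.
remove_htpasswd_provider() {
  src="$1"; dst="$2"
  # count provider kinds; grep -c exits 1 on zero matches, hence || true
  all=$(grep -c 'kind: .*IdentityProvider' "$src" || true)
  htp=$(grep -c 'kind: HTPasswdPasswordIdentityProvider' "$src" || true)
  if [ "$((all - htp))" -lt 1 ]; then
    echo "refusing: htpasswd is the only identity provider in $src" >&2
    return 1
  fi
  # buffer each "  - " list item and drop the buffer if it is the htpasswd one
  awk '
    function flush() { if (buf != "" && !drop) printf "%s", buf; buf = ""; drop = 0 }
    /^  - / { flush(); initem = 1 }
    initem && !/^    / && !/^  - / && !/^[ \t]*$/ { flush(); initem = 0 }
    initem { buf = buf $0 "\n"; if ($0 ~ /HTPasswdPasswordIdentityProvider/) drop = 1; next }
    { print }
    END { flush() }
  ' "$src" > "$dst"
}
# constructed sample master config (paths and names assumed, modelled on the block above)
write_sample_config() {
  cat > "$1" <<'EOF'
oauthConfig:
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
  - challenge: false
    login: true
    name: sso
    provider:
      apiVersion: v1
      kind: OpenIDIdentityProvider
      clientID: openshift
  masterCA: ca.crt
EOF
}
# demo: write the sample, strip htpasswd, show the result
demo() {
  d=$(mktemp -d)
  write_sample_config "$d/master.yml"
  remove_htpasswd_provider "$d/master.yml" "$d/master.new.yml" && cat "$d/master.new.yml"
}
```

Run demo to see the rewritten file; on a real master, back up the configuration and restart the master services after replacing it.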

When the user selects SSO as the authentication method, the browser is redirected to the SSO login page. That login screen is served by the SSO pod running in the Red Hat OpenShift Container Platform cluster.

[Figure: SSO login screen]

During deployment a user is created in both the htpasswd and the SSO configuration to allow administration of the cluster. Both accounts use the username and password that were supplied to the ARM template. In addition, an admin user is created in SSO using the same password supplied during the execution of the reference architecture.

7.4. Administration of Red Hat Single Sign-On

After completion of the reference architecture, a route is created in the SSO project that contains the URL for the web interface of the Red Hat Single Sign-On pod.

[Figure: SSO pods and route]

In this example, the URL is https://login.13.76.83.116.nip.io. The URL for the Red Hat Single Sign-On web interface is derived from the public IP of the load balancer, which is created automatically during the execution of the reference architecture. Opening the route URL shows the login screen of the Red Hat Single Sign-On application; the user name is "admin" and the password is the one supplied as the adminPassword parameter.

After logging into the SSO application, the administrator web interface is shown:

[Figure: Red Hat Single Sign-On administration console]

The full documentation of SSO can be found in the Red Hat SSO 7.1 Server Administration Guide.