13.8. Integrating Satellite with Red Hat Single Sign-On for External Authentication

You can configure Satellite to use Red Hat Single Sign-On as an OpenID provider for external authentication with CAC cards. You can only use CAC cards; other authentication methods are not supported.

Prerequisites

  • A working installation of Red Hat Single Sign-On server that uses HTTPS instead of HTTP.
  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.

Procedure

  1. Install the following packages:

    # satellite-maintain packages install mod_auth_openidc keycloak-httpd-client-install
  2. On Satellite Server, install the Red Hat Single Sign-On httpd client:

    # keycloak-httpd-client-install --app-name foreman-openidc \
    --keycloak-server-url "RHSSO.example.com" \
    --keycloak-admin-username "RHSSO_User" \
    --keycloak-realm "RHSSO_Realm" \
    --keycloak-admin-realm master \
    --keycloak-auth-role root-admin -t openidc -l /users/extlogin --force

    The above command registers a client for Satellite in Red Hat Single Sign-On.

  3. Enable Red Hat Single Sign-On using satellite-installer:

    # satellite-installer --foreman-keycloak true \
    --foreman-keycloak-app-name  "foreman-openidc" \
    --foreman-keycloak-realm "RHSSO_Realm"
  4. Restart the httpd service:

    # systemctl restart httpd
  5. In the Red Hat Single Sign-On web UI, navigate to Clients and click the Satellite client.
  6. Ensure that the Access type setting is set to Confidential.
  7. If you use Red Hat Single Sign-On version 7.3 or later, complete the following steps:

    1. Navigate to the Red Hat Single Sign-On web UI, click Clients and click the client registered with Satellite.
    2. Locate the Valid redirect URI field that contains one redirect URI by default. Add a Valid redirect URI in the following form: https://satellite.example.com/users/extlogin.
    3. Click Save.
    4. Click the Mappers tab and click Create. Set the following values for the audience mapper:

      • From the Mapper Type list, select Audience.
      • From the Included Client Audience list, select the client that you use with Satellite.

        For more information about audience support, see Audience Support in the Red Hat Single Sign-On Server Administration Guide.

    5. Click Save.
    6. Click the Mappers tab and click Create to add a group mapper so that you can specify authorization in Satellite based on group membership. Set the following values for the group mapper:

      • From the Mapper Type list, select Group Membership.
      • In Token Claim Name, enter groups.
      • Set the Full group path toggle to OFF.

        For more information about group mappers, see Group Mapper in the LDAP Mappers section of the Red Hat Single Sign-On Server Administration Guide.

    7. Click Save.
    8. Navigate to Groups, and click New.

      • Enter a Name for the group.
      • Click Save.
    9. Navigate to Users and click Add user.

      • Enter the Username, Email, and other user details. Set the User Enabled toggle to ON.
      • Click Save. The user is now created.
      • Click the Credentials tab and reset the user password under Manage Password: Enter New Password and confirm the password, set the Temporary toggle to OFF, and click Reset Password.
      • Click the Groups tab. Select the group you want to join from the Available Groups list, and click Join. The user is now part of the selected group.
  8. In the Satellite web UI, navigate to Administer > User Groups.
  9. Click Create User Group, and enter a Name for the user group.
  10. Click the Roles tab, and assign appropriate roles to the user group.
  11. Click the External Groups tab, then click Add external user group.
  12. Enter the group name created in the Red Hat Single Sign-On web UI.
  13. Click Submit.
  14. Navigate to Administer > Settings, and click the Authentication tab.
  15. Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
  16. Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
  17. Locate the Login delegation logout URL row, and in the Value column, set the value to https://satellite.example.com/users/extlogout.

    For the following steps, you can retrieve the values that you require by navigating to the following URL: RHSSO.example.com/auth/realms/RHSSO_Realm/.well-known/openid-configuration.

  18. Locate the OIDC Algorithm row, and in the Value column, set the algorithm that Red Hat Single Sign-On uses to sign tokens, for example, RS256.
  19. Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Red Hat Single Sign-On: ['satellite.example.com-foreman-openidc'].
  20. Locate the OIDC Issuer row, and in the Value column, set the value to RHSSO.example.com/auth/realms/RHSSO_Realm.
  21. Locate the OIDC JWKs URL row, and in the Value column, set the value to RHSSO.example.com/auth/realms/RHSSO_Realm/protocol/openid-connect/certs.
  22. To set the organization and location for the authentication source, complete the following steps:

    1. Navigate to Administer > Authentication sources.
    2. Click the options menu next to External, and click Edit.
    3. Click the Locations tab and select locations from the All items list.
    4. Click the Organizations tab and select organizations from the All items list.
    5. Click Submit.

You can now authenticate using the https://satellite.example.com/users/extlogin login URL.
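The OIDC Issuer, OIDC JWKs URL, OIDC Algorithm and OIDC Audience values all come from the realm's discovery document, so they can be derived from it rather than transcribed by hand. The following Python is an added example and is not Red Hat's or Satellite's code: the discovery document (DISCOVERY_JSON, REALM_BASE) is constructed to look like what /.well-known/openid-configuration returns, the function names are the example's own, and the sanity checks (HTTPS everywhere, the JWKS served by the issuer host, RS256 actually offered by the realm) are the example's additions. It takes the issuer and JWKS URL exactly as the discovery document reports them and also builds the audience array for more than one registered client.

```python
"""Derive the Satellite OIDC settings from the Red Hat Single Sign-On discovery
document instead of transcribing them by hand. Added example, not Red Hat's or
Satellite's code; the discovery document below is constructed to look like what
/.well-known/openid-configuration returns (the keys are standard OIDC ones)."""
import json
from urllib.parse import urlparse

# Constructed realm base URL (assumption: matches the realm used in the procedure)
REALM_BASE = "https://RHSSO.example.com/auth/realms/RHSSO_Realm"

# Constructed sample discovery document
DISCOVERY_JSON = json.dumps({
    "issuer": REALM_BASE,
    "authorization_endpoint": REALM_BASE + "/protocol/openid-connect/auth",
    "token_endpoint": REALM_BASE + "/protocol/openid-connect/token",
    "jwks_uri": REALM_BASE + "/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
})


def audience_array(client_ids):
    """Format the oidc_audience value; every registered client must be listed,
    otherwise tokens issued for that client are rejected as wrongly addressed."""
    if not client_ids:
        raise ValueError("at least one client ID is required")
    return "[" + ", ".join("'%s'" % c for c in client_ids) + "]"


def derive_settings(discovery_json, client_ids, algorithm="RS256"):
    """Return {setting name: value} for hammer settings set, after sanity checks."""
    doc = json.loads(discovery_json)
    issuer, jwks = doc["issuer"], doc["jwks_uri"]
    # The prerequisites require HTTPS; a plain-HTTP issuer or JWKS URL is rejected
    for name, url in (("issuer", issuer), ("jwks_uri", jwks)):
        if urlparse(url).scheme != "https":
            raise ValueError("%s must use HTTPS: %s" % (name, url))
    # Signing keys must come from the issuer host itself, not a third party
    if urlparse(jwks).netloc != urlparse(issuer).netloc:
        raise ValueError("jwks_uri is not served by the issuer host")
    # oidc_algorithm must be one the realm actually signs ID tokens with
    if algorithm not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("issuer does not sign ID tokens with %s" % algorithm)
    return {
        "oidc_issuer": issuer,
        "oidc_jwks_url": jwks,
        "oidc_algorithm": algorithm,
        "oidc_audience": audience_array(client_ids),
    }


def login_endpoints(discovery_json):
    """Endpoints for the --oidc-token-endpoint and --oidc-authorization-endpoint
    options of hammer auth login oauth."""
    doc = json.loads(discovery_json)
    return {"token_endpoint": doc["token_endpoint"],
            "authorization_endpoint": doc["authorization_endpoint"]}


def hammer_commands(settings):
    """Render one hammer settings set command per setting (values contain only
    single quotes, so double-quoting them is safe for the shell)."""
    return ['hammer settings set --name %s --value "%s"' % (k, v)
            for k, v in settings.items()]


if __name__ == "__main__":
    clients = ["satellite.example.com-foreman-openidc",
               "satellite.example.com-hammer-openidc"]
    for cmd in hammer_commands(derive_settings(DISCOVERY_JSON, clients)):
        print(cmd)
    print(login_endpoints(DISCOVERY_JSON))
```

Run it against a saved copy of the real discovery document (json.dumps of what the URL returns) to get the four hammer settings set commands; derive_settings refuses to produce them when the issuer is plain HTTP or the realm does not offer the chosen signing algorithm.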

For CLI Users

  1. Install the following packages:

    # satellite-maintain packages install keycloak-httpd-client-install
  2. On Satellite Server, install the Red Hat Single Sign-On httpd client:

    # keycloak-httpd-client-install --app-name hammer-openidc \
    --keycloak-server-url "RHSSO.example.com" \
    --keycloak-admin-username "RHSSO_User" \
    --keycloak-realm "RHSSO_Realm" \
    --keycloak-admin-realm master \
    --keycloak-auth-role root-admin -t openidc -l /users/extlogin --force

    This command creates a client for Satellite in Red Hat Single Sign-On.

  3. Enable Red Hat Single Sign-On using satellite-installer:

    # satellite-installer --foreman-keycloak true \
    --foreman-keycloak-app-name  "hammer-openidc" \
    --foreman-keycloak-realm "RHSSO_Realm"
  4. Restart the httpd service:

    # systemctl restart httpd
  5. In the Red Hat Single Sign-On web UI, navigate to Clients and click the Satellite client.
  6. Set the Access type setting to Public.
  7. In the Valid redirect URI field, enter urn:ietf:wg:oauth:2.0:oob.
  8. If you use Red Hat Single Sign-On version 7.3 or later, complete the following steps:

    1. Navigate to the Red Hat Single Sign-On web UI, click Clients and click the client registered with Satellite.
    2. Locate the Valid redirect URI field that contains one redirect URI by default. Add a Valid redirect URI in the following form: https://satellite.example.com/users/extlogin.
    3. Click Save.
    4. Click the Mappers tab and click Create. Set the following values for the audience mapper:

      • From the Mapper Type list, select Audience.
      • From the Included Client Audience list, select the client that you use with Satellite.

        For more information about audience support, see Audience Support in the Red Hat Single Sign-On Server Administration Guide.

    5. Click Save.
    6. Click the Mappers tab and click Create to add a group mapper so that you can specify authorization in Satellite based on group membership. Set the following values for the group mapper:

      • From the Mapper Type list, select Group Membership.
      • In Token Claim Name, enter groups.
      • Set the Full group path toggle to OFF.

        For more information about group mappers, see Group Mapper in the LDAP Mappers section of the Red Hat Single Sign-On Server Administration Guide.

    7. Click Save.
  9. On Satellite, set the login delegation to true so that users can authenticate using the Open IDC protocol:

    # hammer settings set --name authorize_login_delegation --value true
  10. Set the login authorization to an external source:

    # hammer settings set --name authorize_login_delegation_auth_source_user_autocreate --value External
  11. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://satellite.example.com/users/extlogout
  12. Set the algorithm that Red Hat Single Sign-On uses to sign tokens, for example, RS256:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  13. Open the RHSSO.example.com/auth/realms/RHSSO_Realm/.well-known/openid-configuration URL and note the values to populate the options in the following steps.
  14. Add the value for the Hammer client in the Open IDC audience:

    # hammer settings set --name oidc_audience \
    --value "['satellite.example.com-hammer-openidc']"
    Note

    If you register several Red Hat Single Sign-On clients to Satellite, ensure that you append all audiences in the array. For example:

    # hammer settings set --name oidc_audience \
    --value "['satellite.example.com-foreman-openidc', 'satellite.example.com-hammer-openidc']"
  15. Set the value for the Open IDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "RHSSO.example.com/auth/realms/RHSSO_Realm"
  16. Set the Open IDC JSON Web Key Set (JWKS) URL, from which the signing keys for the tokens are fetched:

    # hammer settings set --name oidc_jwks_url \
    --value "RHSSO.example.com/auth/realms/RHSSO_Realm/protocol/openid-connect/certs"
  17. To set the organization and location of the authentication source, complete the following steps:

    1. Retrieve the ID of the Red Hat Single Sign-On authentication source:

      # hammer auth-source external list
    2. Set the location and organization:

      # hammer auth-source external update --id Authentication_Source_ID \
      --location-ids Location_ID --organization-ids Organization_ID
  18. To authenticate using two-factor authentication, enter the following command:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://RHSSO.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://RHSSO.example.com/auth' \
    --oidc-client-id 'satellite.example.com-foreman-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    The command prompts you to enter a success code. To retrieve the success code, navigate to the URL that the command returns and provide the required information.
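What the oidc_algorithm, oidc_issuer and oidc_audience settings and the group mapper control at login time, as an added example that is not Satellite's or mod_auth_openidc's code: after the token signature has been verified against oidc_jwks_url (assumed here, not implemented), the header alg and the iss, aud and exp claims are checked against the configured values, and the groups claim is mapped to Satellite user groups through their external group names. The token, the SETTINGS values and the EXTERNAL_GROUPS mapping are constructed; the function names are the example's own. The aud claim may be a single string or an array, which is why the note above insists that every registered client appears in the oidc_audience array.

```python
"""Claim checks that the Satellite OIDC settings drive, applied to an ID token.
Added example, not Satellite's or mod_auth_openidc's code. Signature
verification against oidc_jwks_url is assumed to have succeeded before these
checks run; it is not implemented here."""
import base64
import json
import time

# Constructed values mirroring the hammer settings set commands in the procedure
SETTINGS = {
    "oidc_issuer": "https://RHSSO.example.com/auth/realms/RHSSO_Realm",
    "oidc_algorithm": "RS256",
    "oidc_audience": ["satellite.example.com-foreman-openidc",
                      "satellite.example.com-hammer-openidc"],
}

# Constructed mapping: Red Hat Single Sign-On group name -> Satellite user group
# (the External Groups tab of each Satellite user group)
EXTERNAL_GROUPS = {"sat-admins": "Satellite Administrators",
                   "sat-viewers": "Satellite Viewers"}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload, alg="RS256"):
    """Build a constructed JWT with a placeholder (not valid) signature,
    enough to exercise the claim checks below."""
    header = {"alg": alg, "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def check_claims(token, settings, now=None):
    """Validate the header alg and the iss, aud and exp claims against the
    settings; return the decoded payload or raise ValueError."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    # Pin the algorithm to oidc_algorithm: alg "none" or a swapped alg is rejected
    if header.get("alg") != settings["oidc_algorithm"]:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # iss is an exact string comparison against oidc_issuer
    if payload.get("iss") != settings["oidc_issuer"]:
        raise ValueError("issuer mismatch")
    # aud may be a string or an array; at least one registered client must be present
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(settings["oidc_audience"]):
        raise ValueError("token is not addressed to a registered Satellite client")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return payload


def satellite_user_groups(payload, external_groups):
    """Map the groups claim to Satellite user groups. With Full group path OFF
    the claim carries bare names ("sat-admins"); a top-level group with the
    toggle ON would appear as "/sat-admins", so a leading slash is tolerated."""
    groups = payload.get("groups", [])
    if isinstance(groups, str):
        groups = [groups]
    names = [g.lstrip("/") for g in groups if isinstance(g, str)]
    return sorted({external_groups[n] for n in names if n in external_groups})


if __name__ == "__main__":
    token = make_token({"iss": SETTINGS["oidc_issuer"],
                        "aud": "satellite.example.com-hammer-openidc",
                        "exp": int(time.time()) + 300,
                        "groups": ["sat-admins"]})
    print(satellite_user_groups(check_claims(token, SETTINGS), EXTERNAL_GROUPS))
```

A token whose aud names only a client missing from oidc_audience fails the audience check even though it was issued by the right realm, which is the situation the note about appending all audiences describes; a user whose groups match no external group name authenticates but lands in no Satellite user group and therefore holds no roles.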