First steps using Redhat Single Sign On (RH-SSO 7.1)

1) Overview

This article describes how to set up and bring up an IAM (Identity and Access Management) evaluation project using RH-SSO 7.1 (Redhat Single Sign On).

The main points tested are:

  • Installation of IDM solution (RH_SSO)
  • Test of ldap connection
  • Oauth2/OIDC
  • SAML

This article describes all the steps required to perform such an evaluation.

The evaluation has been performed on a RH 7.4 machine hosted on VirtualBox.

Part I – RH-SSO infrastructure installation
2) Install Redhat 7.4 on VirtualBox

This section describes how to create and install a RedHat 7.4 Server on a VirtualBox machine.

2.1) Download RedHat DVD 7.4
It is possible to download an evaluation image of RH 7.4.

Note: you should not pick the plain iso, but the DVD iso image, which is about 4G in size (to be downloaded).

2.2) VirtualBox Installation

Download and install VirtualBox on your machine.

2.3) Linux 64 Bits Redhat machine creation

Once you have installed VirtualBox, select:

Other parameters

  • Memory size: pick at least 2G (4G if you can)
    Note: the memory size can easily be readjusted later, as needed
  • Virtual disk creation
    This parameter is critical and not easily adjustable afterwards. Therefore, it is advisable to choose a good size when creating it.
    The recommendations are:

    • 20G (at least, and more if you can)
    • Specify an appropriate disk location (you should have created beforehand the directory where you want to store all VDI archives)
  • Disk type: VDI
    Disk size: Dynamically allocated

and click « create ».

This creates a 64-bit Linux machine in the powered-off state.

If you were to start the RH Linux machine now, it would fail with a « Fatal Error » message, as there is no disk image to boot from.

2.4) Add CDROM Reader to the Machine

2.5) Adding Network

2.6) Installing RH7.4 On the VirtualBoxMachine

The machine is ready to boot from the RH 7.4 DVD.
You just need to start the machine; it will boot the RH 7.4 installer.

During installation, it will ask you for:

  • Root password
  • user and password to be created
  • keyboard
  • date
  • disk location

At the end of the installation, you obtain a usable RH 7.4 server.

2.7) Making the optical disk cdrom accessible locally

Making the CDROM locally accessible allows you to install packages from the DVD locally.

Logged in as root, you need to create a cdrom mount point:

Note: you should add this entry to /etc/fstab so that it persists across reboots and you do not have to retype it each time.

The way to configure it is described in an article from Redhat:
Need to set up yum repository for locally-mounted DVD on Red Hat Enterprise Linux 7

You also need to update the VirtualBox boot order so that the CDROM is no longer first in the list.

You can now reboot your system.

Once rebooted, the packages are accessible at:
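The procedure above (mount point, fstab entry, local yum repository) as one runnable script. This is an added example, not the article's own commands nor the Redhat article's: the device name /dev/sr0, the mount point /mnt/cdrom and the repository id rhel-dvd are assumptions to adjust for your machine. The functions take a root directory as argument so you can dry-run them in a scratch directory before writing to /etc; gpgcheck stays on, so packages from the DVD are still signature-verified against the Red Hat release key.

```shell
#!/bin/sh
# Added example (not from the original article): generate the /etc/fstab entry
# and the yum repository file that turn the mounted RHEL 7.4 DVD into a local
# package source. Device, mount point and repo id are assumptions.

DVD_DEVICE=/dev/sr0      # assumed optical device name in the VirtualBox VM
MOUNT_POINT=/mnt/cdrom   # assumed mount point
REPO_ID=rhel-dvd         # assumed repository id

# fstab line: read-only ISO9660 mount; "nofail" keeps the VM booting
# normally when the DVD is detached from the virtual drive.
fstab_entry() {
    printf '%s %s iso9660 ro,nofail 0 0\n' "$DVD_DEVICE" "$MOUNT_POINT"
}

# Repository definition. gpgcheck=1 with the Red Hat release key keeps
# package signature verification on even though the source is a local file.
repo_file() {
    cat <<EOF
[$REPO_ID]
name=RHEL 7.4 DVD (local)
baseurl=file://$MOUNT_POINT
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Write both files under the directory given as $1 (use / for the real
# system). The fstab line is appended only if the mount point is not
# already listed, so the function is safe to re-run.
install_dvd_repo() {
    root=${1:-/}
    mkdir -p "$root/etc/yum.repos.d" "$root$MOUNT_POINT"
    if ! grep -q " $MOUNT_POINT " "$root/etc/fstab" 2>/dev/null; then
        fstab_entry >> "$root/etc/fstab"
    fi
    repo_file > "$root/etc/yum.repos.d/$REPO_ID.repo"
}

# Usage: sh dvd-repo.sh /            (as root, real system)
#        sh dvd-repo.sh /tmp/dryrun  (inspect the generated files first)
# Afterwards: mount "$MOUNT_POINT" && yum repolist
if [ $# -gt 0 ]; then
    install_dvd_repo "$1"
fi
```

Run it once against a scratch directory, read the generated fstab line and .repo file, then run it against / as root and follow with `mount /mnt/cdrom` and `yum repolist` to confirm the DVD shows up as an enabled, GPG-checked repository.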

2.8) GUI Installation

It is possible to install the graphical packages:

Logged in as root, execute the command:

Further information is also available at
How to install a graphical user interface (GUI) for Red Hat Enterprise Linux

3) Installing RH-SSO 7.1

In this section you install RH-SSO, which can be obtained as an rpm package or a zip file.

Go to URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
and select RedHat Single Sign On 7.1

You need to download the following for the evaluation:

We use the zip distribution during our evaluation.

  • Once started, RH-SSO is reachable at http://localhost:8080/auth
  • On first access, you will be asked to create an admin username and password

More detailed information can be found at:

RH-SSO 7.1 Getting Started Guide
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/getting_started_guide/

4) Installing JBoss EAP and adapters
4.1) Jboss EAP 7 install

Most of the applications and use cases to be tested also require the installation of JBoss Enterprise Application Platform 7 (EAP 7):

Red Hat JBoss Enterprise Application Platform 7.0.0

4.2) Adding Jboss adapters

These adapters are needed to connect applications to RH-SSO (OIDC) and to perform SAML.

Pick both adapters that you downloaded previously; they are available as zip files.

Red Hat Single Sign-On 7.1.0 Client Adapter for JBoss EAP 7
Red Hat Single Sign-On 7.1.0 SAML Adapter for JBoss EAP 7

Go to the JBoss EAP directory and unzip each adapter.

4.2.1) EAP adapter

Unzip RH-SSO-7.1.0-eap7-adapter.zip into the root directory of your JBoss EAP 7 distribution.

reference:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/getting_started_guide/securing_a_jboss_servlet_application

4.2.2) SAML adapter

Extract RH-SSO-7.1.0.GA-saml-eap7-adapter.zip into EAP_HOME.

Reference:
https://github.com/redhat-developer/redhat-sso-quickstarts#jboss-eap

5) Installing  RH-SSO Examples

The RH-SSO examples can be obtained from the keycloak examples git repository.

For RH-SSO stability, you should pick the 2.5.x branch of keycloak:

https://github.com/keycloak/keycloak/tree/2.5.x

The following requirements must be in place:

  • Java (8)
  • Maven (>=3.11)
  • git

You need to clone the workspace and then compile it.
The following commands build version 2.5.x.

To build Keycloak and its modules run:

Part II  – RH-SSO Examples testing

Now that the infrastructure is ready, the following is going to be tested:

  • Test of RH-SSO ldap connection
  • Oauth2/OIDC
  • SAML
6) RH-SSO  –  LDAP  Example
6.1) Deploying an Ldap Server

The keycloak demo example comes with a bundled Apache Directory Server, available at

The way to run it is:

This command spawns an embedded Apache Directory Server on LDAP port 10389, with bind DN uid=admin,ou=system and password secret.

This LDAP instance contains 2 users. It is possible to browse the LDAP DIT using an LDAP browser such as Apache Directory Studio or JXplorer, or even with ldapsearch commands.

6.2) Integrating RH-SSO with Ldap Server

Connect to the RH-SSO admin console at URL http://localhost:8080/auth

  • Create a new realm called ldap_realm, using the « Add Realm » button
  • Within ldap_realm, select User Federation and add an ldap provider

The main parameters to be entered for the ldap_realm user federation provider are:

Once you have entered those parameters, you need to click « Save ».
You can then synchronize all the users by clicking on the button « Synchronize all users ».

6.3) LDAP User Authenticating within RH-SSO User Portal

Connect to the following URL (with the name of the realm you created in 6.2):
http://localhost:8080/auth/realms/keyclock_ldap/account

You should obtain the LDAP realm authentication portal.

You can log in with user bwilson/password, for example, to test the authentication.

This step validates that you are authenticated against LDAP through RH-SSO.

6.4) Pointers

It is also possible to refer to the following pointers:

7) RH-SSO – Oauth2 Example
7.1) customer and product apps

Oauth2 examples can be found at URL

https://github.com/keycloak/keycloak/tree/2.5.x/examples/demo-template

This example is based on a customer app, a product app, and a database app.

The customer app authenticates against RH-SSO using the OAuth2 authorization code flow, and displays the list of customers.

The product app authenticates against the database app using the signed JWT client authentication mechanism.

These apps are Java applications and have to be run on JBoss Enterprise Application Platform 7.

7.2) Configuration
7.2.1) description

Most of the configuration explanations can be found in:

7.2.2) avoiding port collision

Currently both servers (the RH-SSO server and the JBoss EAP server) are configured and installed on the same machine. One of them has to have its port binding offset (by default 8080), otherwise there would be a port collision.

So we pick to have:

  • JBoss EAP 7: port 8080
  • RH-SSO: port 8180

As a consequence, any reference from the JBoss applications to the RH-SSO server has to be remapped from 8080 to 8180.

standalone.xml update

The following is what has to be added/updated in the file
EAP_HOME/standalone/configuration/standalone.xml

7.2.3) Specificity of standalone.xml (part added)

It has to be noted that:

  • The authentication URL points to the RH-SSO server

  • customer-portal uses the OAuth2 authorization code flow and is a confidential client, hence it requires a client secret. The client secret provided by the customer portal has to be the one expected by RH-SSO, otherwise authentication will fail.

7.2.4) apps war deployment

Make sure that the 3 applications (customer-portal.war, product-portal.war and database.war) have been deployed to

EAP_HOME/standalone/deployment

If this is not the case, the application will fail with error 404 when you try to access it.

7.2.5)  Starting Jboss EAP and RH-SSO

Launch JBoss EAP on port 8080

Launch RH-SSO on port 8180

7.2.6) Deployment
  • Create a new realm demo
  • Make sure your 3 apps have been deployed
    (this can be observed in the JBoss EAP server log)
  • Create most of the demo infrastructure by running the command

7.3) Test

Go to URL
http://localhost:8080/customer-portal/customers/view.jsp

You should be redirected to the RedHat demo login screen, with a URL such as

You should then be able to log in successfully using the credentials bburke@redhat.com/password and view the list of customers.

8) SAML Authentication

The keycloak examples also provide SAML examples.

RH-SSO acts as the identity provider, whereas the SAML examples act as service providers.

8.1) Bringing up the SAML infrastructure

Go to the RH-SSO admin console, select « add realm », and upload the file testsaml.json from the examples/saml directory.

8.2) Deploying a SAML Example

The example used is saml/post-with-signature.

Some of the metadata within the file examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml needs to be updated in 3 places with the RH-SSO port in use (8180), otherwise it will fail.

Once this change has been done, the application has to be recompiled, and the saml/post-with-signature war deployed into JBoss EAP.
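The port remapping described in 7.2.2 (auth-server-url in standalone.xml) and here in 8.2 (the IDP URLs in keycloak-saml.xml) is easy to get partly wrong by hand, so here is an added check-and-fix script. It is not the article's nor the keycloak project's code: the two XML fragments it writes are constructed, simplified stand-ins for EAP_HOME/standalone/configuration/standalone.xml and for the example's keycloak-saml.xml, the realm name saml-demo and the secret placeholder are assumptions, and RH-SSO is assumed to be started with bin/standalone.sh -Djboss.socket.binding.port-offset=100 so that it listens on 8180. Only URLs containing /auth are touched, so the SP's own entityID on the EAP port 8080 is left alone, and the script confirms afterwards that SAML response signature validation is still enabled.

```shell
#!/bin/sh
# Added example (not from the original article or the keycloak examples):
# find RH-SSO endpoint references in the EAP-side adapter configuration that
# still point at port 8080 and remap them to 8180. Sample fragments below are
# constructed; realm name "saml-demo" and the secret placeholder are assumed.

SSO_OLD=8080   # port the examples ship with
SSO_NEW=8180   # port RH-SSO listens on with a port offset of 100

# Write the two constructed sample fragments into directory $1.
make_samples() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/standalone.xml" <<'EOF'
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="customer-portal.war">
        <realm>demo</realm>
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>customer-portal</resource>
        <credential name="secret">REPLACE_WITH_CLIENT_SECRET_FROM_ADMIN_CONSOLE</credential>
    </secure-deployment>
</subsystem>
EOF
    cat > "$dir/keycloak-saml.xml" <<'EOF'
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="http://localhost:8080/sales-post-sig/" sslPolicy="EXTERNAL">
    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256">
      <SingleSignOnService signRequest="true" validateResponseSignature="true"
          requestBinding="POST"
          bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
      <SingleLogoutService validateRequestSignature="true" validateResponseSignature="true"
          signRequest="true" signResponse="true"
          requestBinding="POST" responseBinding="POST"
          postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
          redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
    </IDP>
  </SP>
</keycloak-saml-adapter>
EOF
}

# Count lines in file $1 that reference the RH-SSO server on port $2.
# Matching "/auth" keeps the SP entityID (same host, EAP port) untouched.
count_sso_refs() {
    grep -c "localhost:$2/auth" "$1" || true
}

# Rewrite RH-SSO URLs in file $1 from port $2 to port $3, then print how
# many references remain on the old port (expected: 0).
remap_sso_port() {
    sed "s#localhost:$2/auth#localhost:$3/auth#g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    count_sso_refs "$1" "$2"
}

# Remap both sample files and verify that response signature validation
# was not lost along the way (a tempting "fix" when SAML fails).
fix_samples() {
    for f in "$1/standalone.xml" "$1/keycloak-saml.xml"; do
        remap_sso_port "$f" "$SSO_OLD" "$SSO_NEW" >/dev/null
    done
    grep -q 'validateResponseSignature="true"' "$1/keycloak-saml.xml"
}

# Usage on real files: sh remap-sso-port.sh standalone.xml keycloak-saml.xml
# Prints the number of stale 8080 references left in each file.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s stale reference(s)\n' "$f" "$(remap_sso_port "$f" "$SSO_OLD" "$SSO_NEW")"
    done
fi
```

Two things worth keeping in mind when applying this to the real files: the credential value in standalone.xml must be the secret shown for the customer-portal client in the RH-SSO admin console (anything else produces the authentication failure described in 7.2.3), and standalone.xml then contains that secret in clear text, so restrict its file permissions to the user running EAP.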

8.3) Test

The user opens the URL http://localhost:8080/sales-post-sig and is redirected to the SAML demo login screen.

The user has to enter bburke@redhat.com/password as credentials and is then redirected to the expected sales post screen.

More to come soon, stay tuned !


Olivier Rivat

Senior Software Engineer with over 25 years of experience doing Software Development, Support and Consulting in Identity and Access Management Solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, settled in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governments with a concern for Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.