This article describes how it is possible to start and bring up a IAM project (Identity and Access Management) using RH-SSO 7.1 (Redhat Single Sign On).
The main points tested which are:
- Installation of IDM solution (RH_SSO)
- Test of ldap connection
This article describes all the required steps which have been relevant to perform such an evalution.
The evaluation has been performed on RH 7.4 machine hosted on virtualbox.
Part I – RH-SSO infrastructure installation
2) Install Redhat 7.4 on VirtualBox
This section describes how it is possible to create and install a RedHat 7.4 Server on a virtualBox machine.
2.1) Download RedHat DVD 7.4
It is possible to download an evaluation image version of the RH 7.4
Note: You should not pick the iso, but the DVD iso image which size is about 4G (to be downloaded)
2.2) VirtualBox Installation
Download and install VirtualBox on your machine.
2.3) Linux 64 Bits Redhat machine creation
Once you have installed Virtualbox, select :
"Machine" -> New type: Linux Version: RedHat 64 Bits
- Memory size: pick at least 2G (4G if you can)
Note: The memory size parameter can easily be readjusted as needed, later
- VirtualDisk Creation
This parameter is critical and non easily adjustable. Therefore, it is advisable to have a good size once created.
The recommandations are:
- 20G (at least, and more if you can)
- Specify an appropriate disk location (you should have created a directory earliar where you want to store all VDI archives)
- Disk type: VDI
Disk Size: Dynamically allocated
and click « create »
This will create you a Linux 64 bit machine in the shutdown state
If you were to start the RH Linux Machine, It would fail with « Fatal Error Message » as there is no DISK image to boot on.
2.4) Add CDROM Reader to the Machine
Go to Configuration -> Storage Pick the CDROM icon to add a CDROM optical reader Select as CDROM Disk the DVD optical reader.
2.5) Adding Network
Configuration -> Network Select Nat
2.6) Installing RH7.4 On the VirtualBoxMachine
The machine is ready to boot on the RH7.4 DVD.
You just need to fire up the machine.It will boot, RH 7.4,
During installation, it will ask you for:
- Root password
- user and password to be created
- disk location
and the end of the installation, you will obtain a usable RH 7.4 server,available to be used.
2.7) Making the optical disk cdrom accessible locally
Making CDROM locally accessible, will allow you to access locally to the CDROM packages
Being logged as root, you need to create a cdrom mount point
mkdir /media/cdrom mount /dev/sr0 / media/cdrom
Note: You should add this entry to the /etc/vfstab, so it can stay permanent, and you don’t have to retype it each time.
The way to configure is described in an article from Redhat
Need to set up yum repository for locally-mounted DVD on Red Hat Enterprise Linux 7
You also need to update the VirtualBox boot order to make the CDROM no longer the first in the list
goto Machine -> Configuration-> System , and update boot order
You can now reboot your system.
Once rebooted, the packages can be accessible at:
2.8) GUI Installation
It is possible to install graphical packages:
Being logged as root, execute the command:
yum groupinstall gnome-desktop x11 fonts
Further information are also available at
How to install a graphical user interface (GUI) for Red Hat Enterprise Linux
3) Installing RH-SSO 7.1
In this section, you need to install RH-SSO that you can obtain as rpm package or zip file.
Go to URL
and select RedHat Single Sign On 7.1
You need to download the following for the evaluation:
- Red Hat Single Sign-On 7.1.0 Server
- Red Hat Single Sign-On 7.1.0 Client Adapter for JBoss EAP 7
- Red Hat Single Sign-On 7.1.0 SAML Adapter for JBoss EAP 7
we use a zip distribution during our evaluation
mkdir dev unzip rh-sso-7.1.0.zip cd rh-sso-7.1.0 The way to start it is cd bin sh standalone.sh
- RH-SSO is started at https://localhost:8080/auth
- You will be asked to create an admin username and password
More detailed information can be found at:
RH-SSO 7.1 Getting Started Guide
4) Installing JBoss EAP and adapters
4.1) Jboss EAP 7 install
Most of the applications and use cases to be tested will also require the installation of Jboss Enterprise Application Platform 7 (EAP 7)
Red Hat JBoss Enterprise Application Platform 7.0.0
unzip jboss-eap-7.0.0.zip cd jboss-eap-7.0.0
4.2) Adding Jboss adapters
Those adapters are needed to connect RH-SSO and also perform SAML
Pick both adapters that you have download previously, which are available as zip files.
Red Hat Single Sign-On 7.1.0 Client Adapter for JBoss EAP 7
Red Hat Single Sign-On 7.1.0 SAML Adapter for JBoss EAP 7
Go to the JBoss EAP directory and unzip each adapter
4.2.1) EAP adapter
Unzip RH-SSO-7.1.0-eap7-adapter.zip into the root directory of your JBoss EAP 7 distribution.
cd jboss-eap-7.0.0 unzip RH-SSO-7.1.0-eap7-adapter.zip $ cd bin $ ./jboss-cli.sh --file=adapter-install-offline.cli
4.2.2) SAML adaptor
extract RH-SSO-7.1.0.GA-saml-eap7-adapter.zip into EAP HOME
cd jboss-eap-7.0.0 unzip RH-SSO-7.1.0.GA-saml-eap7-adapter.zip cd bin ./jboss-cli.sh -c --file=./adapter-install.cli
5) Installing RH-SSO Examples
RH-SSO can be obtained from keycloack example git.
For RH-SSO stability, you should pick version 2.5.X of keycloack
The following requirement are to have handled:
- Java (8)
- Maven (>=3.11)
You need to clone teh workspace, and compile it after.
Following commands allow you to build version 2.5.x
git clone https://github.com/keycloak/keycloak.git cd keycloakgit checkout 2.5.x
To build Keycloak and modules run:
Part II – RH-SSO Examples testing
As the infrastructure is ready, is going to be tested:
- Test of RH-SSO ldap connection
6) RH-SSO – LDAP Example
6.1) Deploying an Ldap Server
Keycloack demo example comes with a bundled apache server available at
The way to run is:
mvn exec:java -Pldap
This commands spawns an embedded apache directory server at ldap port 10389 with bind DN ou=admin, ou=system and password secret
This ldap instance contains 2 users. It is possible to browse the LDAP DIT using a ldap browser such as ApacheStudio, Jexplorer, or even ldapsearch commands.
6.2) Integrating RH-SSO with Ldap Server
Connect to RH-SSO admin console at URL https://localhost:8080/auth
- Create a new realm called ldap_realm, using the « Add Realm » button
- Within the ldap_realm, select user federation, and add an ldap provider
The main parameters to be entered for the ldap-realm user federation provider are:
Edit Mode: Writable Vendor: Redhat Username LDAP attribute: uid RDN LDAP attribute: uid UUID LDAP attribute: EntryUUID Connection URL: https://localhost:10389 Users DN: ou=people,dc=keycloack,dc=org Authentication Type: simple Bind DN: uid=admin, ou=system Bind Credential: secret
Once you have entered those parameters, you need to click « Save ».
You can thus synchronize all the users clicking on the button « Synchronize all users »
6.3) LDAP User Authenticating within RH-SSO User Portal
Connect to following URL
you shall obtain the LDAP-realm authentication portal
You can connect with user bwilson/password for example to test teh authentication.
This steps validates that you are logged aginst LDAP throughout RH-SSO.
It also possible to refer to following pointers:
7) RH-SSO – Oauth2 Example
7.1) customer and product apps
Oauth2 examples can be found at URL
This example is based on customer-app, and product app, and a database app.
The customer is authenticating against RH-SSO using Authorisation code flow, and display the list of customers
The product app is authenticating against the database using signed JWT authentication mechanism.
Those apps are Java based applications, and require to be run against the Java Enterprise Application Platform 7
Most of the configuration explanations can be found in:
- Make sure that you have installed and deployed RH-SSO-7.1.0-eap7-adapter.zip adapter as mentioned earliar
7.2.2) avoiding port collision
Currently we have both servers (RH-SSO server) and Jboss EAP server configured and installed on teh same machine. One of them has to be offset for its port binding address (by default 8080), otherwise there would be a port collision
So we pick to have:
- JBOSS EAP7: port 8080
- RH-SSO: port 8080
Aqs a consequnce, it means that any reference from JBoss applications to RH-SSO server will have to be remapped from 8080 to 8180.
This is exactly what has to be added/updated in the file
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <secure-deployment name="database.war"> <realm>demo</realm> <resource>database-service</resource> <bearer-only>true</bearer-only> <auth-server-url>https://localhost:8180/auth</auth-server-url> </secure-deployment> <secure-deployment name="customer-portal.war"> <realm>demo</realm> <resource>customer-portal</resource> <auth-server-url>https://localhost:8180/auth</auth-server-url> <credential name="secret">e761dee1-6f0b-4f0f-ba12-8e23e0886c84</credential> </secure-deployment> </secure-deployment> <secure-deployment name="product-portal.war"> <realm>demo</realm> <resource>product-portal</resource> <auth-server-url>https://localhost:8180/auth</auth-server-url> <credential name="jwt"> <client-key-password>keypass</client-key-password> <client-keystore-file>classpath:keystore-client.jks</client-keystore-file> <client-keystore-password>storepass</client-keystore-password> <client-key-alias>clientkey</client-key-alias> <token-expiration>10</token-expiration> <client-keystore-type>JKS</client-keystore-type> </credential> </secure-deployment> <secure-deployment name="vanilla.war"> <realm>demo</realm> <resource>vanilla</resource> <public-client>true</public-client> <auth-server-url>https://localhost:8180/auth</auth-server-url> <ssl-required>EXTERNAL</ssl-required> </secure-deployment>
7.2.3) specificity of standalone.xml (part added)
It has to be noted that:
- The authentication URL points to the RH-SSO server
- customer-portal is using oauth2 authorisation code flow, and is confdential. Hence it requires a client secret. The client sceret provided by the customer portal has to be one expected by RH-SSO, otherwise authencation will fail.
7.2.4) apps war deployment
Make sure that the 3 applications (customer-portal.war, product-portal.war and database.war) have been deployed to
If it is not the case, the application will fail wthe error 404 when trying to access it.
7.2.5) Starting Jboss EAP and RH-SSO
Launch JBOSS EAP at port 8080
cd EAP_HOME cd bin sh standalone.sh
Launch RH-SSO at port 8180
cd RH-HOME cd bin sh ./standalone.sh -Djboss.socket.binding.port-offset=100
- Create a new realm demo
- Make sure your 3 apps have been deployed
(This can be observed within the trace log Jboss EAP server)
- create most of the demo infratsucture running the command
You shall be redirected to the RedHat Demo login screen with an URL such as
Thus, you shall be able to log successfully using credentials email@example.com/password and view the list of customers
8) SAML Authentication
Keycloack examples also provides SAML examples.
RH-SSO is seen as the identity provider, whereas the SAML examples are seen as service provider.
8.1) Bringing the SAML infrastructure
GoTo RH-SSO admin console, and select « add realm », and upload the the file testsaml.json from the example/saml directory
8.2) Deploying a SAML Example
The example used is saml/post-with-signature
Some of metadata withinfile examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml needs to be updated at 3 places, with the RH-SSO port in use (8180), otherwise it will fail
<SingleSignOnService signRequest="true" validateResponseSignature="true" requestBinding="POST" bindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml" /> <SingleLogoutService validateRequestSignature="true" validateResponseSignature="true" signRequest="true" signResponse="true" requestBinding="POST" responseBinding="POST" postBindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml" redirectBindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml" />
Once this change has been donce, the applicayion has to be recompiled, and the saml/post-with-signature war deployed into Jboss EAP.
User is selecting URL: https://localhost:8080/sales-post-sig, and will be rediredirected to the SAML-demo login screen
The user has to enter firstname.lastname@example.org/password as credentials and will be redired to the expected sales posted screen.
More to come soon, stay tuned !
- New Keycloak online training - 19 janvier 2022
- Sizing Keycloak or Redhat SSO projects - 8 juin 2021
- Keycloak.X Distribution - 28 janvier 2021