1) Overview

This article describes how it is possible to start and bring up an IAM (Identity and Access Management) project using RH-SSO 7.1 (Red Hat Single Sign-On).

The main points tested are:

  • Installation of the IDM solution (RH-SSO)
  • Test of the LDAP connection
  • Oauth2/OIDC
  • SAML

This article describes all the steps required to perform such an evaluation.

The evaluation has been performed on a RH 7.4 machine hosted on VirtualBox.

Part I – RH-SSO infrastructure installation
2) Install Redhat 7.4 on VirtualBox

This section describes how to create and install a Red Hat 7.4 server as a VirtualBox machine.

2.1) Download the RedHat 7.4 DVD

It is possible to download an evaluation image of RH 7.4.

Note: You should not pick the boot ISO but the DVD ISO image, whose size is about 4 GB.

2.2) VirtualBox Installation

Download and install VirtualBox on your machine.

2.3) Linux 64 Bits Redhat machine creation

Once you have installed Virtualbox, select :

"Machine" -> New
type: Linux
Version: RedHat 64 Bits

Other parameters:

  • Memory size: pick at least 2G (4G if you can)
    Note: The memory size parameter can easily be readjusted later, as needed
  • Virtual disk creation
    This parameter is critical and not easily adjustable. Therefore, it is advisable to choose a good size when the disk is created.
    The recommendations are:

    • 20G (at least, and more if you can)
    • Specify an appropriate disk location (you should have created earlier a directory where you want to store all VDI archives)
  • Disk type: VDI
    Disk size: Dynamically allocated

and click « create »

This will create a 64-bit Linux machine in the powered-off state.

If you were to start the RH Linux machine now, it would fail with a « Fatal Error » message, as there is no disk image to boot from.

2.4) Add a CDROM reader to the machine

Go to Configuration -> Storage
Pick the CDROM icon to add a CDROM optical reader
Select the RH 7.4 DVD as the CDROM disk.

2.5) Adding Network

Configuration -> Network
Select NAT

2.6) Installing RH7.4 on the VirtualBox machine

The machine is ready to boot from the RH7.4 DVD.
You just need to start the machine. It will boot RH 7.4.

During installation, it will ask you for:

  • Root password
  • user and password to be created
  • keyboard
  • date
  • disk location

At the end of the installation, you will obtain a usable RH 7.4 server.

2.7) Making the optical disk cdrom accessible locally

Making the CDROM locally accessible will allow you to access the CDROM packages locally.

Being logged in as root, you need to create a cdrom mount point and mount the disk:

mkdir /media/cdrom
mount /dev/sr0 /media/cdrom

Note: You should add this entry to /etc/vfstab so that it stays permanent and you don’t have to retype it each time.

The way to configure it is described in an article from Red Hat:
Need to set up yum repository for locally-mounted DVD on Red Hat Enterprise Linux 7

You also need to update the VirtualBox boot order so that the CDROM is no longer first in the list:

Go to Machine -> Configuration -> System,
and update the boot order.

You can now reboot your system.

Once rebooted, the packages are accessible at:

/media/cdrom/packages

2.8) GUI Installation

It is possible to install graphical packages:

Being logged in as root, execute the command:

yum groupinstall gnome-desktop x11 fonts

Further information is also available at:
How to install a graphical user interface (GUI) for Red Hat Enterprise Linux

3) Installing RH-SSO 7.1

In this section, you install RH-SSO, which you can obtain as an RPM package or as a zip file.

Go to the URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
and select Red Hat Single Sign-On 7.1.

You need to download the RH-SSO distribution for the evaluation. We used the zip distribution:

mkdir dev
unzip rh-sso-7.1.0.zip

cd rh-sso-7.1.0

The way to start it is:

cd bin
sh standalone.sh

  • RH-SSO is started at https://localhost:8080/auth
  • You will be asked to create an admin username and password

More detailed information can be found at:

RH-SSO 7.1 Getting Started Guide
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/getting_started_guide/

4) Installing JBoss EAP and adapters
4.1) JBoss EAP 7 install

Most of the applications and use cases to be tested also require the installation of JBoss Enterprise Application Platform 7 (EAP 7):

Red Hat JBoss Enterprise Application Platform 7.0.0

unzip jboss-eap-7.0.0.zip
cd jboss-eap-7.0.0

4.2) Adding JBoss adapters

These adapters are needed to connect to RH-SSO and also to perform SAML.

Pick both adapters that you have downloaded previously, which are available as zip files:

Red Hat Single Sign-On 7.1.0 Client Adapter for JBoss EAP 7
Red Hat Single Sign-On 7.1.0 SAML Adapter for JBoss EAP 7

Go to the JBoss EAP directory and unzip each adapter.

4.2.1) EAP adapter

Unzip RH-SSO-7.1.0-eap7-adapter.zip into the root directory of your JBoss EAP 7 distribution:

cd jboss-eap-7.0.0
unzip RH-SSO-7.1.0-eap7-adapter.zip

cd bin
./jboss-cli.sh --file=adapter-install-offline.cli

Reference:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/getting_started_guide/securing_a_jboss_servlet_application

4.2.2) SAML adapter

Extract RH-SSO-7.1.0.GA-saml-eap7-adapter.zip into EAP_HOME:

cd jboss-eap-7.0.0
unzip RH-SSO-7.1.0.GA-saml-eap7-adapter.zip

cd bin
./jboss-cli.sh -c --file=./adapter-install.cli

Reference:
https://github.com/redhat-developer/redhat-sso-quickstarts#jboss-eap

5) Installing the RH-SSO Examples

The RH-SSO examples can be obtained from the Keycloak examples git repository.

For RH-SSO stability, you should pick version 2.5.x of Keycloak.

The following prerequisites must be installed:

  • Java (8)
  • Maven (>=3.11)
  • git

You need to clone the workspace and then compile it.
The following commands build version 2.5.x:

git clone https://github.com/keycloak/keycloak.git

cd keycloak
git checkout 2.5.x

To build Keycloak and modules run:

mvn install

Part II – RH-SSO Examples testing

Now that the infrastructure is ready, the following is going to be tested:

  • Test of the RH-SSO LDAP connection
  • Oauth2/OIDC
  • SAML

6) RH-SSO – LDAP Example
6.1) Deploying an LDAP Server

The Keycloak demo examples come with a bundled Apache Directory Server, available at:

cd keycloak/examples/ldap

The way to run it is:

mvn exec:java -Pldap

This command spawns an embedded Apache Directory Server on LDAP port 10389, with bind DN uid=admin,ou=system and password secret.

This LDAP instance contains 2 users. It is possible to browse the LDAP DIT using an LDAP browser such as Apache Directory Studio or JXplorer, or even with ldapsearch commands.

6.2) Integrating RH-SSO with Ldap Server

Connect to the RH-SSO admin console at URL https://localhost:8080/auth

  • Create a new realm called ldap_realm, using the « Add Realm » button
  • Within ldap_realm, select User Federation and add an LDAP provider

The main parameters to be entered for the ldap_realm user federation provider are:

    Edit Mode: Writable
    Vendor: Redhat
    Username LDAP attribute: uid
    RDN LDAP attribute: uid
    UUID LDAP attribute: EntryUUID
    Connection URL: https://localhost:10389
    Users DN: ou=people,dc=keycloack,dc=org
    Authentication Type: simple
    Bind DN:  uid=admin, ou=system
    Bind Credential: secret

Once you have entered those parameters, you need to click « Save ».
You can then synchronize all the users by clicking the « Synchronize all users » button.
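Before typing the bind DN and credential of this section into the admin console, it is worth checking them directly against the embedded server started in 6.1. The following is an added example, not part of the Keycloak examples or of RH-SSO: it performs an LDAPv3 simple bind with nothing but the Python standard library, hand-encoding the BER of the BindRequest and BindResponse (RFC 4511) so that the exchange is visible. Host, port, DN and password are the article's values; the result-code table is the subset of RFC 4511 codes a bind check is likely to meet.

```python
"""Minimal LDAPv3 simple-bind client (stdlib only) for checking the bind DN
and credential before entering them into the RH-SSO user federation page.
Added example: it hand-encodes the BER for BindRequest/BindResponse."""
import socket

# LDAP resultCode values (RFC 4511) that a bind check is likely to meet
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triplet."""
    return bytes([tag]) + ber_len(len(value)) + value

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, simple [0] password } } exactly as sent on the wire
    (message ids below 128 only, which is all this check needs)."""
    body = (tlv(0x02, bytes([3]))                # version INTEGER 3
            + tlv(0x04, dn.encode())              # name LDAPDN
            + tlv(0x80, password.encode()))       # simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes):
    """Return (resultCode, name, diagnosticMessage) from a BindResponse."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(seq, 0)            # messageID INTEGER
    tag, op, _ = read_tlv(seq, pos)
    if tag != 0x61:                               # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)          # matchedDN
    _, diag, _ = read_tlv(op, pos)                # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_CODES.get(rc, "other"), diag.decode(errors="replace")

def simple_bind(host: str, port: int, dn: str, password: str, timeout=5.0):
    """Send one simple bind and return the parsed result. Over plain ldap://
    the credential travels in clear text, so only use this on a trusted link."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)
    return parse_bind_response(data)

if __name__ == "__main__":
    # Values of the embedded ApacheDS instance from section 6.1
    print(simple_bind("localhost", 10389, "uid=admin,ou=system", "secret"))
```

A resultCode of 49 (invalidCredentials) is what the RH-SSO federation provider will also get from a wrong Bind Credential, so running this first separates a directory problem from an RH-SSO configuration problem. Because a simple bind sends the password in clear text, both this check and the federation provider should reach the directory only over a trusted link or through LDAPS/StartTLS.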

6.3) LDAP User Authentication within the RH-SSO User Portal

Connect to the following URL:
https://localhost:8080/auth/realms/keyclock_ldap/account

You should obtain the LDAP realm authentication portal.

You can connect with user bwilson/password, for example, to test the authentication.

This step validates that you are authenticated against LDAP through RH-SSO.

6.4) Pointers

It is also possible to refer to the following pointers:

7) RH-SSO – Oauth2 Example
7.1) customer and product apps

Oauth2 examples can be found at URL

This example is based on a customer app, a product app and a database app.

The customer app authenticates against RH-SSO using the Authorization Code flow and displays the list of customers.

The product app authenticates against the database app using the signed JWT client authentication mechanism.

These apps are Java-based applications and require JBoss Enterprise Application Platform 7 to run.

7.2) Configuration
7.2.1) Description

Most of the configuration explanations can be found in:

7.2.2) Avoiding port collision

Currently we have both servers (the RH-SSO server and the JBoss EAP server) configured and installed on the same machine. One of them has to have its port binding offset (by default 8080), otherwise there would be a port collision.

So we pick:

  • JBoss EAP7: port 8080
  • RH-SSO: port 8180

As a consequence, any reference from JBoss applications to the RH-SSO server has to be remapped from 8080 to 8180.

standalone.xml update

This is exactly what has to be added/updated in the file
EAP_HOME/standalone/configuration/standalone.xml:

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">

  <secure-deployment name="database.war">
    <realm>demo</realm>
    <resource>database-service</resource>
    <bearer-only>true</bearer-only>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
  </secure-deployment>

  <secure-deployment name="customer-portal.war">
    <realm>demo</realm>
    <resource>customer-portal</resource>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
    <credential name="secret">e761dee1-6f0b-4f0f-ba12-8e23e0886c84</credential>
  </secure-deployment>

  <secure-deployment name="product-portal.war">
    <realm>demo</realm>
    <resource>product-portal</resource>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
    <credential name="jwt">
      <client-key-password>keypass</client-key-password>
      <client-keystore-file>classpath:keystore-client.jks</client-keystore-file>
      <client-keystore-password>storepass</client-keystore-password>
      <client-key-alias>clientkey</client-key-alias>
      <token-expiration>10</token-expiration>
      <client-keystore-type>JKS</client-keystore-type>
    </credential>
  </secure-deployment>

  <secure-deployment name="vanilla.war">
    <realm>demo</realm>
    <resource>vanilla</resource>
    <public-client>true</public-client>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
    <ssl-required>EXTERNAL</ssl-required>
  </secure-deployment>

</subsystem>
7.2.3) Specificity of standalone.xml (part added)

It has to be noted that:

  • The authentication URL points to the RH-SSO server:
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
  • customer-portal uses the OAuth2 authorization code flow and is confidential. Hence it requires a client secret. The client secret provided by the customer portal has to be the one expected by RH-SSO, otherwise authentication will fail:
    <credential name="secret">e761dee1-6f0b-4f0f-ba12-8e23e0886c84</credential>
7.2.4) Apps WAR deployment

Make sure that the 3 applications (customer-portal.war, product-portal.war and database.war) have been deployed to

EAP_HOME/standalone/deployments

If that is not the case, the application will fail with a 404 error when you try to access it.

7.2.5) Starting JBoss EAP and RH-SSO

Launch JBoss EAP on port 8080:

cd EAP_HOME
cd bin
sh standalone.sh

Launch RH-SSO on port 8180 (socket binding port offset of 100):

cd RH-HOME
cd bin
sh ./standalone.sh -Djboss.socket.binding.port-offset=100

7.2.6) Deployment

  • Create a new realm called demo
  • Make sure your 3 apps have been deployed
    (This can be observed in the JBoss EAP server log)
  • Create most of the demo infrastructure by running the command
    mvn wildfly:deploy

7.3) Test

Go to URL
https://localhost:8080/customer-portal/customers/view.jsp

You should be redirected to the Red Hat demo login screen, with a URL such as

https://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=555e1730-603d-4b95-97f5-b2827b967cb0&login=true&scope=openid

You should then be able to log in successfully using the credentials bburke@redhat.com/password and view the list of customers.
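The redirect above is the first leg of the authorization code flow that the EAP adapter runs on behalf of customer-portal, and the client secret requirement noted in 7.2.3 is what the second leg depends on. The following is an added example in Python, not code from the Keycloak quickstarts or the adapter: it builds the same authorization request, refuses a callback whose state is not the one generated for this login, exchanges the code at the realm's token endpoint using the client secret, and validates issuer, audience and expiry of the returned ID token. AUTH_SERVER_URL, REALM, CLIENT_ID and REDIRECT_URI are the values from the standalone.xml above; signature verification against the realm's public key is deliberately not implemented here and belongs to a JOSE library.

```python
"""Authorization-code-flow helper for the customer-portal client of the demo
realm (added example). Builds the authorization request, checks the callback
state, exchanges the code with the client secret and validates ID token claims."""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTH_SERVER_URL = "https://localhost:8180/auth"   # <auth-server-url> in standalone.xml
REALM = "demo"
CLIENT_ID = "customer-portal"
REDIRECT_URI = "http://localhost:8080/customer-portal/customers/view.jsp"

def issuer() -> str:
    """The iss value RH-SSO puts in every token of this realm."""
    return f"{AUTH_SERVER_URL}/realms/{REALM}"

def new_state() -> str:
    """Unguessable per-login value; the adapter generates one like the UUID above."""
    return secrets.token_urlsafe(16)

def build_authorize_url(state: str) -> str:
    """Same shape as the redirect shown in section 7.3."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "login": "true",
        "scope": "openid",
    }
    return f"{issuer()}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, refusing any reply whose state is not
    the one generated for this login (CSRF / login-injection protection)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def exchange_code(code: str, client_secret: str) -> dict:
    """Back-channel token request. client_secret is the <credential name="secret">
    value and must match the client's secret in the realm, or RH-SSO refuses it."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(f"{issuer()}/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def jwt_claims(token: str) -> dict:
    """Decode the payload segment (base64url without padding); no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(claims: dict, now=None) -> list:
    """Return the list of problems found; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer():
        problems.append("issuer is not the configured RH-SSO realm")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CLIENT_ID not in aud:
        problems.append("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

if __name__ == "__main__":
    state = new_state()
    print("send the browser to:", build_authorize_url(state))
```

The state check is the part most often skipped in hand-written clients: without it, a code obtained for one session can be injected into another. The issuer check ties the token to the auth-server-url of 7.2.3, which is why the port remap of 7.2.2 matters for more than reachability.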

8) SAML Authentication

The Keycloak examples also provide SAML examples.

RH-SSO is seen as the identity provider, whereas the SAML examples are seen as service providers.

8.1) Bringing the SAML infrastructure

Go to the RH-SSO admin console, select « Add realm », and upload the file testsaml.json from the examples/saml directory.

8.2) Deploying a SAML Example

The example used is saml/post-with-signature.

Some of the metadata within the file examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml needs to be updated in 3 places with the RH-SSO port in use (8180), otherwise it will fail:

<SingleSignOnService signRequest="true"
    validateResponseSignature="true"
    requestBinding="POST"
    bindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml"
/>

<SingleLogoutService
    validateRequestSignature="true"
    validateResponseSignature="true"
    signRequest="true"
    signResponse="true"
    requestBinding="POST"
    responseBinding="POST"
    postBindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml"
    redirectBindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml"
/>

Once this change has been done, the application has to be recompiled and the saml/post-with-signature WAR deployed into JBoss EAP.
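Both hand edits in this article, the keycloak subsystem of standalone.xml (7.2.2 and 7.2.3) and the three URLs in keycloak-saml.xml above, are easy to get half right, and a missed one only shows up as a failed login. The following added check, not part of RH-SSO or the quickstarts, parses both files with the Python standard library and reports any RH-SSO URL that does not use the offset port 8180, any confidential OIDC deployment that has no <credential>, and any SAML signing or signature-validation flag that is not switched on. The two XML snippets at the top are constructed samples, each with deliberate mistakes so the output is visible; pass the real file contents to check a deployment.

```python
"""Configuration check for the EAP OIDC adapter subsystem and the SAML adapter
descriptor (added example). Reports wrong RH-SSO ports, missing client
credentials and disabled SAML signature checks."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RHSSO_PORT = 8180   # RH-SSO runs with -Djboss.socket.binding.port-offset=100

# Constructed sample: customer-portal.war still points at 8080 and lacks its secret
SAMPLE_STANDALONE = """<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
  <secure-deployment name="database.war">
    <realm>demo</realm><resource>database-service</resource>
    <bearer-only>true</bearer-only>
    <auth-server-url>https://localhost:8180/auth</auth-server-url>
  </secure-deployment>
  <secure-deployment name="customer-portal.war">
    <realm>demo</realm><resource>customer-portal</resource>
    <auth-server-url>https://localhost:8080/auth</auth-server-url>
  </secure-deployment>
</subsystem>"""

# Constructed sample: response-signature validation off, one logout URL not remapped
SAMPLE_SAML = """<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="sales-post-sig"><IDP entityID="idp">
    <SingleSignOnService signRequest="true" validateResponseSignature="false"
        requestBinding="POST"
        bindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml"/>
    <SingleLogoutService validateRequestSignature="true" validateResponseSignature="true"
        signRequest="true" signResponse="true" requestBinding="POST" responseBinding="POST"
        postBindingUrl="https://localhost:8080/auth/realms/saml-demo/protocol/saml"
        redirectBindingUrl="https://localhost:8180/auth/realms/saml-demo/protocol/saml"/>
  </IDP></SP>
</keycloak-saml-adapter>"""

def local(tag: str) -> str:
    """Strip the XML namespace so the checks work whatever namespace the file uses."""
    return tag.rsplit("}", 1)[-1]

def wrong_port(url: str) -> bool:
    return urlsplit(url).port != RHSSO_PORT

def check_standalone(xml_text: str) -> list:
    """Check every <secure-deployment> of the keycloak subsystem."""
    problems = []
    for dep in ET.fromstring(xml_text).iter():
        if local(dep.tag) != "secure-deployment":
            continue
        name = dep.get("name")
        fields = {local(c.tag): c for c in dep}
        url = fields.get("auth-server-url")
        if url is None or wrong_port(url.text):
            problems.append(f"{name}: auth-server-url must point to port {RHSSO_PORT}")
        public = "public-client" in fields and fields["public-client"].text == "true"
        bearer = "bearer-only" in fields and fields["bearer-only"].text == "true"
        # public clients have no secret; bearer-only services never log in themselves
        if not public and not bearer and "credential" not in fields:
            problems.append(f"{name}: confidential client has no <credential>")
    return problems

# Flags the post-with-signature example relies on, per IDP service element
SAML_FLAGS = {
    "SingleSignOnService": ("signRequest", "validateResponseSignature"),
    "SingleLogoutService": ("signRequest", "signResponse",
                            "validateRequestSignature", "validateResponseSignature"),
}

def check_saml(xml_text: str) -> list:
    """Check signature flags and RH-SSO URLs in keycloak-saml.xml."""
    problems = []
    for el in ET.fromstring(xml_text).iter():
        flags = SAML_FLAGS.get(local(el.tag))
        if flags is None:
            continue
        for flag in flags:
            if el.get(flag) != "true":
                problems.append(f"{local(el.tag)}: {flag} is not true")
        for attr in ("bindingUrl", "postBindingUrl", "redirectBindingUrl"):
            if el.get(attr) and wrong_port(el.get(attr)):
                problems.append(f"{local(el.tag)}: {attr} must point to port {RHSSO_PORT}")
    return problems

if __name__ == "__main__":
    for line in check_standalone(SAMPLE_STANDALONE) + check_saml(SAMPLE_SAML):
        print(line)
```

Turning validateResponseSignature off would make the service provider accept an unsigned assertion, so the SAML half of the check is a security check and not only a port check; for the OIDC half, a missing credential on a confidential client is refused by RH-SSO, while a public client without one is expected.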

8.3) Test

The user selects the URL https://localhost:8080/sales-post-sig and is redirected to the saml-demo login screen.

The user has to enter bburke@redhat.com/password as credentials and is then redirected to the expected sales post screen.

More to come soon, stay tuned !

janua