Authentication Methods

Authentication Via PAM

SUSE Manager supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that allows you to integrate SUSE Manager with a centralized authentication mechanism, eliminating the need to remember multiple passwords. SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems via PAM.

Enable PAM

  1. Create a PAM service file. PAM service files are located in /etc/pam.d/susemanager by default. Enforce its use by adding this line to /etc/rhn/rhn.conf:

    pam_auth_service = susemanager
    This assumes the PAM service file is named susemanager.
  2. In the SUSE Manager Web UI, navigate to Create User and enable a new or existing user to authenticate with PAM

  3. Check the Pluggable Authentication Modules (PAM) checkbox. It is below the password and password confirmation fields.

  4. To authenticate a SLES system against Kerberos, add these lines to /etc/pam.d/susemanager:

    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  include        common-session

    To authenticate a Red Hat Enterprise Linux system against Kerberos, add these lines to /etc/pam.d/susemanager:

auth        required
auth        sufficient no_user_check
auth        required
account     required no_user_check


YaST can be used to configure PAM. You will need to install the yast2-ldap-client and yast2-kerberos-client packages. For more information about configuring PAM, see the SUSE Linux Enterprise Server Security Guide This is a generic example that will also work for other network-based authentication methods.

+ .Changing Passwords IMPORTANT: Changing the password on the SUSE Manager Web UI changes only the local password on the SUSE Manager Server. If PAM is enabled for that user, the password might not be used at all. In the above example, for instance, the Kerberos password will not be changed.

Authentication with eDirectory and PAM

  1. First check to ensure eDirectory authentication is working with your current OS for example:

    getent passwd
  2. If users are returned from eDirectory then create the /etc/pam.d/susemanager and add the following content:

    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  include        common-session
  3. Add these lines to the SUSE Manager configuration file at /etc/rhn/rhn.conf:

    pam_auth_service = susemanager

You can now create users with the same ID used by eDirectory, and check the Use PAM checkbox in the SUSE Manager Web UI.

Example of Quest VAS Active Directory Authentication Template
auth       required
auth       sufficient no_user_check
auth       requisite echo_return
auth       required
account    required no_user_check

Authentication Via Single Sign-On (SSO)

This feature is provided as a technical preview. It is not supported for use in production environments.

SUSE Manager supports single sign-on (SSO) by implementing the Security Assertion Markup Language (SAML) 2 protocol.

Single sign-on is an authentication process that allows a user to access multiple applications with one set of credentials. SAML is an XML-based standard for exchanging authentication and authorization data. A SAML identity service provider (IdP) provides authentication and authorization services to service providers (SP), such as SUSE Manager. SUSE Manager exposes three endpoints which must be enabled for single sign-on.

SSO in SUSE Manager supports:

  • Log in with SSO.

  • Log out with service provider-initiated single logout (SLO), and Identity service provider single logout service (SLS).

  • Assertion and nameId encryption.

  • Assertion signatures.

  • Message signatures with AuthNRequest, LogoutRequest, and LogoutResponses.

  • Enable an Assertion consumer service endpoint.

  • Enable a single logout service endpoint.

  • Publish the SP metadata (which can be signed).

SSO in SUSE Manager does not support:

  • Product choosing and implementation for the Identity Service Provider (IdP).

  • SAML support for other products (check with the respective product documentation).


Before you begin, you will need to have configured an external Identity Service Provider with these parameters. Check your IdP documentation for instructions.

You will need these endpoints:

Your IdP must have a SAML:Attribute containing the username of the IdP user domain, called uid. The uid attribute passed in the SAML:Attribute must be created in the SUSE Manager user base before you activate single sign-on.

After the authentication with the IdP using the user orgadmin is successful, you will be logged in into SUSE Manager as the orgadmin user, provided that the orgadmin user exists in SUSE Manager.

Enable SOO

Using SSO is mutually exclusive with other types of authentication: it is either enabled or disabled. SSO is disabled by default.

Procedure: Enabling SSO
  1. If your users do not yet exist in SUSE Manager, create them first.

  2. Edit /etc/rhn/rhn.conf and add this line at the end of the file:

    java.sso = true
  3. Find the parameters you want to customize in /usr/share/rhn/config-defaults/rhn_java_sso.conf. Insert the parameters you want to customize into /etc/rhn/rhn.conf and prefix them with java.sso..

    For example, in /usr/share/rhn/config-defaults/rhn_java_sso.conf find:

    onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs

    In order to customize it, create the corresponding option in /etc/rhn/rhn.conf by prefixing the option name with java.sso.:

    java.sso.onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs

    To find all the occurrences you need to change, search in the file for the placeholders YOUR-PRODUCT and `YOUR-IDP-ENTITY. Every parameter comes with a brief explanation of what it is meant for.

  4. Restart the spacewalk service to pick up the changes:

    spacewalk-service restart

When you visit the SUSE Manager URL, you will be redirected to the IdP for SSO where you will be requested to authenticate. Upon successful authentication, you will be redirected to the SUSE Manager Web UI, logged in as the authenticated user. If you encounter problems with logging in using SSO, check the SUSE Manager logs for more information.