示例 SSO 实现
In this example, SSO is implemented by exposing three endpoints with SUSE Multi-Linux Manager, and using Keycloak 26.5.3 or later as the identity service provider (IdP).
To set up Single Sign-On (SSO) with SUSE Multi-Linux Manager and Keycloak, you first configure the Keycloak identity provider, obtain its public SAML certificate, and set up the client and users. After that, you configure the SUSE Multi-Linux Manager Server to trust Keycloak.
|
此示例仅用于说明目的。SUSE 不建议也不支持第三方身份服务提供者,并且与 Keycloak 不存在从属关系。有关 Keycloak 支持信息,请参见 https://www.keycloak.org/。 |
可以直接在您的计算机上安装 Keycloak,或者在容器中运行 Keycloak。此示例在 Podman 容器中运行 Keycloak。有关安装 Keycloak 的详细信息,请参见 https://www.keycloak.org/guides#getting-started 上的 Keycloak 文档。
1. Setting up the identity service provider (Keycloak)
First, run Keycloak, create a realm, obtain the SAML public certificate, and configure the client.
根据 Keycloak 文档所述在 Podman 容器中安装 Keycloak。
Run the container using the
-tdargument to ensure the process remains running:podman run -td --name keycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.1 start-devSign in to the Keycloak Admin Console as the
adminuser.Create an authentication realm:
In the top-left corner, click the realm selector dropdown (showing
master) and selectManage realms.On the
Manage realmspage, click the Create realm button in the top-right corner.In the
Realm namefield, enter a name (for example,MLM).单击 创建。
Obtain the SAML public certificate:
From the left navigation menu, click Realm settings.
Click the
Keystab.Find the active RSA key (with provider
rsa-generated) in the active keys table.Click the Certificate button in that row.
Copy the entire Base64-encoded certificate from the modal that opens. Keep this certificate handy for the server configuration.
Add SUSE Multi-Linux Manager as a Client:
From the left navigation menu, click Clients.
Click Create client.
In the
Client typefield, selectSAML.In the
Client IDfield, enter the SUSE Multi-Linux Manager Metadata endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/metadataClick Next.
In the
Valid redirect URIsfield, enter the SUSE Multi-Linux Manager Assertion Consumer Service (ACS) endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/acs单击 保存。
Fine-tune client settings:
Under the
Settingstab, scroll down to theSAML capabilitiessection:
Toggle
Sign assertionstoOn.In the
Signature algorithmfield, selectRSA_SHA1.In the
SAML Signature Key Namefield, selectKey ID.Click Save.
Under the
Keystab:
Toggle
Client signature requiredtoOff.Under the
Advancedtab, scroll down to theFine Grain SAML Endpoint Configurationsection:
In both the
Assertion Consumer Service POST Binding URLandAssertion Consumer Service Redirect Binding URLfields, enter the SUSE Multi-Linux Manager ACS endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/acsIn the
Logout Service POST Binding URLfield, enter the SUSE Multi-Linux Manager SLS endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/slsIn the
Logout Service Redirect Binding URLfield, enter the root URL of your SUSE Multi-Linux Manager instance. For example:https://<FQDN_MLM>/Click Save.
Configure Client Scope and Mappers:
From the left navigation menu, click Client scopes.
Click
role_listin the list.Click the
Mapperstab, and then click therole listmapper.Toggle
Single Role AttributetoOn, and click Save.Go back to Clients, click your SUSE Multi-Linux Manager client ID (
https://<FQDN_MLM>/rhn/manager/sso/metadata), and click theClient scopestab.Click the dedicated scope (for example,
https://<FQDN_MLM>/rhn/manager/sso/metadata-dedicated).Click Configure a new mapper.
Select
User Attributefrom the list, and configure the mapper with these details:
In the
Namefield, enteruid.In the
Propertyfield, selectusername.In the
SAML Attribute Namefield, enteruid.单击 保存。
Create Users:
From the left navigation menu, click Users.
Click Add user.
In the
Usernamefield, enter a username that matches an existing SUSE Multi-Linux Manager user (for example, the administrative user).单击 创建。
Click the
Credentialstab, click Set password, set a password for the user, and toggleTemporarytoOff, click Save and confirm by clicking Save password.
2. Setting up the SUSE Multi-Linux Manager server
After Keycloak is ready, configure the SUSE Multi-Linux Manager Server to use single sign-on.
|
Ensure that the users whom you intend to authenticate using SSO already exist in SUSE Multi-Linux Manager. You can create users manually in the SUSE Multi-Linux Manager Web UI, or use the command-line interface or API (using PAM-enabled or passwordless authentication). |
On the SUSE Multi-Linux Manager Server, open the
/etc/rhn/rhn.confconfiguration file.Add the following parameters. Replace
<FQDN_MLM>with the fully qualified domain name of your SUSE Multi-Linux Manager installation,<FQDN_IDP>with the FQDN of your Keycloak server,<REALM>with your realm name (for example,MLM), and<CERTIFICATE>with the SAML public certificate Base64-encoded string obtained from Keycloak in the previous steps:java.sso = true java.sso.onelogin.saml2.debug = true java.sso.onelogin.saml2.sp.entityid = https://<FQDN_MLM>/rhn/manager/sso/metadata java.sso.onelogin.saml2.sp.assertion_consumer_service.url = https://<FQDN_MLM>/rhn/manager/sso/acs java.sso.onelogin.saml2.sp.single_logout_service.url = https://<FQDN_MLM>/rhn/manager/sso/sls java.sso.onelogin.saml2.idp.entityid = http://<FQDN_IDP>:8080/realms/<REALM> java.sso.onelogin.saml2.idp.single_sign_on_service.url = http://<FQDN_IDP>:8080/realms/<REALM>/protocol/saml java.sso.onelogin.saml2.idp.single_logout_service.url = http://<FQDN_IDP>:8080/realms/<REALM>/protocol/saml java.sso.onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE----- <CERTIFICATE> -----END CERTIFICATE----- # Organization Metadata (Optional) java.sso.onelogin.saml2.organization.name = SUSE Multi-Linux Manager java.sso.onelogin.saml2.organization.displayname = SUSE Multi-Linux Manager java.sso.onelogin.saml2.organization.url = https://<FQDN_MLM> java.sso.onelogin.saml2.organization.lang = # Contacts (Optional) java.sso.onelogin.saml2.contacts.technical.given_name = SUSE Multi-Linux Manager Admin java.sso.onelogin.saml2.contacts.technical.email_address = admin@example.com java.sso.onelogin.saml2.contacts.support.given_name = SUSE Multi-Linux Manager Admin java.sso.onelogin.saml2.contacts.support.email_address = admin@example.comSave your changes and restart the spacewalk service to apply them:
mgradm restartNavigate to the SUSE Multi-Linux Manager Web UI. You should be redirected to the Keycloak login screen, and successfully log in back to SUSE Multi-Linux Manager upon authentication.
3. 查错
If you encounter issues when authenticating with single sign-on, use these steps to diagnose:
-
Verify Logs: Look for SSO errors in
/var/log/rhn/rhn_web_ui.log. Detailed logging is enabled whenjava.sso.onelogin.saml2.debug = trueis set in/etc/rhn/rhn.conf. -
User Not Found: If you see "User not found" or redirection fails after Keycloak authentication, ensure the username in Keycloak matches the username in SUSE Multi-Linux Manager exactly. Users must be pre-created in SUSE Multi-Linux Manager.
-
Signature and certificate errors: If you see "Signature verification failed", verify that the certificate in
java.sso.onelogin.saml2.idp.x509certmatches the active RSA certificate displayed under theKeystab in Keycloak Realm Settings, and ensure thatSign assertionsis toggled toOnin the client settings. -
Invalid Redirect URI: If Keycloak displays "Invalid parameter: redirect_uri" on redirection, verify that
Valid redirect URIsin client settings in Keycloak is set tohttps://<FQDN_MLM>/rhn/manager/sso/acs.