Example SSO Implementation
In this example, SSO is implemented by exposing three endpoints with SUSE Multi-Linux Manager, and using Keycloak 26.5.3 or later as the identity service provider (IdP).
To set up Single Sign-On (SSO) with SUSE Multi-Linux Manager and Keycloak, you first configure the Keycloak identity provider, obtain its public SAML certificate, and set up the client and users. After that, you configure the SUSE Multi-Linux Manager Server to trust Keycloak.
|
This example is provided for illustrative purposes only. SUSE does not recommend or support third-party identity service providers, and is not affiliated with Keycloak. For Keycloak support, see https://www.keycloak.org/. |
You can install Keycloak directly on your machine, or run it in a container. In this example, we run Keycloak in a Podman container. For more information about installing Keycloak, see the Keycloak documentation at https://www.keycloak.org/guides#getting-started.
1. Setting up the identity service provider (Keycloak)
First, run Keycloak, create a realm, obtain the SAML public certificate, and configure the client.
Install Keycloak in a Podman container, according to the Keycloak documentation.
Run the container using the
-tdargument to ensure the process remains running:podman run -td --name keycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.1.1 start-devSign in to the Keycloak Admin Console as the
adminuser.Create an authentication realm:
In the top-left corner, click the realm selector dropdown (showing
master) and selectManage realms.On the
Manage realmspage, click the Create realm button in the top-right corner.In the
Realm namefield, enter a name (for example,MLM).Click Create.
Obtain the SAML public certificate:
From the left navigation menu, click Realm settings.
Click the
Keystab.Find the active RSA key (with provider
rsa-generated) in the active keys table.Click the Certificate button in that row.
Copy the entire Base64-encoded certificate from the modal that opens. Keep this certificate handy for the server configuration.
Add SUSE Multi-Linux Manager as a Client:
From the left navigation menu, click Clients.
Click Create client.
In the
Client typefield, selectSAML.In the
Client IDfield, enter the SUSE Multi-Linux Manager Metadata endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/metadataClick Next.
In the
Valid redirect URIsfield, enter the SUSE Multi-Linux Manager Assertion Consumer Service (ACS) endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/acsClick Save.
Fine-tune client settings:
Under the
Settingstab, scroll down to theSAML capabilitiessection:
Toggle
Sign assertionstoOn.In the
Signature algorithmfield, selectRSA_SHA1.In the
SAML Signature Key Namefield, selectKey ID.Click Save.
Under the
Keystab:
Toggle
Client signature requiredtoOff.Under the
Advancedtab, scroll down to theFine Grain SAML Endpoint Configurationsection:
In both the
Assertion Consumer Service POST Binding URLandAssertion Consumer Service Redirect Binding URLfields, enter the SUSE Multi-Linux Manager ACS endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/acsIn the
Logout Service POST Binding URLfield, enter the SUSE Multi-Linux Manager SLS endpoint. For example:https://<FQDN_MLM>/rhn/manager/sso/slsIn the
Logout Service Redirect Binding URLfield, enter the root URL of your SUSE Multi-Linux Manager instance. For example:https://<FQDN_MLM>/Click Save.
Configure Client Scope and Mappers:
From the left navigation menu, click Client scopes.
Click
role_listin the list.Click the
Mapperstab, and then click therole listmapper.Toggle
Single Role AttributetoOn, and click Save.Go back to Clients, click your SUSE Multi-Linux Manager client ID (
https://<FQDN_MLM>/rhn/manager/sso/metadata), and click theClient scopestab.Click the dedicated scope (for example,
https://<FQDN_MLM>/rhn/manager/sso/metadata-dedicated).Click Configure a new mapper.
Select
User Attributefrom the list, and configure the mapper with these details:
In the
Namefield, enteruid.In the
Propertyfield, selectusername.In the
SAML Attribute Namefield, enteruid.Click Save.
Create Users:
From the left navigation menu, click Users.
Click Add user.
In the
Usernamefield, enter a username that matches an existing SUSE Multi-Linux Manager user (for example, the administrative user).Click Create.
Click the
Credentialstab, click Set password, set a password for the user, and toggleTemporarytoOff, click Save and confirm by clicking Save password.
2. Setting up the SUSE Multi-Linux Manager server
After Keycloak is ready, configure the SUSE Multi-Linux Manager Server to use single sign-on.
|
Ensure that the users whom you intend to authenticate using SSO already exist in SUSE Multi-Linux Manager. You can create users manually in the SUSE Multi-Linux Manager Web UI, or use the command-line interface or API (using PAM-enabled or passwordless authentication). |
On the SUSE Multi-Linux Manager Server, open the
/etc/rhn/rhn.confconfiguration file.Add the following parameters. Replace
<FQDN_MLM>with the fully qualified domain name of your SUSE Multi-Linux Manager installation,<FQDN_IDP>with the FQDN of your Keycloak server,<REALM>with your realm name (for example,MLM), and<CERTIFICATE>with the SAML public certificate Base64-encoded string obtained from Keycloak in the previous steps:java.sso = true java.sso.onelogin.saml2.debug = true java.sso.onelogin.saml2.sp.entityid = https://<FQDN_MLM>/rhn/manager/sso/metadata java.sso.onelogin.saml2.sp.assertion_consumer_service.url = https://<FQDN_MLM>/rhn/manager/sso/acs java.sso.onelogin.saml2.sp.single_logout_service.url = https://<FQDN_MLM>/rhn/manager/sso/sls java.sso.onelogin.saml2.idp.entityid = http://<FQDN_IDP>:8080/realms/<REALM> java.sso.onelogin.saml2.idp.single_sign_on_service.url = http://<FQDN_IDP>:8080/realms/<REALM>/protocol/saml java.sso.onelogin.saml2.idp.single_logout_service.url = http://<FQDN_IDP>:8080/realms/<REALM>/protocol/saml java.sso.onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE----- <CERTIFICATE> -----END CERTIFICATE----- # Organization Metadata (Optional) java.sso.onelogin.saml2.organization.name = SUSE Multi-Linux Manager java.sso.onelogin.saml2.organization.displayname = SUSE Multi-Linux Manager java.sso.onelogin.saml2.organization.url = https://<FQDN_MLM> java.sso.onelogin.saml2.organization.lang = # Contacts (Optional) java.sso.onelogin.saml2.contacts.technical.given_name = SUSE Multi-Linux Manager Admin java.sso.onelogin.saml2.contacts.technical.email_address = admin@example.com java.sso.onelogin.saml2.contacts.support.given_name = SUSE Multi-Linux Manager Admin java.sso.onelogin.saml2.contacts.support.email_address = admin@example.comSave your changes and restart the spacewalk service to apply them:
mgradm restartNavigate to the SUSE Multi-Linux Manager Web UI. You should be redirected to the Keycloak login screen, and successfully log in back to SUSE Multi-Linux Manager upon authentication.
3. Troubleshooting
If you encounter issues when authenticating with single sign-on, use these steps to diagnose:
-
Verify Logs: Look for SSO errors in
/var/log/rhn/rhn_web_ui.log. Detailed logging is enabled whenjava.sso.onelogin.saml2.debug = trueis set in/etc/rhn/rhn.conf. -
User Not Found: If you see "User not found" or redirection fails after Keycloak authentication, ensure the username in Keycloak matches the username in SUSE Multi-Linux Manager exactly. Users must be pre-created in SUSE Multi-Linux Manager.
-
Signature and certificate errors: If you see "Signature verification failed", verify that the certificate in
java.sso.onelogin.saml2.idp.x509certmatches the active RSA certificate displayed under theKeystab in Keycloak Realm Settings, and ensure thatSign assertionsis toggled toOnin the client settings. -
Invalid Redirect URI: If Keycloak displays "Invalid parameter: redirect_uri" on redirection, verify that
Valid redirect URIsin client settings in Keycloak is set tohttps://<FQDN_MLM>/rhn/manager/sso/acs.