Authentication With Single Sign-On (SSO)
SUSE Multi-Linux Manager supports single sign-on (SSO) by implementing the Security Assertion Markup Language (SAML) 2 protocol.
Single sign-on is an authentication process that allows a user to access multiple applications with one set of credentials. SAML is an XML-based standard for exchanging authentication and authorization data. A SAML identity service provider (IdP) provides authentication and authorization services to service providers (SP), such as SUSE Multi-Linux Manager. SUSE Multi-Linux Manager exposes three endpoints which must be enabled for single sign-on.
SSO in SUSE Multi-Linux Manager supports:
- Log in with SSO.
- Log out with service provider-initiated single logout (SLO), and identity service provider single logout service (SLS).
- Assertion and NameID encryption.
- Assertion signatures.
- Message signatures with AuthNRequest, LogoutRequest, and LogoutResponse.
- Enable an assertion consumer service endpoint.
- Enable a single logout service endpoint.
- Publish the SP metadata (which can be signed).
SSO in SUSE Multi-Linux Manager does not support:
- Product choosing and implementation for the identity service provider (IdP).
- SAML support for other products (check with the respective product documentation).
For an example implementation of SSO, see Example SSO Implementation.
If you change from the default authentication method to single sign-on, the new SSO credentials apply only to the Web UI.
Client tools such as
1. Prerequisites
Before you begin, you need to have configured an external identity service provider with these parameters. Check your IdP documentation for instructions.
The mapping between the IdP user and the SUSE Multi-Linux Manager user is specified in a SAML:Attribute.
The SAML:Attribute must be configured in the IdP and must be passed to SUSE Multi-Linux Manager in the SAML authentication.
The attribute must be named
You need these endpoints:
- Assertion consumer service (or ACS): an endpoint that accepts SAML messages to establish a session in the service provider. The ACS endpoint in SUSE Multi-Linux Manager is: https://server.example.com/rhn/manager/sso/acs
- Single logout service (or SLS): an endpoint that receives a logout request initiated from the IdP. The SLS endpoint in SUSE Multi-Linux Manager is: https://server.example.com/rhn/manager/sso/sls
- Metadata: an endpoint that serves the SUSE Multi-Linux Manager SAML metadata. The metadata endpoint in SUSE Multi-Linux Manager is: https://server.example.com/rhn/manager/sso/metadata
After the authentication with the IdP using the user orgadmin is successful, you are logged in to SUSE Multi-Linux Manager as the orgadmin user, provided that the orgadmin user exists in SUSE Multi-Linux Manager.
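The attribute-to-user mapping described above, as an added example that is not SUSE Multi-Linux Manager's own code: it parses a constructed SAML assertion, reads the mapping SAML:Attribute, and accepts the login only when the asserted value names a user that already exists locally, which is the condition the prerequisites state. The attribute name example-user-attribute, the IdP issuer and the user names are placeholders constructed for the example; use the attribute name the product requires in a real deployment.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, simplified SAML 2.0 assertion (assumption: attribute name,
# issuer and user names are placeholders, not values from the documentation).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>orgadmin@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="example-user-attribute">
      <saml:AttributeValue>orgadmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>orgadmin@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute(assertion_xml: str, attribute_name: str) -> Optional[str]:
    """Return the single value of the named SAML:Attribute, or None.

    None is returned when the attribute is missing, empty, or carries more
    than one value: an ambiguous mapping must not resolve to any account.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        values: List[str] = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
        if len(values) != 1 or not values[0]:
            return None
        return values[0]
    return None


def resolve_local_user(assertion_xml: str, attribute_name: str,
                       existing_users: Iterable[str]) -> Optional[str]:
    """Map the IdP-asserted login to a pre-existing local account.

    Returns the local user name when the asserted value names an existing
    SUSE Multi-Linux Manager user; otherwise None. No account is created on
    the fly, so an unknown asserted name cannot obtain a session.
    """
    login = extract_attribute(assertion_xml, attribute_name)
    if login is None or login not in set(existing_users):
        return None
    return login


if __name__ == "__main__":
    # Constructed set of users that already exist in the local database.
    local_users = {"orgadmin", "alice"}
    print(resolve_local_user(SAMPLE_ASSERTION, "example-user-attribute", local_users))
```

The helper deliberately uses the configured mapping attribute rather than the NameID or the mail attribute: the page ties the session to the SAML:Attribute the IdP is configured to send, and a value that does not match an existing local user yields no session.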
2. Enable SSO
Using SSO is mutually exclusive with other types of authentication: it is either enabled or disabled. SSO is disabled by default.
Use
- If your users do not yet exist in SUSE Multi-Linux Manager, create them first.
- Edit /etc/rhn/rhn.conf and add this line at the end of the file:
  java.sso = true
- Find the parameters you want to customize in /usr/share/rhn/config-defaults/rhn_java_sso.conf. Insert the parameters you want to customize into /etc/rhn/rhn.conf and prefix them with java.sso. For example, in /usr/share/rhn/config-defaults/rhn_java_sso.conf find:
  onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs
  To customize it, create the corresponding option in /etc/rhn/rhn.conf by prefixing the option name with java.sso.:
  java.sso.onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs
  To find all the occurrences you need to change, search the file for the placeholders YOUR-PRODUCT and YOUR-IDP-ENTITY. Every parameter comes with a brief explanation of what it is meant for.
- Restart the spacewalk service to pick up the changes:
  mgradm restart
When you visit the SUSE Multi-Linux Manager URL, you are redirected to the IdP for SSO where you are requested to authenticate. Upon successful authentication, you are redirected to the SUSE Multi-Linux Manager Web UI, logged in as the authenticated user. If you encounter problems with logging in using SSO, check the SUSE Multi-Linux Manager logs for more information.
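An added helper, not part of the product or of this page, that performs the customization step above over a constructed excerpt of rhn_java_sso.conf: it prefixes every placeholder-bearing key with java.sso., substitutes the YOUR-PRODUCT and YOUR-IDP-ENTITY placeholders, and then checks that no placeholder is left behind and that the ACS and SLS overrides are https URLs ending in the documented paths. Only the assertion_consumer_service.url key comes from the page; the single_logout_service.url and idp.entityid key names are assumed from java-saml's property naming, and all values, including the server and IdP names, are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of /usr/share/rhn/config-defaults/rhn_java_sso.conf.
# Assumption: only the first key is taken from the documentation; the others
# follow java-saml property naming and are illustrative.
DEFAULTS_SAMPLE = """\
# URL where the SP receives SAML responses (assertion consumer service)
onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs
# URL where the SP receives logout requests and responses
onelogin.saml2.sp.single_logout_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/sls
# Identifier of the IdP entity
onelogin.saml2.idp.entityid = YOUR-IDP-ENTITY-ID
# A default that needs no change
onelogin.saml2.security.want_assertions_signed = true
"""

PREFIX = "java.sso."
# Matches the placeholder families the documentation tells you to search for.
PLACEHOLDER_RE = re.compile(r"YOUR-(?:PRODUCT|IDP-ENTITY)[A-Z0-9-]*")

# Paths of the documented SP endpoints, keyed by the override name in rhn.conf.
EXPECTED_PATHS = {
    PREFIX + "onelogin.saml2.sp.assertion_consumer_service.url": "/rhn/manager/sso/acs",
    PREFIX + "onelogin.saml2.sp.single_logout_service.url": "/rhn/manager/sso/sls",
}


def parse_defaults(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs, skipping comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def build_overrides(defaults_text: str, substitutions: Dict[str, str]) -> List[str]:
    """Produce java.sso.-prefixed rhn.conf lines for every placeholder-bearing key.

    Placeholders without a substitution are kept verbatim so that
    unresolved_placeholders() can report them.
    """
    lines = []
    for key, value in parse_defaults(defaults_text):
        if not PLACEHOLDER_RE.search(value):
            continue  # default is fine as shipped; nothing to override
        new_value = PLACEHOLDER_RE.sub(
            lambda m: substitutions.get(m.group(0), m.group(0)), value)
        lines.append(f"{PREFIX}{key} = {new_value}")
    return lines


def unresolved_placeholders(lines: List[str]) -> List[str]:
    """Sorted list of placeholders still present in the generated lines."""
    return sorted({m.group(0) for line in lines for m in PLACEHOLDER_RE.finditer(line)})


def endpoint_problems(lines: List[str]) -> List[str]:
    """Keys whose endpoint override is not https or not at the documented path."""
    problems = []
    for line in lines:
        key, _, value = (part.strip() for part in line.partition("="))
        path = EXPECTED_PATHS.get(key)
        if path is None:
            continue
        if not value.startswith("https://") or not value.endswith(path):
            problems.append(key)
    return problems


if __name__ == "__main__":
    # Constructed substitutions for a hypothetical deployment.
    overrides = build_overrides(DEFAULTS_SAMPLE, {
        "YOUR-PRODUCT-HOSTNAME-OR-IP": "server.example.com",
        "YOUR-IDP-ENTITY-ID": "https://idp.example.com/metadata",
    })
    print("\n".join(overrides))
    print("unresolved:", unresolved_placeholders(overrides))
    print("endpoint problems:", endpoint_problems(overrides))
```

Run the checks before restarting the service: a leftover placeholder or a plain-http endpoint override is the kind of mistake that only shows up later as a failed redirect in the server logs.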