User Federation

LDAP User Federation

Red Hat Single Sign-On can validate credentials against LDAP or Active Directory. In this section we integrate it with IdM/FreeIPA.

  • Open a browser window and log in to the FreeIPA administration web console.

  • Create the user robert. Browse to Identity, then Users. Click Add.

(Screenshot: ldap users add)
  • Fill the form with the following data:

    • User login: robert

    • First name: Robert

    • Last name: Garcia

    • Set a password

(Screenshot: ldap add user)
  • Click Add.

(Screenshot: ldap added user)
  • Go to Identity, then Groups. Click Add.

(Screenshot: ldap add group)
  • Add a Non-POSIX group named special_staff. Click Add.

(Screenshot: ldap group add)
(Screenshot: ldap groups list)
  • Click Identity, then Users. Click the robert user.

(Screenshot: ldap users list)
  • Click the User Groups tab. Click Add.

(Screenshot: ldap user add to group)
  • Add robert to the special_staff group. Click Add.

(Screenshot: ldap added user to group)
(Screenshot: ldap user groups list)
  • Open a browser window and log in to the Red Hat Single Sign-On administration web console.

  • Select the Demo realm.

  • Click User Federation.

(Screenshot: sso user federation)
  • Select ldap as the provider.

(Screenshot: sso ldap provider)
  • Fill the user federation provider required settings. Click Save.

(Screenshot: sso ldap config)
  • Click Synchronize all users.

We are using a plain LDAP connection for this workshop. If you'd like to use SSL/TLS, use service port 636 and the ldaps scheme instead.
The Bind Credential is the password of the Directory Manager account in FreeIPA. This account is created during the installation of FreeIPA and has full administrative privileges over the FreeIPA instance.
  • Add the group mapper: click the Mappers tab, then click Create.

(Screenshot: sso ldap create mapper)
  • Set the Name to group and the Mapper Type to group-ldap-mapper. Fill in the remaining fields. Click Save.

(Screenshot: sso ldap mapper cfg)
  • Click Sync LDAP Groups To Keycloak.

  • Check the Groups section to see if the group has been imported successfully.

(Screenshot: sso imported group)
  • Also, check if the user robert has been imported successfully.

(Screenshot: sso imported user)
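The console clicks above translate into two component representations that the Red Hat Single Sign-On / Keycloak Admin REST API (and kcadm.sh `create components`) accept: one for the LDAP provider and one for the group-ldap-mapper. The Python below, an example added to this page and not workshop material, assembles both and then audits the settings a reviewer would question: the plain ldap:// connection and the Directory Manager bind account the workshop uses, shown next to a hardened variant. Hostnames, base DN, and the svc-sso system account are constructed; the FreeIPA attribute and object-class choices (ipaUniqueID, groupOfNames) are assumptions to verify against the target directory.

```python
"""Assemble the component representations that the RH-SSO / Keycloak Admin
REST API (and kcadm.sh `create components`) accept for the LDAP provider and
the group-ldap-mapper configured in this section, then audit the settings a
reviewer would question. Added example for this page, not workshop code.
Hostnames, base DN and bind accounts are constructed; the FreeIPA attribute
and object-class choices are assumptions to verify against the directory."""
import json
from urllib.parse import urlparse

BASE_DN = "dc=example,dc=com"          # constructed FreeIPA suffix


def ldap_provider_component(realm, connection_url, bind_dn, bind_credential,
                            base_dn=BASE_DN):
    """ComponentRepresentation for the provider; Keycloak wants every config
    value wrapped in a list of strings."""
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm,
        "config": {
            "vendor": ["rhds"],                     # FreeIPA runs on 389 DS
            "connectionUrl": [connection_url],
            "usersDn": [f"cn=users,cn=accounts,{base_dn}"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_credential],
            "authType": ["simple"],
            "editMode": ["READ_ONLY"],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["ipaUniqueID"],   # assumption: FreeIPA's stable id
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "syncRegistrations": ["false"],
        },
    }


def group_mapper_component(provider_component_id, base_dn=BASE_DN):
    """The 'group' mapper of type group-ldap-mapper, reading FreeIPA groups."""
    return {
        "name": "group",
        "providerId": "group-ldap-mapper",
        "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
        "parentId": provider_component_id,
        "config": {
            "groups.dn": [f"cn=groups,cn=accounts,{base_dn}"],
            "group.name.ldap.attribute": ["cn"],
            "group.object.classes": ["groupOfNames"],  # assumption: fits non-POSIX groups
            "membership.ldap.attribute": ["member"],
            "membership.attribute.type": ["DN"],
            "membership.user.ldap.attribute": ["uid"],
            "mode": ["READ_ONLY"],
            "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"],
        },
    }


def audit_ldap_config(component):
    """Return the findings a security reviewer would raise for this provider."""
    cfg = component["config"]
    findings = []
    url = urlparse(cfg["connectionUrl"][0])
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    if url.scheme == "ldap":
        findings.append("plain ldap://: the bind credential and every user "
                        "password validated through this provider cross the "
                        "network unencrypted; use ldaps:// on 636")
    elif url.scheme == "ldaps" and port != 636:
        findings.append(f"ldaps:// on port {port}: the LDAPS service port "
                        "is 636, check the connection URL")
    if cfg["bindDn"][0].lower() == "cn=directory manager":
        findings.append("bind DN is Directory Manager: a compromise of the "
                        "SSO server yields full control of the directory; "
                        "bind with a dedicated read-only system account")
    if cfg["editMode"][0] != "READ_ONLY":
        findings.append(f"editMode {cfg['editMode'][0]}: SSO can write back "
                        "to the directory; keep READ_ONLY unless required")
    return findings


if __name__ == "__main__":
    as_configured = ldap_provider_component(
        "Demo", "ldap://ipa.example.com:389", "cn=Directory Manager", "<bind-password>")
    print(json.dumps(as_configured, indent=2))
    print(audit_ldap_config(as_configured))
    hardened = ldap_provider_component(
        "Demo", "ldaps://ipa.example.com:636",
        f"uid=svc-sso,cn=sysaccounts,cn=etc,{BASE_DN}", "<bind-password>")
    print(audit_ldap_config(hardened))
```

The audit on the workshop's own settings returns two findings (plain LDAP, Directory Manager bind); the hardened variant, which binds as a system account under cn=sysaccounts,cn=etc over ldaps on 636, returns none. The JSON printed for the provider is what you would pass to `kcadm.sh create components -r Demo -f -`; the mapper's parentId must be the id the server assigns to the provider component, which is why group_mapper_component takes it as a parameter.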

User Storage SPI

External user database store

TODO

External user REST service store

We have an external system that stores and manages user data which is accessible via a REST API.

However, due to certain constraints, we do not want to migrate this existing system to the Red Hat Single Sign-On data model. Therefore, we are interested in extending our Red Hat Single Sign-On deployment and integrating it with this external user storage system.

The REST API has been developed using Quarkus and is named jaxrs-user-store. It provides two endpoints:

  • /api/v1/users, which returns a set of all the users in the system.

  • /api/v1/users/{id}, which returns the user whose userId matches id.

Both endpoints accept GET requests.

The application is designed to be deployed on top of OpenShift. You can deploy it by running the ocp-deploy.sh script or alternatively:

./mvnw install -Dquarkus.kubernetes.deploy=true

Test the application endpoints:

$ http ${APP_HOSTNAME}/api/v1/users

HTTP/1.1 200 OK
Content-Type: application/json
content-length: 731

[
<..>
    {
        "email": "[email protected]",
        "firstName": "Abel",
        "lastName": "Miiii",
        "password": "abelpassword",
        "userId": "5",
        "username": "abel"
    },
    {
        "email": "[email protected]",
        "firstName": "Mao",
        "lastName": "Meow",
        "password": "maopassword",
        "userId": "3",
        "username": "mao"
    }
<..>
]
$ http localhost:8081/api/v1/users/1

HTTP/1.1 200 OK
Content-Type: application/json
content-length: 120

{
    "email": "[email protected]",
    "firstName": "Nata",
    "lastName": "Natilla",
    "password": "natapassword",
    "userId": "1",
    "username": "nata"
}

For extending Red Hat Single Sign-On to connect to the external system, we use the User Storage SPI (Service Provider Interface).

The provider implementation is custom-user-storage-spi and can be deployed in several ways:

  • By extending the Red Hat Single Sign-On image.

  • By mounting a volume with the file.

  • By using a ConfigMap (not recommended: a ConfigMap has a limited size and is meant mainly for storing metadata).

  • By copying it into the pod (which is ephemeral).

  • Other approaches as well.

The provider reads the USER_STORAGE_CUSTOM_SPI_TARGET_HOST environment variable, which must be in the form HOST:PORT, or just HOST when the service listens on the default HTTP port 80. The value can be set as an environment variable in the DeploymentConfig.

Once the environment variable and the package are correctly deployed, we will see the new provider listed under the User Federation section of the Red Hat Single Sign-On administration web console.
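What the provider has to do against jaxrs-user-store is small enough to model in a few dozen lines: resolve the service from USER_STORAGE_CUSTOM_SPI_TARGET_HOST (HOST or HOST:PORT, port 80 when omitted), fetch the user list, look a user up by id or username, and validate a password. The Python below is an added reference model of those calls, not the code of custom-user-storage-spi (which is Java and not shown on this page). The sample payload is constructed to match the shape of the /api/v1/users output above, with invented e-mail addresses, so the model runs offline; pass the real http_get_json fetch function to talk to the deployed service.

```python
"""Python reference model of what the custom-user-storage-spi provider has to
do against the jaxrs-user-store REST API: resolve the service from
USER_STORAGE_CUSTOM_SPI_TARGET_HOST, list users, look one up by id or
username, and validate a password. Added example for this page; the real
provider is Java and is not shown here. SAMPLE_USERS is constructed (ids
and names follow the page, e-mails are invented) so the model runs offline."""
import hmac
import json
import os
import urllib.error
import urllib.request


def base_url(target_host):
    """'HOST' or 'HOST:PORT' -> 'http://HOST[:PORT]'; a bare host means http/80."""
    if not target_host:
        raise ValueError("USER_STORAGE_CUSTOM_SPI_TARGET_HOST is not set")
    host, sep, port = target_host.rpartition(":")
    if sep and port.isdigit():
        return f"http://{host}:{int(port)}"
    return f"http://{target_host}"


def http_get_json(url):
    """GET url and decode JSON; a 404 becomes None, like an unknown user id."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


class RestUserStore:
    """Mirrors the lookup and credential-validation calls a User Storage
    provider implements (getUserById, getUserByUsername, isValid)."""

    def __init__(self, target_host, fetch=http_get_json):
        self.base = base_url(target_host)
        self.fetch = fetch

    def list_users(self):
        return self.fetch(f"{self.base}/api/v1/users") or []

    def get_user(self, user_id):
        return self.fetch(f"{self.base}/api/v1/users/{user_id}")

    def get_user_by_username(self, username):
        # The service has no username endpoint, so filter the full listing.
        return next((u for u in self.list_users() if u["username"] == username), None)

    def validate_password(self, user_id, candidate):
        user = self.get_user(user_id)
        if not user:
            return False
        # The page's API returns the password in clear; compare in constant
        # time and never log or cache the value on the SSO side.
        return hmac.compare_digest(user.get("password", ""), candidate)


# Constructed sample, shaped like the page's /api/v1/users output.
SAMPLE_USERS = [
    {"userId": "1", "username": "nata", "firstName": "Nata", "lastName": "Natilla",
     "email": "nata@example.com", "password": "natapassword"},
    {"userId": "3", "username": "mao", "firstName": "Mao", "lastName": "Meow",
     "email": "mao@example.com", "password": "maopassword"},
]


def sample_fetch(url):
    """Offline stand-in for http_get_json that serves SAMPLE_USERS."""
    path = url.split("/api/v1/users", 1)[1]
    if path == "":
        return [dict(u) for u in SAMPLE_USERS]
    wanted = path.lstrip("/")
    return next((dict(u) for u in SAMPLE_USERS if u["userId"] == wanted), None)


if __name__ == "__main__":
    target = os.environ.get("USER_STORAGE_CUSTOM_SPI_TARGET_HOST", "localhost:8081")
    store = RestUserStore(target, fetch=sample_fetch)   # drop fetch= for the live service
    print(store.get_user_by_username("mao"))
    print(store.validate_password("1", "natapassword"))
```

Two points from the model carry over to the Java provider. First, because the service offers no lookup by username, getUserByUsername has to list every user; that is fine for a workshop but scales badly, so a production store should expose a username endpoint. Second, this API hands the password field to the caller, so the provider, not the store, does the comparison; a store that verifies credentials on its own side (the provider posts the candidate and receives only yes/no) keeps plaintext passwords from ever reaching the SSO server.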

  • Click demo-user-provider.

(Screenshot: user storage spi provider listed)
  • Verify that it is Enabled and click Save.

(Screenshot: add new user storage spi)
(Screenshot: custom user storage spi enabled)
  • Click Users. The external storage users should now be loaded into Red Hat Single Sign-On.

(Screenshot: users loaded)