PKI sign-on to CloudForms using RH SSO 7.2 – Part 2 of 2

In the previous post, we looked at configuring SSO 7.2 for mutual TLS, requesting a user certificate that is validated against a configured trust store.

In this post we’ll look at the second half of that task – configuring CloudForms for SAML authentication and enabling the X.509 Browser Flow in SSO.


PKI sign-on to CloudForms using RH SSO 7.2 – Part 1 of 2

(Part 2 is available here!)

With the advent of Public Key Infrastructure across organisations, it became possible to authenticate a user based on the certificate they provide. Red Hat Single Sign On 7.2 is able to authenticate users based on a provided certificate, matching some value from the certificate (e.g. CN, email) against RH SSO’s internal database of users.

When combined with the Security Assertion Markup Language (SAML) authentication out-of-the-box in CloudForms, we can achieve passwordless, certificate-based sign on to CloudForms.

There are three main areas to this configuration:

  1. Configuring RH SSO 7.2 for mutual TLS, requesting a client certificate.
  2. Configuring CloudForms for SAML against RH SSO 7.2.
  3. Enabling the X.509 browser authentication flow in RH SSO 7.2.

Step 1 is the focus of this blog post. Steps 2 and 3 will follow in the next post.


Automation of CloudForms appliance setup with Ansible

CloudForms ships as an appliance as a means of greatly minimising the deployment and configuration required. Whilst this deployment method removes a substantial amount of complexity by shipping with all packages and configuration needed to get a working appliance in a very short time, it isn’t entirely without human intervention.

At a minimum you will need to:

  1. Set hostname and network configuration, particularly if you wish to use a static IP address.
  2. Create a new Virtual Management Database (VMDB) and associated Region, or join an existing one.
  3. Configure encryption keys, particularly if you are joining an existing region.
  4. Set up external authentication via IPA, if your deployment method calls for it.
  5. Start the EVM server processes.

These steps can all be performed using the appliance console that ships with the appliance. Unfortunately, this menu-based interface doesn’t lend itself to automation (unless you want to get your hands dirty with expect).

If you’ve got one or two appliances, that’s not a big impost. But if you’ve got 5? 10? Then we start to look at Ansible and think “I wonder if I could automate this?”

Turns out, you can!
