In the previous post, we looked at configuring SSO 7.2 for mutual TLS, requesting a user certificate that is validated against a configured trust store.
In this post we’ll look at the second half of that task – configuring CloudForms for SAML authentication and enabling the X.509 Browser Flow in SSO.
“PKI sign-on to CloudForms using RH SSO 7.2 – Part 2 of 2”
(Part 2 is available here!)
With the advent of Public Key Infrastructure across organisations, it became possible to authenticate a user based on the certificate they provide. Red Hat Single Sign On 7.2 is able to authenticate users based on a provided certificate, matching some value from the certificate (e.g. CN, email) against RH SSO’s internal database of users.
When combined with the Security Assertion Markup Language (SAML) authentication out-of-the-box in CloudForms, we can achieve passwordless, certificate-based sign on to CloudForms.
There are three main areas to this configuration:
- Configuring RH SSO 7.2 for mutual TLS, so that it requests a client certificate.
- Configuring CloudForms for SAML authentication against RH SSO 7.2.
- Enabling the X.509 browser authentication flow in RH SSO 7.2.
Step 1 is the focus of this blog post. Steps 2 and 3 will follow in the next post.
“PKI sign-on to CloudForms using RH SSO 7.2 – Part 1 of 2”
CloudForms ships as an appliance in order to minimise the deployment and configuration required. Whilst this deployment method removes a substantial amount of complexity, shipping with all the packages and configuration needed to get a working appliance in a very short time, it isn’t entirely free of human intervention.
At a minimum you will need to:
- Set hostname and network configuration, particularly if you wish to use a static IP address.
- Create a new Virtual Management Database (VMDB) and associated Region, or join an existing one.
- Configure encryption keys, particularly if you are joining an existing region.
- Set up external authentication via IPA, if your deployment method calls for it.
- Start the EVM server processes.
These steps can all be performed using the appliance console that ships with the appliance. Unfortunately, this menu-based interface doesn’t lend itself to automation (unless you want to get your hands dirty with expect).
If you’ve got one or two appliances that’s not a big impost. But if you’ve got 5? 10? Then we start to look at Ansible and think “I wonder if I could automate this?”
Turns out, you can!
“Automation of CloudForms appliance setup with Ansible”