Cloud Experts Documentation

Configure Red Hat SSO with Microsoft Entra ID as a Federated Identity Provider

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

This guide demonstrates how to install and configure Red Hat SSO (Keycloak) into an Azure Red Hat OpenShift (ARO) cluster. It also configures the ARO cluster to use the SSO server as a login mechanism by way of the OIDC protocol. In addition, Red Hat SSO can federate user identities with other identity providers. We will use Azure AD as an additional identity provider to show how this can be done.

This guide will walk through the following steps:

  1. Install Red Hat SSO into an ARO cluster
  2. Configure Azure AD
  3. Configure Azure AD as an identity provider in Red Hat SSO
  4. Integrate ARO with Red Hat SSO for authentication

Before you Begin

  1. Please review the Official Red Hat SSO Operator Documentation on this topic.
  2. Please ensure you have stood up an ARO cluster. See the Quick Start to get started if needed.

NOTE: there is also a Keycloak operator which is community supported. This is not covered as part of this documentation; however, if desired, you may use the Keycloak operator instead. Please understand that the Keycloak operator does not have the same functionality and offers different API schemas and a different set of custom resources. For more information on the Keycloak operator, please visit https://www.keycloak.org/operator/installation.

Set the Environment

Set the environment variables needed in the following steps:

Deploy the Operator

Create a project where your operator will be installed to:

To install, first create an Operator Group for the operator:

Next, install the subscription:

Deploy the Database (Optional)

It may be desirable to keep database management, including backups and persistence, outside of the OpenShift cluster. If this is the desired configuration, you can create an Azure Postgres DB instance to store your Red Hat SSO data.

For reference, please see https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-configure-privatelink-cli.

First, create the database:

NOTE: Below is only a sample; be sure to replace the arguments with your desired options.

Create a private endpoint to restrict network access to private connectivity only:

Configure the private DNS zone for the private link connection:

Retrieve the private IP from the private link connection:

Create the DNS records for the private link connection:

Deploy the Server

With External Database

If you deployed an external database, then you can create the server and use the existing database. Otherwise, proceed to creating the server with an internal database.

  1. Create the secret with the credential information:
  2. Deploy the server:

With Internal Database

Be sure to skip this step if you deployed an external database.

If you are deploying the server using an internal database, you can simply deploy the resource as follows, which creates the server as well as an instance of PostgreSQL within your cluster as the backend database for the server:
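The following is an added, constructed example (not the original page's own manifests) of the two server variants above: the database credential Secret the Red Hat SSO operator reads for an external database, followed by the Keycloak custom resource. The Secret name keycloak-db-secret and its keys are the operator's convention; the namespace, hostname, database name and credentials are placeholders, and for the internal-database variant you set externalDatabase.enabled to false and omit the Secret.

```yaml
# Constructed example: credential Secret for an external Azure Postgres instance.
# Apply it in the same project as the operator before creating the Keycloak CR.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret          # fixed name expected by the operator
  namespace: rh-sso                 # placeholder: the project the operator was installed into
type: Opaque
stringData:
  POSTGRES_DATABASE: rhsso                                   # placeholder database name
  POSTGRES_EXTERNAL_ADDRESS: rhsso-db.privatelink.example    # placeholder: private DNS name of the private link
  POSTGRES_EXTERNAL_PORT: "5432"
  POSTGRES_USERNAME: rhsso@rhsso-db                          # placeholder (Azure single-server user@server form)
  POSTGRES_PASSWORD: REPLACE_ME                              # placeholder; never commit a real value
  SSLMODE: require                                           # require TLS to the database
---
# Constructed example: the Red Hat SSO server itself.
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: rh-sso                      # placeholder; the admin credentials land in Secret credential-rh-sso
  namespace: rh-sso
  labels:
    app: sso                        # matched by instanceSelector in the KeycloakRealm later on
spec:
  instances: 1
  externalAccess:
    enabled: true                   # operator exposes the server through an OpenShift Route
  externalDatabase:
    enabled: true                   # false (or omitted): operator runs PostgreSQL in-cluster instead
```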

Retrieve Information About Red Hat SSO Installation

IMPORTANT: this sets environment variables based on the installation that are needed in future steps.

Configure Red Hat SSO

Configure Red Hat SSO as an OIDC Identity Provider for ARO (UI Method)

This method walks you through configuring Red Hat SSO as an OIDC provider by using the user interface. If you would like to control your configuration via Kubernetes custom resources, please review the CRD Method instead.

  1. Login to the host from the ADMIN_CONSOLE environment variable set in the previous step using the ADMIN_USERNAME and ADMIN_PASSWORD:
Login Screen
  2. Add a new realm by navigating to the top left corner, hovering over the Master realm (default) and clicking Add realm:
Add realm
  3. Enter your desired realm name and make note of it, as it will be used in the URLs for this realm. Be sure that Enabled is set to ON and then click Create:
Create realm
  4. Create a new client for OIDC authentication by navigating to Clients > Create and input your Client ID. Also make sure that the Client Protocol is set to openid-connect. Make note of the client ID, as it will be used when configuring ARO to authenticate against the Red Hat SSO server. Once done, click Save:
Create client
  5. Configure the new client by setting the following values in the Settings tab. Be sure to Save before heading to the next step, as these settings will create extra tabs in the UI for configuration:
  • Login Theme: rh-sso
  • Access Type: confidential
  • Implicit Flow Enabled: ON
  • Service Accounts Enabled: ON
  • Valid Redirect URIs: <Value of $CALLBACK_URL_BASE from above>/ui. Note that /ui is a custom unique suffix that is tied to the name of the identity provider entry in the OpenShift OAuth resource
  • Web Origins: /*
Client settings
  6. Ensure the Credentials tab has the following settings. Be sure to capture the Secret value for use in the next step:
  • Client Authenticator: Client Id and Secret
  • Secret: <This secret is used to configure the IDP in OpenShift>. Note that the image below is redacted.
Client credentials
  7. Create the client secret. This is needed for the OAuth OpenShift resource to correctly create the Red Hat SSO IDP as an OIDC provider:
  8. Create a user for authentication by navigating to Users > Add User, fill in the information and click Save. Ensure this user is Enabled:
User create
  9. Set a password for the user in the Credentials tab for the user you created. Be sure Temporary is set to OFF and then click Set Password:
User credentials create

Configure Red Hat SSO as an OIDC Identity Provider for ARO (CRD Method)

This method walks you through configuring Red Hat SSO as an OIDC provider by using native Kubernetes CRDs. If you would like to control your configuration via the user interface instead, please review the UI Method.

  1. Create the realm:
  2. Create the client:
  3. Create the client secret. This is needed for the OAuth OpenShift resource to correctly create the Red Hat SSO IDP as an OIDC provider:
  4. Create a user for authentication:
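As an added, constructed example of steps 1, 2 and 4 above (not the page's own manifests), the realm, client and user expressed as Red Hat SSO operator custom resources. The realm name aro, client ID aro-crd, user demo, the cluster OAuth hostname and the label app: sso are placeholders; apply the resources in the operator's project. The client mirrors the settings of the UI method: confidential, implicit flow and service accounts enabled, and a redirect URI whose /crd suffix must equal the identity provider name used later in the OpenShift OAuth resource.

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  name: aro
  labels:
    app: sso                          # matched by realmSelector below
spec:
  realm:
    id: aro
    realm: aro                        # appears in the issuer URL: /auth/realms/aro
    enabled: true
  instanceSelector:
    matchLabels:
      app: sso                        # selects the Keycloak CR created earlier
---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: aro-crd
spec:
  realmSelector:
    matchLabels:
      app: sso
  client:
    clientId: aro-crd
    secret: REPLACE_ME                # placeholder; the same value goes into the openshift-config Secret
    protocol: openid-connect
    clientAuthenticatorType: client-secret
    publicClient: false               # confidential client: the secret is required to exchange codes
    implicitFlowEnabled: true
    serviceAccountsEnabled: true
    # Exact callback only, no wildcard: the suffix equals the OAuth identity provider name.
    redirectUris: ["https://oauth-openshift.apps.example.com/oauth2callback/crd"]   # placeholder host
    webOrigins: ["/*"]
---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakUser
metadata:
  name: demo
spec:
  realmSelector:
    matchLabels:
      app: sso
  user:
    username: demo
    enabled: true
    credentials:
      - type: password
        value: REPLACE_ME             # placeholder; rotate after first login
```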

Configure OpenShift

Configure OAuth Resource

If you used the UI Method then you can update your OAuth resource as follows. Take note that if you have other identity providers configured here, you will want to ensure that you only add a new identity provider to the YAML rather than replace it.

If you used the CRD Method then you can update your OAuth resource as follows. Take note that if you have other identity providers configured here, you will want to ensure that you only add a new identity provider to the YAML rather than replace it.
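An added, constructed example (not the page's own YAML) of the resources these two paragraphs refer to, written for the CRD-method client: the Secret in openshift-config that holds the client secret copied from Red Hat SSO, and the cluster OAuth resource with one OpenID identity provider. The names rhsso-crd-client-secret, aro-crd, the realm aro and the SSO hostname are placeholders; if other identity providers already exist, append the new entry to identityProviders instead of applying this spec as a whole.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: rhsso-crd-client-secret       # placeholder; referenced by clientSecret.name below
  namespace: openshift-config         # identity provider secrets must live in this namespace
type: Opaque
stringData:
  clientSecret: REPLACE_ME            # placeholder: the Secret value from the Keycloak client
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: crd                       # yields the /oauth2callback/crd suffix of the redirect URI
      mappingMethod: claim            # fail rather than merge if an identity maps to an existing user
      type: OpenID
      openID:
        clientID: aro-crd             # placeholder: the Keycloak client ID
        clientSecret:
          name: rhsso-crd-client-secret
        # Placeholder: <host of ADMIN_CONSOLE>/auth/realms/<realm>; discovery is fetched from
        # <issuer>/.well-known/openid-configuration, so the host must serve a trusted certificate.
        issuer: https://sso.apps.example.com/auth/realms/aro
        claims:
          preferredUsername:
            - preferred_username
          name:
            - name
          email:
            - email
```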

Test Login to OpenShift

IMPORTANT: It takes a few minutes for the above configuration to be applied to the cluster. This is because the authentication operator has to reconfigure and reconcile the pods that are responsible for authentication to the cluster.

In a web browser, navigate to the Azure Red Hat OpenShift login page. You should have this value stored in the environment as the AZ_CONSOLE variable from this step.

NOTE: The image below shows both the crd and ui profiles because this documentation was put together while doing both side-by-side. You should see one or the other.

Login Page

Select the appropriate provider, and input your username and password:

Login Page

Congratulations, you are now logged into the OpenShift Console with your user! Let’s take a look at the identities in the cluster:

Just a reminder that you only have Developer permissions when logged in at this point. If you need this user to have elevated permissions within OpenShift, you can use standard Kubernetes RBAC procedures to assign permissions to your user.

Configure Azure AD

  1. Login to the Red Hat SSO UI, navigate to your realm, and select Identity Providers > Add Provider > Microsoft:
Add Microsoft
  2. Capture the Redirect URI from this screen. You will need it to register Red Hat SSO as an application in Azure AD. Once you have captured the URI, leave this screen up while we configure Azure AD:
Microsoft Redirect URI
  3. Register an application in Azure AD for Red Hat SSO. Be sure to use the redirect URI captured in the last step when setting this up. Also be sure to take note of the client ID and client secret, as those will be used to finish configuration in Red Hat SSO.
  4. Enable optional claims and enable the necessary Microsoft Graph permissions.
  5. Input the client ID and client secret from the application registration into the identity provider:

Microsoft Redirect URI

Test Login to OpenShift with Azure AD Credentials

In a web browser, navigate to the Azure Red Hat OpenShift login page. You should have this value stored in the environment as the AZ_CONSOLE variable from this step.

NOTE: The image below shows both the crd and ui profiles because this documentation was put together while doing both side-by-side. You should see one or the other.

Login Page

Select the appropriate provider. You should now see an option to login with your Microsoft credentials:

Microsoft Login Page

Congratulations, you are now logged into the OpenShift Console with your Azure AD user, using Red Hat SSO as a federated identity source! Let’s take a look at the identities in the cluster:

Just a reminder that you only have Developer permissions when logged in at this point. If you need this user to have elevated permissions within OpenShift, you can use standard Kubernetes RBAC procedures to assign permissions to your user.

© 2023 Red Hat, Inc.