IWA alternative on Linux RHEL 8

ayouuuuub (New Member, joined Oct 27, 2023)
I have a Windows server configured with ADFS, which is used as the IdP with SAML in Keycloak for my application. I'm also using ADFS device authentication, so I can log in to my apps using my session credentials. On Windows it works fine; I want to do the same from a Linux RHEL 8 workstation. What is the best approach to do that? I already configured SSSD and PAM so I can log in with AD users on the GUI, but I'm missing the part that maps the session credentials to ADFS.
 


To enable Single Sign-On (SSO) with ADFS and SAML from a Linux (RHEL 8) workstation, you'll need to use SAML-based authentication. Since you've already configured SSSD and PAM for user authentication, the main task remaining is to set up SAML authentication with ADFS. Here's a high-level overview of the steps you need to follow:

Install and Configure SAML Authentication Software:

You need to install a SAML client library and configure it to work with your ADFS server. The most commonly used library is mod_auth_mellon for Apache. If you're using a different web server or application, there might be alternative libraries or configurations.

Install mod_auth_mellon:

sudo dnf install mod_auth_mellon
Configure mod_auth_mellon:

Edit the mod_auth_mellon configuration file. This file may be located at /etc/httpd/conf.d/mellon.conf:

sudo nano /etc/httpd/conf.d/mellon.conf
Here's a basic configuration:

<Location /your-sso-endpoint>
    AuthType "Mellon"
    # "auth" makes Mellon enforce a login; "info" would only export attributes
    MellonEnable "auth"
    MellonSPPrivateKeyFile /etc/httpd/sso/your-sp-key.key
    MellonSPCertFile /etc/httpd/sso/your-sp-cert.crt
    # IdP metadata downloaded from ADFS (directive name is MellonIdPMetadataFile)
    MellonIdPMetadataFile /etc/httpd/sso/adfs-metadata.xml
    MellonEndpointPath /your-sso-endpoint
    # Attribute that becomes REMOTE_USER; here the ADFS "name" claim
    MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    # Mark the session cookie HttpOnly and Secure (HTTPS only)
    MellonSecureCookie On
    # Apache 2.4 still needs an authorization rule to grant access
    Require valid-user
</Location>
Modify the paths and options according to your setup.

Download ADFS Metadata:

Download the ADFS metadata XML file and place it in the location specified in the Mellon configuration. You can usually access the metadata via a URL like https://your-adfs-server/FederationMetadata/2007-06/FederationMetadata.xml.

Enable and Start Apache:

Enable and start the Apache web server, which is configured to use mod_auth_mellon.

sudo systemctl enable httpd
sudo systemctl start httpd
 
@dos2unix, I have some applications running on JBoss, but many others are OSGi-rich client apps, and all of them rely on Keycloak for authentication. If I understand correctly, I don't believe this approach will work for all my applications
 
It depends. For example, looking at this from a client workstation point of view: if I use the same account to log in to the computer, to start MS Office (the web version on Linux), to start MS Teams, to log in to my Azure account, and to log in to GitHub, I can use the same account and the same auth mechanism.

You can install and run keycloak on Linux,


However, I'm not sure what you are trying to do here. Most server applications themselves don't use SSO for the accounts they run under; that doesn't really make sense. So then, are you trying to proxy logins using Active Directory to log in to your applications? If so, that is a whole other can of worms. It can be done, but generally you have to write back-end code to do this. I know of no Java application that does this natively, but there are certainly Java libraries that support using it. You would also need admin privileges (or someone who has them) to add your application's credentials to the Active Directory domain. Usually this is done with SAML libraries and configurations that would be needed for every separate application.
 
Yes, exactly. I need my apps to log in using AD through Keycloak. For now my applications get the token from Keycloak, and then I can use the same JWT for all my apps. For that I want to use something like SAML, so I have SSO enabled for all of them with the same configuration.
I found Kerberos (SPNEGO authentication), but I'm getting this error ("Kerberos is not set up. You cannot login"); in Wireshark I see krb5kdc_err_s_principal_unknown. I don't know what's missing. This is the guide I followed: https://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
 
Do you have realmd and pam_krb5 installed? (At least krb5-libs.) Depending on the application you might also need sssd-krb5 and heimdal-server.

I don't know exactly what apps you are using, but if you just do a "yum search kerberos" it will likely list quite a few packages; the descriptions will tell you what makes sense to install. We use something called ipsilon-saml2. I don't use RHEL 8 anymore, and I know a few things have changed. - https://access.redhat.com/documenta...-management_considerations-in-adopting-rhel-8

For example, you may not need the python, ruby and golang bindings.
 
Yes, I have realmd and krb5 installed and configured. Here's what I have done till now:
installed these dependencies:
yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd sssd-ad sssd-tools pam adcli krb5-workstation nscd
added the machine to the realm domain.company.com, then configured sssd and pam so I can log in using my AD users.
This is my sssd.conf:
Code:
[sssd]
domains = domain.company.com
config_file_version = 2
services = nss, pam


[nss]
filter_users = root
filter_groups = root


[domain/domain.company.com]
ad_server = domain.company.com
ad_domain = domain.company.com
krb5_realm = DOMAIN.COMPANY.COM
krb5_kdcip = WIN-ADMACHINE.domain.company.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
chpass_provider = ad
ad_server = WIN-ADMACHINE.domain.company.com
ad_domain = domain.company.com
ad_hostname = linuxAdfs.domain.company.com
then I configured my krb5.conf

Code:
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    forwardable = true
    clockskew = 300
    rdns = false
    kdc_timesync = 0
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_ccache_name = KEYRING:persistent:%{uid}
    default_realm = DOMAIN.COMPANY.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d
    udp_preference_limit = 0


[realms]
 DOMAIN.COMPANY.COM = {
    kdc = WIN-ADMACHINE.domain.company.com:88
    admin_server = WIN-ADMACHINE.domain.company.com
    default_domain = domain.company.com
 }

[domain_realm]
 .domain.company.com = DOMAIN.COMPANY.COM
 domain.company.com = DOMAIN.COMPANY.COM
On my Windows server I generated the keytab:
ktpass -princ SSO-KEYCLOAK/[email protected] -mapuser kkeycloak -pass 'password' -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

On Keycloak I have an AD user federation which imports the AD users, and I added a Kerberos user federation:
Realm: DOMAIN.COMPANY.COM
Service Principal: SSO-KEYCLOAK/[email protected]
keytab: /path/to/krb5.keytab

and I added a Kerberos execution as required in my browser authentication flow.

I can log in with my AD user using xrdp, then create a ticket with kinit [email protected]; klist returns a valid ticket.
But when testing, my apps redirect to Keycloak for login, which then returns the message "Kerberos is not set up. You cannot login."
When analyzing the network, I can see the error krb5kdc_err_s_principal_unknown; in the Keycloak logs I can see that SPNEGO is sending back WWW-Authenticate: Negotiate.
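KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is the KDC's answer when the client asks for a service ticket for a principal that does not exist in the realm. For SPNEGO in a browser, the principal requested is derived from the URL being visited: HTTP/<hostname>@REALM. A quick check a practitioner can run on the Keycloak host is therefore to derive that expected name from the service URL and confirm the keytab actually contains it. The script below is an added example, not code from the thread or from Keycloak. The `klist -kt` output embedded in it is a constructed sample using example.com names, chosen to show the mismatch case (a keytab registered under a custom service name rather than HTTP/<fqdn>); on a real host the same parser is fed the live output of `klist -kt /path/to/krb5.keytab`.

```python
"""Check that a SPNEGO service keytab holds the principal a browser will request.

Added example (not from the thread or from Keycloak). Browsers negotiate for
HTTP/<hostname-from-URL>@REALM; if the keytab (and the KDC) only know a different
service name, the KDC replies KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
"""
import re
import shutil
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample of `klist -kt` output (example.com names). The keytab registers
# the service as SSO-KEYCLOAK/<fqdn>, not as HTTP/<fqdn>.
SAMPLE_KLIST = """Keytab name: FILE:/etc/keycloak/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/27/2023 10:12:03 SSO-KEYCLOAK/sso.example.com@EXAMPLE.COM
"""

# One keytab entry per line: KVNO, date, time, principal. Header/separator lines
# do not start with a number and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def expected_spn(service_url: str, realm: str) -> str:
    """Principal a SPNEGO client asks for when visiting service_url in realm."""
    host = urlsplit(service_url).hostname
    if not host:
        raise ValueError("no hostname in %r" % service_url)
    # Host part is conventionally lowercase; realm names are uppercase.
    return "HTTP/%s@%s" % (host.lower(), realm.upper())


def parse_klist(output: str) -> list:
    """Return the principals listed by `klist -kt`, in order, duplicates kept."""
    principals = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            principals.append(m.group(2))
    return principals


def check_keytab(klist_output: str, service_url: str, realm: str) -> dict:
    """Compare the principal the browser will request with what the keytab holds."""
    want = expected_spn(service_url, realm)
    have = parse_klist(klist_output)
    # Principal names are case-sensitive in Kerberos, so compare exactly.
    return {"expected": want, "present": want in have, "keytab_principals": have}


def main(argv) -> int:
    if len(argv) != 4:
        print("usage: %s KEYTAB SERVICE_URL REALM" % argv[0], file=sys.stderr)
        return 2
    keytab, url, realm = argv[1:]
    if shutil.which("klist") is None:
        print("klist not found; install krb5-workstation", file=sys.stderr)
        return 2
    out = subprocess.run(["klist", "-kt", keytab], capture_output=True,
                         text=True, check=True).stdout
    result = check_keytab(out, url, realm)
    print("browser will request:", result["expected"])
    print("keytab contains:     ", ", ".join(result["keytab_principals"]) or "(nothing)")
    print("match:" if result["present"] else "MISMATCH: expect KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN")
    return 0 if result["present"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_spn.py /path/to/krb5.keytab https://<keycloak-host>/ DOMAIN.COMPANY.COM`. The hostname compared is the one in the URL as typed; with `rdns = false` in krb5.conf the client does not rewrite it via reverse DNS, so the keytab entry has to match that name exactly (the realm half is case-sensitive).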
 