Im having a windows server configured with an adfs, which is used as Idp with saml in keycloak for my application, then I'm using adfs Device authentication, so I can login to my apps using my session credentials, on windows it works fine, I want to do the same from a Linux rhel 8 workstation, what is the best approach to do that? I already configured sssd and Pam so I can login with ad users on GUI but I'm missing the part to map the session credentials to adfs.
IWA alternative on Linux RHEL 8
To enable Single Sign-On (SSO) with ADFS and SAML from a Linux (RHEL 8) workstation, you'll need to use SAML-based authentication. Since you've already configured SSSD and PAM for user authentication, the main task remaining is to set up SAML authentication with ADFS. Here's a high-level overview of the steps you need to follow:
Install and Configure SAML Authentication Software:
You need to install a SAML client library and configure it to work with your ADFS server. The most commonly used library is mod_auth_mellon for Apache. If you're using a different web server or application, there might be alternative libraries or configurations.
Install mod_auth_mellon:
sudo dnf install mod_auth_mellon
Configure mod_auth_mellon:
Edit the mod_auth_mellon configuration file. This file may be located at /etc/httpd/conf.d/mellon.conf:
sudo nano /etc/httpd/conf.d/mellon.conf
Here's a basic configuration:
<Location /your-sso-endpoint>
AuthType "Mellon"
MellonSPPrivateKeyFile /etc/httpd/sso/your-sp-key.key
MellonSPCertFile /etc/httpd/sso/your-sp-cert.crt
MellonIdPMetadata /etc/httpd/sso/adfs-metadata.xml
MellonEndpointPath /your-sso-endpoint
MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
MellonValid 1
Mellonsecure 1
</Location>
Modify the paths and options according to your setup.
Download ADFS Metadata:
Download the ADFS metadata XML file and place it in the location specified in the Mellon configuration. You can usually access the metadata via a URL like https://your-adfs-server/FederationMetadata/2007-06/FederationMetadata.xml.
Enable and Start Apache:
Enable and start the Apache web server, which is configured to use mod_auth_mellon.
sudo systemctl enable httpd
sudo systemctl start httpd
Install and Configure SAML Authentication Software:
You need to install a SAML client library and configure it to work with your ADFS server. The most commonly used library is mod_auth_mellon for Apache. If you're using a different web server or application, there might be alternative libraries or configurations.
Install mod_auth_mellon:
sudo dnf install mod_auth_mellon
Configure mod_auth_mellon:
Edit the mod_auth_mellon configuration file. This file may be located at /etc/httpd/conf.d/mellon.conf:
sudo nano /etc/httpd/conf.d/mellon.conf
Here's a basic configuration:
<Location /your-sso-endpoint>
AuthType "Mellon"
MellonSPPrivateKeyFile /etc/httpd/sso/your-sp-key.key
MellonSPCertFile /etc/httpd/sso/your-sp-cert.crt
MellonIdPMetadata /etc/httpd/sso/adfs-metadata.xml
MellonEndpointPath /your-sso-endpoint
MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
MellonValid 1
Mellonsecure 1
</Location>
Modify the paths and options according to your setup.
Download ADFS Metadata:
Download the ADFS metadata XML file and place it in the location specified in the Mellon configuration. You can usually access the metadata via a URL like https://your-adfs-server/FederationMetadata/2007-06/FederationMetadata.xml.
Enable and Start Apache:
Enable and start the Apache web server, which is configured to use mod_auth_mellon.
sudo systemctl enable httpd
sudo systemctl start httpd
Last edited:
@dos2unix, I have some applications running on JBoss, but many others are OSGi-rich client apps, and all of them rely on Keycloak for authentication. If I understand correctly, I don't believe this approach will work for all my applications
It depends, for example. Looking at this from a client workstation point of view, if I use the same account to login to
the computer, to start MS office ( the web version on Linux ) to start MS teams, login to my Azure account, and login
to Github, I can use the same account and same auth mechanism.
You can install and run keycloak on Linux,
Olvid - Keycloak Configuration Guide
www.olvid.io
However I'm not sure what you are trying to do here. Most server applications themselves don't use SSO for the accounts
they run under. That doesn't really make sense. So then, are you trying to proxy logins using Active directory to login
to your applications? If so, that is a whole other can of worms, it can be done, but generally you to write back end code
to do this, I know of no Java application that does this natively, but there are certainly Java libraries that support using it.
You would also need admin priveleges ( or someone who has them ) to add your applications credentials to the
Active Directory domain. Usually this is done with SAML libraries and configurations that would be needed for every separate
application.
Yes exactly, I need my apps to login using AD through Keycloak, for now my applications are getting the token from keycloak then I can use the same JWT for all my apps, for that I want to use something like SAML, so I have SSO enabled for all of them with same configuration.
I found Kerberos(SPNEGO authentication), but I'm having this error (Kerberos is not set up. You cannot login), on wireshark I got krb5kdc_err_s_principal_unknown, I don't know what's missing, this is the guide I followed https://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
I found Kerberos(SPNEGO authentication), but I'm having this error (Kerberos is not set up. You cannot login), on wireshark I got krb5kdc_err_s_principal_unknown, I don't know what's missing, this is the guide I followed https://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
Do you have realmd and pam_krb5 installed? ( At least the krb5_libs )
Depending on the application you might also need sssd-krb5 and heimdal-server.
I don't know exactly what apps you are using, but if you just do a "yum search kerberos"
it will likely list quite a few packages, the descriptions will tell you what makes sense to install.
We use something called ipsilon-saml2. I don't use rhel8 anymore, and I know a few things have
changed. - https://access.redhat.com/documenta...-management_considerations-in-adopting-rhel-8
For example, you may not need the python, ruby and golang bindings.
Depending on the application you might also need sssd-krb5 and heimdal-server.
I don't know exactly what apps you are using, but if you just do a "yum search kerberos"
it will likely list quite a few packages, the descriptions will tell you what makes sense to install.
We use something called ipsilon-saml2. I don't use rhel8 anymore, and I know a few things have
changed. - https://access.redhat.com/documenta...-management_considerations-in-adopting-rhel-8
For example, you may not need the python, ruby and golang bindings.
Yes I have realmd and krb5 installed and configured, here's what I have done till now:
installed those dependencies
yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd sssd-ad sssd-tools pam adcli krb5-workstation nscd
added the machine to realm domain.company.com then configured sssd and pam so I can login using my ad users
this is my sssd.conf
then I configured my krb5.conf
on my windows server i generated the keytab:
ktpass -princ SSO-KEYCLOAK/[email protected] -mapuser kkeycloak -pass 'password' -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
on keycloak I have AD user federartion which import AD users, and I added a kerberos user federation:
REALM: DOMAIN.COMPANY.COM
Service Principale: SSO-KEYCLOAK/[email protected]
keytab: /path/to/krb5.keytab
and I added a Kerberos execution as required, in my browser authentication flow
I can login with my ad user using xrdp, then create ticket with kinit [email protected], klist is returning a valid ticket.
but when testing, my apps redirect to keycloak for login but returning then the message Kerberos is not set up. You cannot login.
when analyzing the network, I can see the error message krb5kdc_err_s_principal_unknown, on keycloak logs I can see that SPNEGO Sending back WWW-Authenticate: Negotiate.
installed those dependencies
yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd sssd-ad sssd-tools pam adcli krb5-workstation nscd
added the machine to realm domain.company.com then configured sssd and pam so I can login using my ad users
this is my sssd.conf
Code:
[sssd]
domains = domain.company.com
config_file_version = 2
services = nss, pam
[nss]
filter_users = root
filter_groups = root
[domain/domain.company.com]
ad_server = domain.company.com
ad_domain = domain.company.com
krb5_realm = DOMAIN.COMPANY.COM
krb5_kdcip = WIN-ADMACHINE.domain.company.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
chpass_provider = ad
ad_server = WIN-ADMACHINE.domain.company.com
ad_domain = domain.company.com
ad_hostname = linuxAdfs.domain.company.com
Code:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
forwardable = true
clockskew = 300
rdns = false
kdc_timesync = 0
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.COMPANY.COM
ticket_lifetime = 24h
renew_lifetime = 7d
udp_preference_limit = 0
[realms]
DOMAIN.COMPANY.COM = {
kdc = WIN-ADMACHINE.domain.company.com:88
admin_server = WIN-ADMACHINE.domain.company.com
default_domain = domain.company.com
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COMktpass -princ SSO-KEYCLOAK/[email protected] -mapuser kkeycloak -pass 'password' -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
on keycloak I have AD user federartion which import AD users, and I added a kerberos user federation:
REALM: DOMAIN.COMPANY.COM
Service Principale: SSO-KEYCLOAK/[email protected]
keytab: /path/to/krb5.keytab
and I added a Kerberos execution as required, in my browser authentication flow
I can login with my ad user using xrdp, then create ticket with kinit [email protected], klist is returning a valid ticket.
but when testing, my apps redirect to keycloak for login but returning then the message Kerberos is not set up. You cannot login.
when analyzing the network, I can see the error message krb5kdc_err_s_principal_unknown, on keycloak logs I can see that SPNEGO Sending back WWW-Authenticate: Negotiate.
Last edited:
