Troubleshooting Hybrid Cloud Console Identity Provider Integration

The Red Hat Hybrid Cloud Console (HCC) provides a self-service interface that allows you to integrate a third-party identity provider (IdP), so that your users log into Red Hat services through your organization's single sign-on (SSO) solution.

The IdP integration tool provides visibility into problems that prevent successful integration. However, some problems require additional investigation.

Troubleshooting Tips

If your IdP integration is not successful, try these troubleshooting tips.

  1. Confirm that you have set up the URLs that the IdP integration tool provides in your company's identity provider. The URLs are the following:
    a) Redirect URL. The Redirect URL might be referred to as the Assertion Consumer Service (ACS) URL in your IdP solution.
    b) An additional URL, depending on the protocol you have selected:
       - For SAML, a Service Provider Metadata URL
       - For OIDC, an OIDC Discovery endpoint. This endpoint can also be referred to as a .well-known endpoint
    c) The IdP integration tool provides both of these URLs in the initial configuration wizard as well as on the main configuration page itself. Every SSO solution is a little bit different in how these URLs are configured. If you are in doubt, consult the documentation for your SSO solution.

  2. If you use OIDC and are experiencing issues, confirm that there are no network restrictions that might prevent your SSO application from receiving network requests. In an OIDC IdP integration, the authenticating user is redirected back to the Red Hat SSO server with an authorization code, and the Red Hat SSO server then contacts your SSO server directly to exchange that code for a token. In some cases, companies have a firewall or other policies in place that prevent this code-for-token exchange from happening.
    - If these restrictions cannot be lifted, consider using SAML as an alternative. The SAML authentication flow is handled entirely within the end user's web browser and requires no server-to-server communication.

  3. Your identity provider solution must follow best-practice guidelines.
    a) SAML implementations must, at a minimum, sign assertions; encryption is not required. You will need to provide the x509 certificate corresponding to the key that signs the assertions, so that the signature can be verified.
    b) OIDC implementations are expected to sign tokens. You will need to provide the x509 certificate corresponding to the key that signs the tokens.

  4. Some popular browser plugins (such as SAML-tracer) can be used to trace the requests passing through your web browser. These tracers can help you identify where in the authentication flow the integration issue occurs.

SAML configuration details (Red Hat SSO system defaults and expectations)

SSO initiation type - the Red Hat identity system supports Service Provider-initiated single sign-on. We do not support IdP-initiated single sign-on.
SSO binding - Currently we only allow POST for newly created IdPs.
Name ID - Red Hat expects an ID of some sort that will allow for persistent identification of authenticating users. However, it is up to you to determine what sort of identifier you wish to use. This could be a UUID, an email address, a username, etc.
Other required attributes - We do not require any other attributes to be provided for authenticating users.
ACS URL - This is provided by the Identity Provider Integration tool after a customer has completed the initial setup for their IdP. We will also provide a link to our SAML metadata URL that the customer can bind with if they so choose (this would allow for them to review the configured IdP in-depth).
Assertion Signing - We require that integrating customers and partners sign their assertions. We require that a valid x509 certificate is provided during IdP configuration that can be used to verify the assertion signature.
Response/Assertion Encryption - Encryption is not currently enforced, but as long as a valid x509 cert is provided we will be able to decrypt responses/assertions.
AuthN Signing Requests - Red Hat signs AuthN requests. We would encourage integrating parties to verify this signature. The key we use to do this will be discoverable in the SAML metadata that we provide (mentioned above, this will be presented after the IdP has been created).
Federated Logout - Red Hat does not currently support any federated logout options. Supporting it would result in your users being logged out of both Red Hat and your company's SSO if they were to "log out" of a Red Hat service or application.
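As an added example (not part of this article or of any Red Hat tool), the following Python script decodes a SAMLResponse captured with a browser tracer such as SAML-tracer and checks the points listed above: that an Assertion is present and signed, that it carries a NameID, and that the embedded signing certificate matches the x509 certificate uploaded in the IdP integration tool. The sample response and certificate bytes are constructed placeholders, and the script checks structure only; it does not cryptographically verify the XML signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate (PEM body or X509Certificate text)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def inspect_saml_response(saml_response_b64: str, expected_cert_b64: str) -> dict:
    """Decode a SAMLResponse form field (as captured with SAML-tracer) and report what
    Red Hat SSO expects: a signed Assertion carrying a NameID, signed with the same
    certificate that was uploaded in the IdP integration tool. This is a structural
    check only; it does not cryptographically verify the XML signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    report = {
        "assertion_present": assertion is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False, "name_id": None, "cert_matches": False,
    }
    if assertion is None:  # encrypted-only or malformed response: nothing more to inspect
        return report
    sig = assertion.find("ds:Signature", NS)
    report["assertion_signed"] = sig is not None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    report["name_id"] = name_id.text.strip() if name_id is not None and name_id.text else None
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if sig is not None else None
    if cert is not None and cert.text:
        report["cert_matches"] = cert_fingerprint(cert.text) == cert_fingerprint(expected_cert_b64)
    return report

# Constructed sample input: the certificate bytes are a placeholder, not a real X.509
# certificate, and the signature value is a dummy; only the structure is meaningful.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-certificate-bytes").decode()
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_SAML_RESPONSE, FAKE_CERT_B64))
```

A report with `assertion_signed` false or `cert_matches` false points at the IdP's signing configuration; a report with `assertion_present` false and `assertion_encrypted` true means the IdP encrypted the assertion, which the article notes is not required.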
