In this blog, I will explain how to integrate Red Hat Single Sign-On (RH SSO) with the IBM Storage Ceph Dashboard. IBM Storage Ceph lets teams integrate their user federation with its dashboard using the SAML 2.0 protocol, enabling a more unified and secure authentication experience. I will walk you through the configuration steps required on both sides; once complete, users can sign in smoothly and manage their Ceph clusters without juggling multiple credentials.
For this demo, I’ll be using a Red Hat Identity Management server as my user directory and Red Hat Single Sign-On (Keycloak) as my SSO provider.
First, let’s create some users on the RH IdM server so that we can assign roles to them later. You can create users from the Active Users section of Red Hat IdM by clicking the +Add button at the top right of the screen:
Click either Add or Add and Add Another, depending on whether you need to add more users.
Now, let’s configure our RH SSO environment and sync users to RH SSO. First, you need to create a Realm on RH SSO dedicated to Ceph:
Now, navigate to User Federation on the left side menu and add an LDAP Provider to integrate RH IdM with our RH SSO instance. An example LDAP configuration can be found below:
Since I’ve specified the admin as the UID in the Bind DN section, I’ve entered the admin password as the Bind Credential. After entering both the connection and the bind settings, test both the connection and the authentication to make sure your connectivity settings are correct.
Once the LDAP provider has been created successfully, save the settings and synchronize users to import them from RH IdM into RH SSO. When the users have been imported, navigate to the Clients section of RH SSO to create a client for Ceph Dashboard authentication.
Click the Create button at the top right to create your client. The following example shows the client creation settings:
Enter your Ceph SAML 2 metadata URL (https://<<Ceph URL>>:8443/auth/saml2/metadata, which is also the sp entityId shown later by ceph dashboard sso show saml2) as the Client ID and select SAML as the Client Protocol. Make sure the Client ID includes the http(s):// scheme of your Ceph URL. Click Save to continue with the client configuration.
You can find the example configuration settings for a client configuration below:
You can retrieve the Master SAML Processing URL from the Endpoints section of your Realm Settings screen. However, the SAML URL might not be visible on some RH SSO versions. This URL is most likely: https://<<SSO URL>>:8443/auth/realms/<<REALM NAME>>/protocol/saml/descriptor. You can test this by opening the URL in your browser. Also, make sure you turn off the Client Signature Required option, since the Ceph dashboard does not sign its authentication requests (authnRequestsSigned is false in the dashboard’s SAML settings).
After successfully configuring your client, navigate to Client Scopes in the left menu and select role_list from the Client Scopes list:
Navigate to the Mappers tab of the role_list client scope and select role list from the list:
Turn on Single Role Attribute and click Save:
With the SSO configuration done, we can now configure Ceph to use SSO for the dashboard.
You assign roles to users when you create them on the Ceph dashboard side. A user can have the following roles on the Ceph Dashboard:
administrator: Allows full permissions for all security scopes
block-manager: Allows full permissions for rbd-image, rbd-mirroring, and iscsi scopes
cephfs-manager: Allows full permissions for the cephfs scope
cluster-manager: Allows full permissions for the hosts, osd, mon, mgr, and config-opt scopes
ganesha-manager: Allows full permissions for the nfs-ganesha scope
pool-manager: Allows full permissions for the pool scope
read-only: Allows read permission for all security scopes except dashboard settings and config-opt
rgw-manager: Allows full permissions for the rgw scope
In addition to these roles, you can create your own custom roles for the Ceph dashboard. A detailed explanation of Dashboard Users and Roles is available in IBM Docs.
You can create dashboard users from the command line. The password file referenced in the command contains only the user’s password:
ceph dashboard ac-user-create <<username>> -i <<password_file>> <<role>>
An example command that creates a dashboard administrator:
ceph dashboard ac-user-create cephadmin -i pass.txt administrator
This command creates a user called “cephadmin”, reads the user’s password from the pass.txt file and assigns the administrator role to it.
After you’re done creating your dashboard users, you can finally configure Ceph to use Single Sign-On for the dashboard. Note that the users must exist on the Ceph side as well: SSO only authenticates the user, and the dashboard still looks up the SSO username in its own user database to determine the role.
To configure Ceph to use the SSO service, first run the dashboard SSO setup. The arguments are the dashboard base URL, the IdP metadata (descriptor) URL and the IdP attribute that carries the username. An example command is below; run these SSO configuration commands from the Ceph container on your management node:
ceph dashboard sso setup saml2 https://<<Ceph URL>>:8443 https://<<SSO URL>>:8443/auth/realms/Ceph/protocol/saml/descriptor username
You can verify the configuration by running the ceph dashboard sso show saml2 command. In the output, check in particular the sp and idp entityId values, the service URLs under sp and idp, and the idp x509cert field, which must contain the IdP certificate:
[root@ceph1 ~]# ceph dashboard sso show saml2
{
  "onelogin_settings": {
    "sp": {
      "entityId": "https://<<Ceph URL>>:8443/auth/saml2/metadata",
      "assertionConsumerService": {
        "url": "https://<<Ceph URL>>:8443/auth/saml2",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      },
      "attributeConsumingService": {
        "serviceName": "Ceph Dashboard",
        "serviceDescription": "Ceph Dashboard Service",
        "requestedAttributes": [{"name": "username", "isRequired": true}]
      },
      "singleLogoutService": {
        "url": "https://<<Ceph URL>>:8443/auth/saml2/logout",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      },
      "x509cert": "",
      "privateKey": "",
      "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    },
    "security": {
      "nameIdEncrypted": false,
      "authnRequestsSigned": false,
      "logoutRequestSigned": false,
      "logoutResponseSigned": false,
      "signMetadata": false,
      "wantMessagesSigned": false,
      "wantAssertionsSigned": false,
      "wantAssertionsEncrypted": false,
      "wantNameIdEncrypted": false,
      "metadataValidUntil": "",
      "wantAttributeStatement": false,
      "metadataCacheDuration": null,
      "wantNameId": true,
      "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
      "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
      "requestedAuthnContext": true,
      "failOnAuthnContextMismatch": false
    },
    "idp": {
      "entityId": "https://<<SSO URL>>:8443/auth/realms/Ceph",
      "singleSignOnService": {
        "url": "https://<<SSO URL>>:8443/auth/realms/Ceph/protocol/saml",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      },
      "singleLogoutService": {
        "url": "https://<<SSO URL>>:8443/auth/realms/Ceph/protocol/saml",
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      },
      "x509cert": "-----BEGIN CERTIFICATE-----\<<<CERT DETAILS HERE>>>----END CERTIFICATE-----\n",
      "certFingerprint": "",
      "certFingerprintAlgorithm": "sha1"
    }
  }
}
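As an added example (not part of the original post or of Ceph itself), the following Python script parses the JSON printed by ceph dashboard sso show saml2 and reports the fields a reviewer would check: that the sp and idp entityId values match the URLs given to sso setup saml2, that the IdP certificate is present, and which signature requirements are off or still use SHA-1. The embedded sample output and the example host names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `ceph dashboard sso show saml2` output,
# trimmed to the fields the audit reads; host names are placeholders.
SAMPLE_SHOW_OUTPUT = json.dumps({"onelogin_settings": {
    "sp": {"entityId": "https://ceph.example.test:8443/auth/saml2/metadata",
           "assertionConsumerService": {
               "url": "https://ceph.example.test:8443/auth/saml2",
               "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}},
    "security": {"authnRequestsSigned": False, "wantMessagesSigned": False,
                 "wantAssertionsSigned": False, "wantAssertionsEncrypted": False,
                 "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                 "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"},
    "idp": {"entityId": "https://sso.example.test:8443/auth/realms/Ceph",
            "singleSignOnService": {
                "url": "https://sso.example.test:8443/auth/realms/Ceph/protocol/saml",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"},
            "x509cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"},
}})

SHA1_ALGS = ("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1")


def audit_sso_settings(show_output, ceph_url, idp_descriptor_url):
    """Return a list of findings; an empty list means nothing needs review."""
    cfg = json.loads(show_output)["onelogin_settings"]
    sp, sec, idp = cfg["sp"], cfg["security"], cfg["idp"]
    findings = []
    # The SP entityId is derived from the dashboard URL passed to `sso setup saml2`.
    if sp["entityId"] != f"{ceph_url}/auth/saml2/metadata":
        findings.append(f"sp.entityId does not match {ceph_url}")
    # The IdP entityId is the realm URL: the descriptor URL without /protocol/saml/descriptor.
    realm_url = idp_descriptor_url.split("/protocol/saml")[0]
    if idp["entityId"] != realm_url:
        findings.append("idp.entityId does not match the realm of the descriptor URL")
    if idp["singleSignOnService"]["url"] != f"{realm_url}/protocol/saml":
        findings.append("idp.singleSignOnService.url is not the realm's SAML endpoint")
    # Without the IdP certificate the dashboard has no key to verify IdP signatures.
    if "BEGIN CERTIFICATE" not in idp.get("x509cert", ""):
        findings.append("idp.x509cert is empty: IdP signatures cannot be verified")
    # Signature requirements the SP does not enforce, and SHA-1 based algorithms.
    for flag in ("wantMessagesSigned", "wantAssertionsSigned"):
        if not sec.get(flag, False):
            findings.append(f"security.{flag} is false: signature not required by the SP")
    for key in ("signatureAlgorithm", "digestAlgorithm"):
        if sec.get(key) in SHA1_ALGS:
            findings.append(f"security.{key} uses SHA-1")
    return findings
```

Feed it the real output of ceph dashboard sso show saml2 together with the two URLs you passed to sso setup saml2; each finding is a field to review against your RH SSO client settings, not necessarily a misconfiguration.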
After successfully verifying your settings, you can enable SAML 2.0 on your Ceph dashboard with the following command:
ceph dashboard sso enable saml2
Once enabled, opening the dashboard URL redirects you to RH SSO to log in to your Ceph cluster. You can disable SSO at any time with the following command:
ceph dashboard sso disable