*oVirt Keycloak internal SSO revert procedure:*
*First of all, this is rather a dev approach; in a real production
environment the regular 'restore from previous backup and run setup' approach
should be used.*
*I have tested this only on my very simplified dev environment.*
*Please make sure to back up any existing setup before proceeding.*
On the engine host:
*1. Disable external SSO in oVirt Engine*
*edit:*
/etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf
and update the following properties:
KEYCLOAK_BUNDLED=false
ENGINE_SSO_ENABLE_EXTERNAL_SSO=false
*2. Disable HTTPD openidc configuration*
Remove or rename /etc/httpd/conf.d/internalsso-openidc.conf, i.e.:
mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled
*3. Update oVirt OVN provider (if configured)*
edit
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
and remove or comment out the following property:
ovirt-admin-user-name=admin@ovirt@internalsso
*4. Run setup to update all answers and postinstall configurations:*
$ engine-setup --offline \
    --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False"
*5. Update Grafana OAuth configuration (if configured on the same host as the engine)*
*NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.*
Update the following sections in /etc/grafana/grafana.ini. Locate the [auth.generic_oauth] section:
[auth.generic_oauth]
name = oVirt Engine Auth
enabled = true
allow_sign_up = false
client_id = ovirt-grafana
client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs"""
scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority
role_attribute_path =
email_attribute_name = email
auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize
token_url = https://ENGINE/ovirt-engine/sso/openid/token
api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem
send_client_credentials_via_post = false
I was unable to retrieve the originally created client_secret for the grafana
client id (ovirt-grafana).
But it is possible to create a new one. Just make sure to back up that
secret for future upgrades.
# {ca_pem}: the engine CA, i.e. /etc/pki/ovirt-engine/ca.pem
# --client-id: anything other than 'ovirt-grafana'
# {tmp_conf}: where the new client's details are written, i.e. /tmp/99-client-register.conf
$ ovirt-register-sso-client-tool \
    --callback-prefix-url='https://ENGINE_FQDN/ovirt-engine-grafana/' \
    --client-ca-location=/etc/pki/ovirt-engine/ca.pem \
    --client-id=ovirt-grafana2 \
    --encrypted-userinfo=false \
    --conf-file-name=/tmp/99-client-register.conf
This command will create and register a new client that can be used for the
grafana oauth setup.
The necessary configuration details will be stored in the filesystem under the
location defined by '--conf-file-name={tmp_conf}'.
*6. Restart services*
- ovirt-engine
- httpd
- ovirt-provider-ovn (if configured)
- grafana-server (if configured on the same host as oVirt Engine)
*7. Log in to the oVirt Admin Panel using legacy AAA credentials (username:
admin, profile: internal, provided password)*
*and update the oVirt OVN provider credentials so that the username is
'ovirt@internal'*
From side panel choose:
Administration -> Providers -> ovirt-provider-ovn
Click Edit for ovirt-provider-ovn and update the ‘Username’ field to
contain ‘admin@internal’.
If you run engine-setup with the defaults, the password is the same.
Next, scroll down, click ‘Test’ and make sure it is successful before
submitting the change.
To the best of my knowledge these steps should be sufficient to fully revert to
legacy AAA on an existing Keycloak-enabled environment.
Fingers crossed!
Artur
On Thu, Jul 28, 2022 at 8:46 AM Artur Socha <asocha(a)redhat.com> wrote:
Hi,
I will document the required steps to revert from Keycloak. I only need
some time to test the procedure.
Definitely, it is possible.
Stay tuned, I will post it first here (today)
Artur
On Thu, Jul 28, 2022 at 8:30 AM <markeczzz(a)gmail.com> wrote:
> Ah, I see..
> Then, is there any good guide or documentation how to revert from
> Keycloak to AAA?
> All I could find is how to move from AAA to Keycloak, but not reverse.
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
--
Artur Socha
Senior Software Engineer, RHV
Red Hat
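A post-revert sanity check for steps 1, 2, 3 and 5 of the procedure above, added here as an example script (not from Artur's post or from the oVirt project). It inspects only the file paths and property names quoted in the procedure; the ROOT argument (default /) is an assumed convenience for running the check against a staged copy of the configuration tree.

```shell
#!/bin/sh
# Post-revert sanity check for the oVirt Keycloak -> legacy AAA procedure.
# Added example, not part of the original post. Only the files and properties
# named in steps 1, 2, 3 and 5 are inspected; ROOT (default /) is an assumed
# convenience for pointing the check at a staged copy of /etc.

# conf_has FILE KEY VALUE: succeed if FILE sets KEY=VALUE (quotes/spaces allowed).
conf_has() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']?$3[\"']?[[:space:]]*\$" "$1"
}

# keycloak_leftovers [ROOT]: print one line per remaining Keycloak artefact and
# return the number of findings (0 means the revert looks complete).
keycloak_leftovers() {
    root="${1:-/}"
    n=0
    engine_conf="$root/etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf"
    openidc_conf="$root/etc/httpd/conf.d/internalsso-openidc.conf"
    ovn_conf="$root/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf"
    grafana_ini="$root/etc/grafana/grafana.ini"

    # Step 1: both engine properties must be false, otherwise the engine keeps
    # sending logins to the external SSO.
    for key in KEYCLOAK_BUNDLED ENGINE_SSO_ENABLE_EXTERNAL_SSO; do
        conf_has "$engine_conf" "$key" false ||
            { echo "step 1: $key is not false in $engine_conf"; n=$((n + 1)); }
    done
    # Step 2: the httpd openidc config must be removed or renamed.
    [ ! -e "$openidc_conf" ] ||
        { echo "step 2: $openidc_conf is still present"; n=$((n + 1)); }
    # Step 3 (only if the OVN provider is installed): the admin user must no
    # longer be the Keycloak principal admin@ovirt@internalsso.
    if [ -f "$ovn_conf" ] &&
       grep -Eq '^[[:space:]]*ovirt-admin-user-name[[:space:]]*=.*@internalsso' "$ovn_conf"; then
        echo "step 3: ovirt-admin-user-name still uses @internalsso in $ovn_conf"; n=$((n + 1))
    fi
    # Step 5 (only if Grafana is on the engine host): OAuth must point at the
    # engine's own SSO endpoint.
    if [ -f "$grafana_ini" ] &&
       ! grep -Eq '^[[:space:]]*auth_url[[:space:]]*=.*/ovirt-engine/sso/openid/authorize' "$grafana_ini"; then
        echo "step 5: auth_url in $grafana_ini is not the engine's /ovirt-engine/sso/openid/authorize"; n=$((n + 1))
    fi
    return "$n"
}

# Stand-alone use: sh check-revert.sh [ROOT]; prints nothing and exits 0 when clean.
if [ $# -gt 0 ]; then keycloak_leftovers "$1"; fi
```

Run it once before step 6 (the service restarts) so that a missed edit shows up before ovirt-engine and httpd pick the configuration up.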