# Red Hat SSO Integration Guide

Cloud Voice can be tied into Red Hat SSO (Single Sign-on) so that your Red Hat users authenticate to the Cloud Voice App (Desktop and Web) with the same credentials they already use for Red Hat. This page gives you an overview of what the integration offers, what you need before you start, and where to go for each setup and maintenance task.

## Requirements

Before you begin, confirm that both sides meet the following minimums.

| Platform | Requirement |
|----------|-------------|
| Red Hat SSO | Version 7.6 or later is recommended. |
| Cloud Voice | Firmware `84.21.0.16` or later, and an Enterprise Plan or Ultimate Plan subscription. |

:::note
Some capabilities depend on a newer firmware build than the baseline above. See the [firmware dependency reference](/pbx/integrations/red-hat/firmware-dependency-reference/) to match a feature to the version it requires.
:::

:::caution
The integration is only available on the Enterprise Plan or Ultimate Plan. On a lower plan the setup options will not appear, so verify the subscription before you start.
:::

## What the integration does

Pairing Red Hat SSO with Cloud Voice gives you three main capabilities.

- **Single Sign-on (SSO).** Users sign in to the Cloud Voice App with their Red Hat credentials, so there is no separate voice password to distribute or remember.
- **User synchronization.** User accounts flow one way, from Red Hat SSO into Cloud Voice. When you update a user's details in Red Hat SSO, those changes are carried over to Cloud Voice automatically, which keeps your directory current without manual re-entry.
- **Automatic extension creation.** As users sync across, Cloud Voice can create and assign extensions to them, giving each person immediate access to the platform's unified communications features.

:::note
Synchronization is one-way only. Cloud Voice never writes changes back to Red Hat SSO, so treat Red Hat SSO as the source of truth for user details.
:::

## How the pieces connect

The integration relies on two protocols working together: the OpenID Connect (OIDC) client handles user-data synchronization, while SAML 2.0 (Security Assertion Markup Language) handles the sign-on flow. Together they provide secure authentication and authorization between Red Hat SSO and Cloud Voice.

### Set up the integration

Standing up the integration involves work on both the Red Hat side and the Cloud Voice side:

1. On Red Hat, create the resources you'll need and collect the credentials:
   - Create a realm and configure its realm key(s) to centrally manage user identities and SSO.
   - Add the users who should be able to sign in to the Cloud Voice App with their Red Hat credentials.
   - Create an OpenID Connect (OIDC) client so user data can synchronize into Cloud Voice.
   - Retrieve the metadata from Red Hat SSO.
2. On Cloud Voice, import the Red Hat SSO metadata and complete the related settings.
3. Back on Red Hat, create a SAML client to establish the SSO connection between Red Hat and Cloud Voice.

:::note
The two Red Hat clients do different jobs. The OIDC client is what synchronizes users, and the SAML client is what lets those users sign in through SSO. You need both: syncing users on its own does not enable SSO login until the SAML client is in place.
:::

For the full walkthrough, see [Integrate Cloud Voice with Red Hat SSO](/pbx/integrations/red-hat/integrate-cloud-voice-system-with-red-hat-sso/).

### Finish the setup

Once the connection is in place, configure Cloud Voice so users can actually sign in through SSO and reach the platform's unified communications features:

- [Synchronize Users from Red Hat SSO to Cloud Voice](/pbx/integrations/red-hat/synchronize-users-from-red-hat-sso-to-cloud-voice/): pull the Red Hat SSO users into Cloud Voice and assign extensions to them.
- [Allow Users to Log in to the Cloud Voice App with Red Hat SSO](/pbx/integrations/red-hat/allow-users-to-log-in-to-cloud-voice-app-uc-clients-with-red-hat-sso/): switch on the SSO feature so synced users can sign in with their Red Hat credentials.

### Manage the integration

Use these tasks to keep the integration running the way you want:

- [Schedule Automatic User Synchronization](/pbx/integrations/red-hat/schedule-automatic-user-synchronization/): Cloud Voice runs a user sync automatically at 00:30 every day by default. Use this to move that run to a time that suits you.
- [Manually Perform User Synchronization](/pbx/integrations/red-hat/manually-perform-user-synchronization/): trigger a sync right away when you want a new sync rule, or a fresh change in Red Hat SSO, to take effect immediately rather than waiting for the next scheduled run.
- [Update the Client Secret for the Red Hat SSO Integration](/pbx/integrations/red-hat/update-client-secret-for-red-hat-sso-integration/): replace the client secret used by the OIDC client, for example after a routine credential rotation.
- [Pause Red Hat SSO Synchronization](/pbx/integrations/red-hat/pause-red-hat-sso-synchronization/): put syncing on hold so that updates from Red Hat SSO do not overwrite the user data already in Cloud Voice.
- [Disable the Red Hat SSO Integration](/pbx/integrations/red-hat/disable-red-hat-sso-integration/): suspend the integration temporarily, for example while troubleshooting the PBX, without losing any of your existing configuration.
- [Disconnect the Red Hat SSO Integration](/pbx/integrations/red-hat/disconnect-red-hat-sso-integration/): remove the integration completely. You must do this before you can connect Cloud Voice to a different directory.

:::caution
Disable and disconnect are not the same thing. Disabling suspends the integration but keeps every setting, so you can turn it back on later, which is the right choice for a temporary pause or troubleshooting. Disconnecting removes the integration and its configuration and is only needed when you are switching to a different directory.
:::
