Introducing IdM in RHEL domain join feature: Enroll your machines on boot!

Managing identity and access in hybrid cloud environments can be complex. Traditionally, new machines are not automatically integrated into an organization's identity management (IdM) system, leading to security risks, manual intervention and operational inefficiencies. Organizations need a scalable, secure and automated solution for efficient access control.

What domain join does

The Red Hat Enterprise Linux (RHEL) domain join feature automates the enrollment of newly created machines into an existing identity and access management (IAM) system. This enables efficient authentication and access management without requiring manual configuration.

With this feature, provisioning administrators can integrate hosts into their identity management in RHEL (IPA) domain by using predefined provisioning blueprints. This flexibility provides an optimized user experience while maintaining a strong security and compliance posture.

Key benefits of domain join

• Automated integration: New cloud VMs automatically enroll in IdM in RHEL, enforcing policies without manual intervention
• Security and compliance: Immediate domain join reduces delays in applying security controls
• No credential exposure: The hybrid cloud console uses a protected, token-based registration process
• Multicloud flexibility: Works across private/public clouds and bare-metal environments
• Simplified administration: Users leverage existing IdM infrastructure without requiring third-party solutions

How domain join works

1. Simple registration: A token-based workflow to register your IdM deployment with the hybrid cloud console
2. Zero-touch enrollment: Upon deployment, VMs securely communicate with the hybrid cloud console and IdM in RHEL
3. Immediate policy enforcement: Machines join the domain by the end of the booting process, enabling access management and security policies
4. Ongoing access control: Existing IdM users gain access without additional configurations, subject to the existing security policies

Implementation guide

You can register your IdM deployment in the Red Hat Hybrid Cloud Console to manage authentication and authorization for all enrolled and deployed RHEL images.

Steps to register IdM deployment

1. Start the registration wizard: The wizard generates a secure registration token
2. Connect IdM deployment with the Hybrid Cloud Console: On your IdM server, install the ipa-hcc-server package and use the token to register your deployment
3. Complete the registration wizard: Return to the Hybrid Cloud Console to verify and finalize the registration
4. Include ipa-hcc-client in images: All deployed images must have the ipa-hcc-client package installed to automatically join the registered domain
5. Configure automatic subscription manager registration: Client images must be set to register automatically with the subscription manager

When these steps are completed, the feature is ready for use and instances will integrate with your existing IdM deployment.

Network considerations

For smooth operation, make sure the network where you deploy your images has connectivity to the IdM deployment. This includes:

• Correct DNS settings
• Allowing outbound connections to HTTPS, Kerberos and LDAP services

If client instances cannot communicate with both the Hybrid Cloud Console and the registered IdM server, they will not be able to join the domain.

Official documentation

For detailed steps, refer to the official documentation: Red Hat Hybrid Cloud Console - Deploying and Managing RHEL Systems in Hybrid Clouds.

What about Active Directory?

We have opened a Jira Feature ticket for Active Directory support, where we will gather requirements, comments and suggestions. If your company has interest in Active Directory support for the domain join feature, we encourage you to start watching the issue and add a comment.

Learn more

This feature was presented at Everything Open 2025 (Australia) by Fraser Tweedale, FOSDEM 2025 (Belgium) by Andre Boscatto and at DevConf (India) by Akshay Adhikari - recording and slides are available in the links.

Stay tuned for our follow-up posts coming soon from the Red Hat Developer Blog.