Enhance README.md
Fix code blocks indentation and add syntax highlighting Change-Id: Ib6a0672ad961e567bf586e7569f64b8b37533845
This commit is contained in:
Claudio Pisa
parent
5ec1bc10f9
commit
3bab1d79f0
134
src/README.md
134
src/README.md
|
|
@ -37,7 +37,7 @@ Use this charm with the Keystone charm, running with preferred-api-version=3:
|
||||||
|
|
||||||
In a bundle:
|
In a bundle:
|
||||||
|
|
||||||
```
|
```yaml
|
||||||
applications:
|
applications:
|
||||||
# ...
|
# ...
|
||||||
keystone-saml-mellon:
|
keystone-saml-mellon:
|
||||||
|
|
@ -133,16 +133,16 @@ the post-deployment configuration steps. For example https://samltest.id/saml/id
|
||||||
Get the idP's metadata XML. This will be the resource file for idp-metdata.xml.
|
Get the idP's metadata XML. This will be the resource file for idp-metdata.xml.
|
||||||
The XML will be unique for each idP. See example [idP metadata](https://samltest.id/saml/idp).
|
The XML will be unique for each idP. See example [idP metadata](https://samltest.id/saml/idp).
|
||||||
The XML must be generated by your idP rather than
|
The XML must be generated by your idP rather than
|
||||||
attempting to create this document on your own.
|
attempting to create this document on your own.
|
||||||
|
|
||||||
Generate a certificate key pair for keystone as a Service Provider (SP). See
|
Generate a certificate key pair for keystone as a Service Provider (SP). See
|
||||||
openssl document ion on how to. This certificate key pair will not be validated
|
openssl documentation on how to. This certificate key pair will not be validated
|
||||||
so it may or may not be signed by your certificate authority.
|
so it may or may not be signed by your certificate authority.
|
||||||
The key PEM file is the resource file for sp-private-key.pem. The certificate
|
The key PEM file is the resource file for `sp-private-key.pem`. The certificate
|
||||||
PEM data will be placed in an XML document and will become the
|
PEM data will be placed in an XML document and will become the
|
||||||
sp-signing-keyinfo.xml resource file.
|
`sp-signing-keyinfo.xml` resource file.
|
||||||
|
|
||||||
```
|
```xml
|
||||||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
||||||
<ds:X509Data>
|
<ds:X509Data>
|
||||||
<ds:X509Certificate>
|
<ds:X509Certificate>
|
||||||
|
|
@ -158,28 +158,28 @@ sp-signing-keyinfo.xml resource file.
|
||||||
```
|
```
|
||||||
|
|
||||||
Set the protocol. This must match the protocol used in the post-deployment
|
Set the protocol. This must match the protocol used in the post-deployment
|
||||||
configuration steps. We recommend the protocol "mapped."
|
configuration steps. We recommend the protocol "mapped".
|
||||||
|
|
||||||
juju config keystone-saml-mellon protocol-name=mapped
|
juju config keystone-saml-mellon protocol-name=mapped
|
||||||
|
|
||||||
Determine and configure the NameID SAML specification(s). This is the format
|
Determine and configure the NameID SAML specification(s). This is the format
|
||||||
for the user identification you expect to receive from the idP. Federated users
|
for the user identification you expect to receive from the idP. Federated users
|
||||||
generated in the keystone database will use this NameID as the uid.
|
generated in the keystone database will use this NameID as the uid.
|
||||||
|
|
||||||
juju config keystone-saml-mellon nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
juju config keystone-saml-mellon nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
||||||
|
|
||||||
If proxies are invoked at any point between the idP and keystone as SP set
|
If proxies are invoked at any point between the idP and keystone as SP set
|
||||||
subject-confirmation-data-address-check to false.
|
subject-confirmation-data-address-check to false.
|
||||||
|
|
||||||
juju config keystone-saml-mellon subject-confirmation-data-address-check=False
|
juju config keystone-saml-mellon subject-confirmation-data-address-check=false
|
||||||
|
|
||||||
Attach resources
|
Attach resources
|
||||||
|
|
||||||
juju attach-resource keystone-saml-mellon idp-metadata=./idp-metadata.xml sp-private-key=./sp-private-key.pem. sp-signing-keyinfo=./sp-signing-keyinfo.xml
|
juju attach-resource keystone-saml-mellon idp-metadata=./idp-metadata.xml sp-private-key=./sp-private-key.pem. sp-signing-keyinfo=./sp-signing-keyinfo.xml
|
||||||
|
|
||||||
Get keystones SP metadata XML and exchange it with your idP
|
Get keystones SP metadata XML and exchange it with your idP
|
||||||
|
|
||||||
juju run-action keystone-saml-mellon/0 get-sp-metadata
|
juju run-action keystone-saml-mellon/0 get-sp-metadata --wait
|
||||||
|
|
||||||
# Post-deployment Configuration
|
# Post-deployment Configuration
|
||||||
|
|
||||||
|
|
@ -209,66 +209,72 @@ following is a simple example. Constraints can be added on the remote side. For
|
||||||
example group membership.
|
example group membership.
|
||||||
See [mapping documentation](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html) upstream.
|
See [mapping documentation](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html) upstream.
|
||||||
|
|
||||||
```
|
```bash
|
||||||
openstack domain create federated_domain
|
openstack domain create federated_domain
|
||||||
openstack group create federated_users --domain federated_domain
|
openstack group create federated_users --domain federated_domain
|
||||||
# Get the federated_users group id and assign the role Member
|
# Get the federated_users group id and assign the role Member
|
||||||
GROUP_ID=$(openstack group show federated_users --domain federated_domain | grep -v domain_id | grep id |awk '{print $4}')
|
GROUP_ID=$(openstack group show federated_users --domain federated_domain | grep -v domain_id | grep id |awk '{print $4}')
|
||||||
openstack role add --group ${GROUP_ID} --domain federated_domain Member
|
openstack role add --group ${GROUP_ID} --domain federated_domain Member
|
||||||
|
|
||||||
# Use the URL for your idP's metadata for remote-id. The name can be
|
# Use the URL for your idP's metadata for remote-id. The name can be
|
||||||
# arbitrary.
|
# arbitrary.
|
||||||
openstack identity provider create --remote-id https://samltest.id/saml/idp --domain federated_domain samltest
|
openstack identity provider create --remote-id https://samltest.id/saml/idp --domain federated_domain samltest
|
||||||
|
|
||||||
# Get the federated_domain id and add it to the rules.json map
|
# Get the federated_domain id and add it to the rules.json map
|
||||||
DOMAIN_ID=$(openstack domain show federated_domain |grep id |awk '{print $4}')
|
DOMAIN_ID=$(openstack domain show federated_domain |grep id |awk '{print $4}')
|
||||||
cat > rules.json <<EOF
|
cat > rules.json <<EOF
|
||||||
[{
|
[{
|
||||||
"local": [
|
"local": [
|
||||||
{
|
{
|
||||||
"user": {
|
"user": {
|
||||||
"name": "{0}"
|
"name": "{0}"
|
||||||
|
},
|
||||||
|
"group": {
|
||||||
|
"domain": {
|
||||||
|
"id": "${DOMAIN_ID}"
|
||||||
},
|
},
|
||||||
"group": {
|
"name": "federated_users"
|
||||||
"domain": {
|
},
|
||||||
"id": "${DOMAIN_ID}"
|
"projects": [
|
||||||
},
|
|
||||||
"name": "federated_users"
|
|
||||||
},
|
|
||||||
"projects": [
|
|
||||||
{
|
|
||||||
"name": "{0}_project",
|
|
||||||
"roles": [
|
|
||||||
{
|
|
||||||
"name": "Member"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"remote": [
|
|
||||||
{
|
{
|
||||||
"type": "MELLON_NAME_ID"
|
"name": "{0}_project",
|
||||||
|
"roles": [
|
||||||
|
{
|
||||||
|
"name": "Member"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}]
|
}
|
||||||
EOF
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "MELLON_NAME_ID"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}]
|
||||||
|
EOF
|
||||||
|
|
||||||
# Use the rules.json created above.
|
# Use the rules.json created above.
|
||||||
openstack mapping create --rules rules.json samltest_mapping
|
openstack mapping create --rules rules.json samltest_mapping
|
||||||
# The name should be mapped or saml here and must match the configuration
|
# The name should be mapped or saml here and must match the configuration
|
||||||
# setting protocol-name. We recommend using "mapped"
|
# setting protocol-name. We recommend using "mapped"
|
||||||
openstack federation protocol create mapped --mapping samltest_mapping --identity-provider samltest
|
openstack federation protocol create mapped --mapping samltest_mapping --identity-provider samltest
|
||||||
# list related projects
|
# list related projects
|
||||||
openstack federation project list
|
openstack federation project list
|
||||||
# Note and auto generated domain has been created. This is where auto
|
# Note and auto generated domain has been created. This is where auto
|
||||||
# generated users and projects will be created.
|
# generated users and projects will be created.
|
||||||
openstack domain list
|
openstack domain list
|
||||||
```
|
```
|
||||||
|
|
||||||
# Bugs
|
# Bugs
|
||||||
|
|
||||||
Please report bugs on [Launchpad](https://bugs.launchpad.net/charm-keystone-saml-mellon/+filebug).
|
Please report bugs on [Launchpad][lp-bugs-charm-keystone-saml-mellon].
|
||||||
|
|
||||||
For general questions please refer to the OpenStack [Charm Guide](https://docs.openstack.org/charm-guide/latest/).
|
For general charm questions refer to the [OpenStack Charm Guide][cg].
|
||||||
|
|
||||||
|
<!-- LINKS -->
|
||||||
|
|
||||||
|
[cg]: https://docs.openstack.org/charm-guide
|
||||||
|
[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
|
||||||
|
[lp-bugs-charm-keystone-saml-mellon]: https://bugs.launchpad.net/charm-keystone-saml-mellon/+filebug
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue