charm-keystone-saml-mellon/src/README.md

# Overview

This subordinate charm provides a way to integrate a SAML-based identity
provider with Keystone using Mellon Apache web server authentication
module (mod_auth_mellon) and lasso as its dependency. Mellon acts as a
Service Provider in this case and provides SAML token attributes as WSGI
environment variables to Keystone which does not itself participate in
SAML exchanges - it merely interprets results of such exchanges
and maps assertion-derived attributes to entities (such as groups,
roles, projects and domains) in a local Keystone SQL database.

In general, any identity provider that conforms to SAML 2.0 will be
possible to integrate using this charm.

The following documentation is useful to better understand the charm
implementation:

* https://github.com/UNINETT/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc
* https://github.com/UNINETT/mod_auth_mellon/blob/master/doc/user_guide/images/saml-web-sso.svg
* http://lasso.entrouvert.org/
* https://www.oasis-open.org/standards#samlv2.0
* https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html
* https://docs.openstack.org/keystone/latest/admin/federation/mellon.html
* https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html

# Usage

Use this charm with the Keystone charm, running with preferred-api-version=3:

    juju deploy keystone
    juju config keystone preferred-api-version=3 # other settings
    juju deploy openstack-dashboard # settings
    juju deploy keystone-saml-mellon
    juju add-relation keystone keystone-saml-mellon
    juju add-relation keystone openstack-dashboard


In a bundle:

```yaml
    applications:
    # ...
      keystone-saml-mellon:
        charm: cs:~openstack-charmers-next/keystone-saml-mellon
        num_units: 0
        options:
          idp-name: 'samltest'
          protocol-name: 'mapped'
          user-facing-name: "samltest.id'
          nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        resources:
          idp-metadata: "./idp-metadata.xml"
          sp-signing-keyinfo: "./sp-keyinfo.xml"
          sp-private-key: "./sp-private-key.pem"
      relations:
      # ...
      - [ keystone, keystone-saml-mellon ]
      - [ openstack-dashboard, keystone-saml-mellon ]
      - [ "openstack-dashboard:websso-trusted-dashboard", "keystone:websso-trusted-dashboard" ]
```

# Prerequisites

In order to use this charm, there are several prerequisites that need to be
taken into account which require certain infrastructure to be set up out of
band, namely:

* PKI;
* DNS;
* NTP;
* idP.

It is highly recommend that on the OpenStack charms side SSL/TLS be
configured. We recommend deploying vault with a generated or uploaded
certificate authority and relating to all OpenStack services. Optionally,
ssl_ca, ssl_cert, and ssl_key can be configured on the OpenStack charms.

> **Note**: For Vault deployment instructions see the [vault
  charm][vault-charm]. For certificate management information read the
  [Managing TLS certificates with Vault][cdg-vault-certs] section in the
  [OpenStack Charms Deployment Guide][cdg].

Several key pairs can be used in a generic SAML exchange along with
certificates containing public keys. Besides the pairs used for message-level
signing and encryption there are also TLS certificates used for transport
layer encryption when a browser connects to a protected URL on the SP side or
when it gets redirected to an idP endpoint for authentication. In summary:

* Service Provider (Keystone) TLS termination certificates, keys and CA;
* Service Provider signing and encryption private keys and associated
  public keys (SAML-level);
* Identity Provider TLS termination certificates, keys and CA;
* Identity Provider signing and encryption private keys and associated public
  keys (SAML-level).

For a successful authentication to happen the following needs to hold:

* A user agent (browser) needs to
  * trust an issuer (CA) of TLS certificates of an SP used for HTTPS;
  * trust an issuer (CA) TLS certificates of an idP used for HTTPS;
  * be able to resolve domain names present in subject or subjAltName fields.
* An SP needs to:
  * be able to verify signed SAML messages sent by an idP via
    public keys contained in certificates provided in the idP's metadata XML
    and, if SAML-level encryption is enabled, decrypt those messages;
* An idP needs to:
  * be able to verify signed SAML messages sent by an SP via
    public keys contained in certificates provided in the SP's metadata XML
    and, if SAML-level encryption is enabled, decrypt those messages.

Note that this does not mean that any actual checks are performed for
certificates related to SAML - only key material is used and there does
NOT have to be any PKI actually in-place, not even expiration times are
checked as per Mellon documentation. In that sense trust is very explicitly
defined by out of band mutual synchronization of SP and idP metadata files.
See SAML V2.0 Metadata Interoperability Profile (2.6.1) key processing
section for a normative reference.

However, this does not mean that no PKI will be in place - TLS certificates
used for HTTPS connectivity have to be verifiable by the entities that use
them. With Redirect or POST binding this is mainly about user agent being
able to validate SP or idP certificates - there is no direct communication
between the two outside the metadata synchronization step which is performed
by an operator out of band.

Additionally, for successful certificate verification clocks of all parties
need to be properly synchronized which is why it is important for NTP agents
to be able to reach proper NTP servers on SP and idP.

# Configuration

Determine the Identity Provider (idP). The idP may be public and external to
your organization or a service your organization operates. It is good practice
to use the URL for the idP's metadata as the unique identifier for the idP in
the post-deployment configuration steps. For example https://samltest.id/saml/idp

Get the idP's metadata XML. This will be the resource file for idp-metdata.xml.
The XML will be unique for each idP. See example [idP metadata](https://samltest.id/saml/idp).
The XML must be generated by your idP rather than
attempting to create this document on your own.

Generate a certificate key pair for keystone as a Service Provider (SP). See
openssl documentation on how to. This certificate key pair will not be validated
so it may or may not be signed by your certificate authority.
The key PEM file is the resource file for `sp-private-key.pem`. The certificate
PEM data will be placed in an XML document and will become the
`sp-signing-keyinfo.xml` resource file.

```xml
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
        <ds:X509Certificate>
            <!--
                Your base64 certificate *without* the header and footer.
                Remove the following:
                -----BEGIN CERTIFICATE-----
                -----END CERTIFICATE-----
            -->
        </ds:X509Certificate>
    </ds:X509Data>
</ds:KeyInfo>
```

Set the protocol. This must match the protocol used in the post-deployment
configuration steps. We recommend the protocol "mapped".

    juju config keystone-saml-mellon protocol-name=mapped

Determine and configure the NameID SAML specification(s). This is the format
for the user identification you expect to receive from the idP. Federated users
generated in the keystone database will use this NameID as the uid.

    juju config keystone-saml-mellon nameid-formats="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

If proxies are invoked at any point between the idP and keystone as SP set
subject-confirmation-data-address-check to false.

    juju config keystone-saml-mellon subject-confirmation-data-address-check=false

Attach resources

    juju attach-resource keystone-saml-mellon idp-metadata=./idp-metadata.xml sp-private-key=./sp-private-key.pem. sp-signing-keyinfo=./sp-signing-keyinfo.xml

Get keystones SP metadata XML and exchange it with your idP

    juju run-action keystone-saml-mellon/0 get-sp-metadata --wait

# Post-deployment Configuration

In addition to the above, there are several post-deployment steps that have to
be performed in order to start using federated identity functionality in
Keystone. They depend on the chosen config values and also on an IDP
configuration as it may put different NameID values and attributes into SAML
tokens. Token attributes are parsed by mod_auth_mellon and are placed into
WSGI environment which are used by Keystone and they have the following format:
"MELLON_<attribute_name>" (one attribute can have multiple values in SAML).
Both NameID and attribute values can be used in mappings to map SAML token
content to existing and, in case of projects, potentially non-existing entities
in Keystone database.

In order to take the above into account several objects need to be created:

* a domain used for federated users;
* (optional) a project to be used by federated users;
* one or more groups to place federated users into;
* role assignments for the groups above;
* an identity provider object;
* a mapping of NameID and SAML token attributes to Keystone entities;
* a federation protocol object.

Generate rules.json for mapping federated users into the keystone database. The
following is a simple example. Constraints can be added on the remote side. For
example group membership.
See [mapping documentation](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html) upstream.

```bash
openstack domain create federated_domain
openstack group create federated_users --domain federated_domain
# Get the federated_users group id and assign the role Member
GROUP_ID=$(openstack group show federated_users --domain federated_domain | grep -v domain_id | grep id |awk '{print $4}')
openstack role add --group ${GROUP_ID} --domain federated_domain Member

# Use the URL for your idP's metadata for remote-id. The name can be
# arbitrary.
openstack identity provider create --remote-id https://samltest.id/saml/idp --domain federated_domain samltest

# Get the federated_domain id and add it to the rules.json map
DOMAIN_ID=$(openstack domain show federated_domain |grep id |awk '{print $4}')
cat > rules.json <<EOF
[{
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "id": "${DOMAIN_ID}"
                    },
                    "name": "federated_users"
                },
                "projects": [
                {
                    "name": "{0}_project",
                    "roles": [
                                 {
                                     "name": "Member"
                                 }
                             ]
                }
                ]
           }
        ],
        "remote": [
            {
                "type": "MELLON_NAME_ID"
            }
        ]
}]
EOF

# Use the rules.json created above.
openstack mapping create --rules rules.json samltest_mapping
# The name should be mapped or saml here and must match the configuration
# setting protocol-name. We recommend using "mapped"
openstack federation protocol create mapped --mapping samltest_mapping --identity-provider samltest
# list related projects
openstack federation project list
# Note and auto generated domain has been created. This is where auto
# generated users and projects will be created.
openstack domain list
```

# Bugs

Please report bugs on [Launchpad][lp-bugs-charm-keystone-saml-mellon].

For general charm questions refer to the [OpenStack Charm Guide][cg].

<!-- LINKS -->

[cg]: https://docs.openstack.org/charm-guide
[cdg]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide
[lp-bugs-charm-keystone-saml-mellon]: https://bugs.launchpad.net/charm-keystone-saml-mellon/+filebug
[vault-charm]: https://jaas.ai/vault/
[cdg-vault-certs]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-certificate-management.html