74 lines
3.1 KiB
YAML
74 lines
3.1 KiB
YAML
name: keystone-saml-mellon
|
|
subordinate: true
|
|
maintainer: OpenStack Charmers <openstack-charmers@lists.ubuntu.com>
|
|
summary: Federated identity with SAML via Mellon Service Provider
|
|
description:
|
|
The main goal of this charm is to generate the necessary configuration
|
|
for use in the Keystone charm related to Service Provider config
|
|
generation, trust establishment between a remote idP and SP via
|
|
certificates and signaling Keystone service restart.
|
|
Keystone has a concept of a federated backend which serves multiple
|
|
purposes including being a backend part of a Service Provider in an
|
|
authentication scenario where SAML is used. Unless ECP is used on a
|
|
keystone client side, SAML-related exchange is performed in an Apache
|
|
authentication module (Mellon in case of this charm) and SAML
|
|
assertions are converted to WSGI environment variables passed down to
|
|
a particular mod_wsgi interpreter running Keystone code. Keystone has
|
|
an authentication plug-in called "mapped" which does the rest of the
|
|
work of resolving symbolic attributes and using them in mappings
|
|
defined by an operator or validating the existence of referenced IDs.
|
|
tags:
|
|
- openstack
|
|
- identity
|
|
- federation
|
|
- idP
|
|
series:
|
|
- xenial
|
|
- bionic
|
|
- eoan
|
|
provides:
|
|
keystone-fid-service-provider:
|
|
interface: keystone-fid-service-provider
|
|
scope: container
|
|
websso-fid-service-provider:
|
|
interface: websso-fid-service-provider
|
|
scope: global
|
|
requires:
|
|
container:
|
|
interface: juju-info
|
|
scope: container
|
|
resources:
|
|
idp-metadata:
|
|
type: file
|
|
filename: 'idp-metadata.xml'
|
|
description: |
|
|
Identity Provider metadata XML file that conforms to
|
|
saml-metadata-2.0-os specification. This file contains idP
|
|
identification information and its certificates with public keys
|
|
that can be used for signing and encryption on the idP side in
|
|
IDPSSODescriptor and other information which can be used on the
|
|
service provider side to interact with that idP.
|
|
sp-private-key:
|
|
type: file
|
|
filename: 'sp-private-key.pem'
|
|
description: |
|
|
Private key used by Service Provider (mod_auth_mellon) to sign
|
|
and/or SAML-level (not transport-level) encryption.
|
|
sp-signing-keyinfo:
|
|
type: file
|
|
filename: 'sp-signing-keyinfo.xml'
|
|
description: |
|
|
Specifies a signing KeyInfo portion of SPSSODescriptor to be used
|
|
in Service Provider metadata. This should be an XML portion
|
|
which in the simplest case is formatted as shown below:
|
|
This fragment should contain a certificate that contains a public
|
|
key of a Service Provider in case an idP requires that SAML
|
|
requests are signed.
|
|
The term "signing certificate" is a misnomer. A signing
|
|
certificate in metadata is actually used for signature
|
|
verification, not signing. The private signing key is held
|
|
securely by the signing party (SP in this case). In a SAML
|
|
exchange an SP signs SAML messages with its private key and idP
|
|
validates them via a public key embedded in a certificate present
|
|
in the SP's metadata XML and vice versa for idP.
|