Browse Source

Make the devstack plugin more configurable for federation

* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
  configurable.
* Copy over an attribute map that includes support for
  keystone as an idp attributes.

bp devstack-plugin

Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
changes/80/484480/2
Kristi Nikolla 4 years ago
parent
commit
1394b0c6b1
  1. 66
      devstack/files/federation/attribute-map.xml
  2. 6
      devstack/files/federation/shibboleth2.xml
  3. 18
      devstack/lib/federation.sh

66
devstack/files/federation/attribute-map.xml

@ -0,0 +1,66 @@
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
few exceptions for newer attributes where the name is the same for both versions. You will
usually want to uncomment or map the names for both SAML versions as a unit.
-->
<Attribute id="openstack_project" name="openstack_project"/>
<Attribute id="openstack_project_domain" name="openstack_project_domain"/>
<Attribute id="openstack_roles" name="openstack_roles"/>
<Attribute id="openstack_user" name="openstack_user"/>
<Attribute id="openstack_user_domain" name="openstack_user_domain"/>
<!-- First some useful eduPerson attributes that many sites might use. -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
<!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
</Attribute>
<!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
<!--
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
<AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
-->
<!-- Third, the new version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- Fourth, the SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
</Attributes>

6
devstack/files/federation/shibboleth2.xml

@ -21,7 +21,7 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
<!-- Triggers a login request directly to the TestShib IdP. -->
<!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
<SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
<SSO entityID="%IDP_REMOTE_ID%" ECP="true">
SAML2 SAML1
</SSO>
@ -54,8 +54,8 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
styleSheet="/shibboleth-sp/main.css"/>
<!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
<MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />
<MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
backingFilePath="metadata.xml" reloadInterval="180000" />
<!-- Attribute and trust options you shouldn't need to change. -->
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>

18
devstack/lib/federation.sh

@ -22,12 +22,18 @@ IDP_USERNAME=${IDP_USERNAME:-myself}
IDP_PASSWORD=${IDP_PASSWORD:-myself}
IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://idp.testshib.org/idp/shibboleth}
IDP_ECP_URL=${IDP_ECP_URL:-https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP}
IDP_METADATA_URL=${IDP_METADATA_URL:-http://www.testshib.org/metadata/testshib-providers.xml}
MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-eppn}
MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
PROTOCOL_ID=${PROTOCOL_ID:-mapped}
# File paths
FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
function configure_apache {
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
local keystone_apache_conf=$(apache_site_config_for keystone-wsgi-public)
@ -83,9 +89,15 @@ function configure_federation {
configure_apache
# Copy a templated /etc/shibboleth/shibboleth2.xml file...
sudo cp $KEYSTONE_PLUGIN/files/federation/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
# ... and replace the %HOST_IP% placeholder with the host ip
sudo sed -i -e "s|%HOST_IP%|$HOST_IP|g;" /etc/shibboleth/shibboleth2.xml
sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
# ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
sudo sed -i -e "
s|%HOST_IP%|$HOST_IP|g;
s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
" $SHIBBOLETH_XML
sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
restart_service shibd

Loading…
Cancel
Save