Make the devstack plugin more configurable for federation

* In shibboleth2.xml make the ENTITY_ID and METADATA_URL configurable. * Copy over an attribute map that includes support for keystone as an idp attributes. bp devstack-plugin Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
2017-07-17 16:34:53 -04:00 · 2017-07-17 16:34:53 -04:00 · 1394b0c6b1
commit 1394b0c6b1
parent 4172893a5d
3 changed files with 84 additions and 6 deletions
--- a/devstack/files/federation/attribute-map.xml
+++ b/devstack/files/federation/attribute-map.xml
@ -0,0 +1,66 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!--
+    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
+    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
+    few exceptions for newer attributes where the name is the same for both versions. You will
+    usually want to uncomment or map the names for both SAML versions as a unit.
+    -->
+
+    <Attribute id="openstack_project" name="openstack_project"/>
+    <Attribute id="openstack_project_domain" name="openstack_project_domain"/>
+    <Attribute id="openstack_roles" name="openstack_roles"/>
+    <Attribute id="openstack_user" name="openstack_user"/>
+    <Attribute id="openstack_user_domain" name="openstack_user_domain"/>
+
+    <!-- First some useful eduPerson attributes that many sites might use. -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+    <!-- A persistent id attribute that supports personalized anonymous access. -->
+
+    <!-- First, the deprecated/incorrect version, decoded as a scoped string: -->
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+        <!-- <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> -->
+    </Attribute>
+
+    <!-- Second, an alternate decoder that will decode the incorrect form into the newer form. -->
+    <!--
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDFromScopedAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+    -->
+
+    <!-- Third, the new version (note the OID-style name): -->
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <!-- Fourth, the SAML 2.0 NameID Format: -->
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+</Attributes>
--- a/devstack/files/federation/shibboleth2.xml
+++ b/devstack/files/federation/shibboleth2.xml
@ -21,7 +21,7 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration

            <!-- Triggers a login request directly to the TestShib IdP. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
-            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
+            <SSO entityID="%IDP_REMOTE_ID%" ECP="true">
                SAML2 SAML1
            </SSO>

@ -54,8 +54,8 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
-        <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
-             backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000" />
+        <MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
+                          backingFilePath="metadata.xml" reloadInterval="180000" />

        <!-- Attribute and trust options you shouldn't need to change. -->
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
--- a/devstack/lib/federation.sh
+++ b/devstack/lib/federation.sh
@ -22,12 +22,18 @@ IDP_USERNAME=${IDP_USERNAME:-myself}
 IDP_PASSWORD=${IDP_PASSWORD:-myself}
 IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://idp.testshib.org/idp/shibboleth}
 IDP_ECP_URL=${IDP_ECP_URL:-https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP}
+IDP_METADATA_URL=${IDP_METADATA_URL:-http://www.testshib.org/metadata/testshib-providers.xml}

 MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-eppn}
 MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}

 PROTOCOL_ID=${PROTOCOL_ID:-mapped}

+# File paths
+FEDERATION_FILES="$KEYSTONE_PLUGIN/files/federation"
+SHIBBOLETH_XML="/etc/shibboleth/shibboleth2.xml"
+ATTRIBUTE_MAP="/etc/shibboleth/attribute-map.xml"
+
 function configure_apache {
    if [[ "$WSGI_MODE" == "uwsgi" ]]; then
        local keystone_apache_conf=$(apache_site_config_for keystone-wsgi-public)
@ -83,9 +89,15 @@ function configure_federation {
    configure_apache

    # Copy a templated /etc/shibboleth/shibboleth2.xml file...
-    sudo cp $KEYSTONE_PLUGIN/files/federation/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
-    # ... and replace the %HOST_IP% placeholder with the host ip
-    sudo sed -i -e "s|%HOST_IP%|$HOST_IP|g;" /etc/shibboleth/shibboleth2.xml
+    sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
+    # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
+    sudo sed -i -e "
+        s|%HOST_IP%|$HOST_IP|g;
+        s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
+        s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
+        " $SHIBBOLETH_XML
+
+    sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP

    restart_service shibd