From fc3dcc8071bd0c83618ad8abe19d8922669fa3d0 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 21 Dec 2018 15:48:50 -0800
Subject: [PATCH] Enhance authn sections in federation guide

Modernize the examples on using the CLI to authenticate with an external
IdP or keystone IdP, add tips on how to get needed information, and add
examples on authenticating with horizon.

Partial-bug: #1793374
Change-Id: Ieec899a1551be69da232196c59b9aeed0e85f5f5
---
 doc/source/_static/horizon-login-idp.png      | Bin 0 -> 6258 bytes
 doc/source/_static/horizon-login-sp.png       | Bin 0 -> 16334 bytes
 .../admin/federation/configure_federation.rst | 196 +++++++++---------
 3 files changed, 96 insertions(+), 100 deletions(-)
 create mode 100644 doc/source/_static/horizon-login-idp.png
 create mode 100644 doc/source/_static/horizon-login-sp.png
diff --git a/doc/source/_static/horizon-login-idp.png b/doc/source/_static/horizon-login-idp.png
new file mode 100644
index 0000000000000000000000000000000000000000..bd298f6546ebca6adb67d864cea53fe1c75e6033
GIT binary patch
literal 6258
diff --git a/doc/source/_static/horizon-login-sp.png b/doc/source/_static/horizon-login-sp.png
new file mode 100644
index 0000000000000000000000000000000000000000..46831c92011ad01b3afb8aa0082837c266c1927c
GIT binary patch
literal 16334
-Performing federated authentication ------------------------------------ +Authenticating +-------------- -.. NOTE:: +Use the CLI to authenticate with a SAML2.0 Identity Provider +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Authentication with keystone-to-keystone federation does not follow these steps. - See `Testing it all out`_ to authenticate with keystone-to-keystone. +.. FIXME(cmurphy): Include examples for OpenID Connect authentication with the CLI -1. Authenticate externally and generate an unscoped token in keystone -2. Determine accessible resources -3. Get a scoped token +The ``python-openstackclient`` can be used to authenticate a federated user in a +SAML Identity Provider to keystone. -Get an unscoped token +.. note:: + + The SAML Identity Provider must be configured to support the ECP + authentication profile. + +To use the CLI tool, you must have the name of the Identity Provider +resource in keystone, the name of the federation protocol configured in +keystone, and the ECP endpoint for the Identity Provider. If you are the cloud +administrator, the name of the Identity Provider and protocol was configured in +`Identity Provider`_ and `Protocol`_ respectively. If you are not the +administrator, you must obtain this information from the administrator. + +The ECP endpoint for the Identity Provider can be obtained from its metadata +without involving an administrator. This endpoint is the +``urn:oasis:names:tc:SAML:2.0:bindings:SOAP`` binding in the metadata document: + +.. 
code-block:: console + + $ curl -s https://samltest.id/saml/idp | grep urn:oasis:names:tc:SAML:2.0:bindings:SOAP + + +~~~~~~~~~~~~~~~~~~~~~ +Find available scopes ~~~~~~~~~~~~~~~~~~~~~ -Unlike other authentication methods in the Identity Service, the user does not -issue an HTTP POST request with authentication data in the request body. To -start federated authentication a user must access the dedicated URL with -Identity Provider's and Protocol's identifiers stored within a protected URL. -The URL has a format of: -``/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth``. +If you are a new user and are not aware of what resources you have access to, +you can use an unscoped query to list the projects or domains you have been +granted a role assignment on: -In this instance we follow a standard SAML2 authentication procedure, that is, -the user will be redirected to the Identity Provider's authentication webpage -and be prompted for credentials. After successfully authenticating the user -will be redirected to the Service Provider's endpoint. If using a web browser, -a token will be returned in JSON format, with the ID in the X-Subject-Token -header. +.. code-block:: bash -In the returned unscoped token, a list of Identity Service groups the user -belongs to will be included. - -Read more about `getting an unscoped token -`__. - -~~~~~~~~~~~~ -Example cURL -~~~~~~~~~~~~ - -Note that the request does not include a body. The following url would be -considered protected by ``mod_shib`` and Apache, as such a request made -to the URL would be redirected to the Identity Provider, to start the -SAML authentication procedure. - -.. 
code-block:: console - - $ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth - -Determine accessible resources -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -By using the previously returned token, the user can issue requests to the list -projects and domains that are accessible. - -* List projects a federated user can access: ``GET /OS-FEDERATION/projects`` -* List domains a federated user can access: ``GET /OS-FEDERATION/domains`` - -Read more about `listing resources -`__. - -~~~~~~~ -Example -~~~~~~~ - -.. code-block:: console - - $ export OS_IDENTITY_API_VERSION=3 - $ export OS_TOKEN= - $ export OS_URL=https://sp.keystone.example.org/v3 - $ openstack federation project list - -or - -.. code-block:: console - - $ export OS_IDENTITY_API_VERSION=3 - $ export OS_TOKEN= - $ export OS_URL=https://sp.keystone.example.org/v3 - $ openstack federation domain list + export OS_AUTH_TYPE=v3samlpassword + export OS_IDENTITY_PROVIDER=samltest + export OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP + export OS_PROTOCOL=saml2 + export OS_USERNAME=morty + export OS_PASSWORD=panic + export OS_AUTH_URL=https://sp.keystone.example.org/v3 + export OS_IDENTITY_API_VERSION=3 + openstack federation project list + openstack federation domain list +~~~~~~~~~~~~~~~~~~ Get a scoped token ~~~~~~~~~~~~~~~~~~ -A federated user may request a scoped token, by using the unscoped token. A -project or domain may be specified by either ``id`` or ``name``. An ``id`` is -sufficient to uniquely identify a project or domain. +If you already know the project, domain or system you wish to scope to, you can +directly request a scoped token: -Read more about `getting a scoped token -`__. +.. 
code-block:: bash -~~~~~~~ -Example -~~~~~~~ + export OS_AUTH_TYPE=v3samlpassword + export OS_IDENTITY_PROVIDER=samltest + export OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP + export OS_PROTOCOL=saml2 + export OS_USERNAME=morty + export OS_PASSWORD=panic + export OS_AUTH_URL=https://sp.keystone.example.org/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_PROJECT_NAME=federated_project + export OS_PROJECT_DOMAIN_NAME=Default + openstack token issue -.. code-block:: console +Use horizon to authenticate with an external Identity Provider +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - $ export OS_AUTH_TYPE=token - $ export OS_IDENTITY_API_VERSION=3 - $ export OS_TOKEN= - $ export OS_AUTH_URL=https://sp.keystone.example.org/v3 - $ export OS_PROJECT_DOMAIN_NAME=federated_domain - $ export OS_PROJECT_NAME=federated_project - $ openstack token issue +When horizon is configured to enable WebSSO, a dropdown menu will appear on the +login screen before the user has authenticated. Select an authentication method +from the menu to be redirected to your Identity Provider for authentication. + +.. image:: ../../_static/horizon-login-sp.png + :height: 400px + :alt: Horizon login screen using external authentication -------------------------------------- Keystone as an Identity Provider (IdP) @@ -555,8 +536,7 @@ a ``sp_url`` of ``https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP`` and ``auth_url`` of ``https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth`` . The ``sp_url`` will be used when creating a SAML assertion for ``mysp`` and signed by the current keystone IdP. The ``auth_url`` is used to retrieve the -token for ``mysp`` once the SAML assertion is sent. The auth_url has the format -described in `Get an unscoped token`_. +token for ``mysp`` once the SAML assertion is sent. .. code-block:: console 
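Review bot: in the new "Use the CLI to authenticate with a SAML2.0 Identity Provider" section, the `curl -s https://samltest.id/saml/idp | grep urn:oasis:names:tc:SAML:2.0:bindings:SOAP` example shows no output, so the reader cannot tell which part of the matched metadata element is the ECP endpoint that later becomes `OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP`; show the matching line and name the attribute to copy. Also, `-s` silences curl's error reporting, so a TLS or HTTP failure yields an empty grep result rather than a visible error; `curl -sS` (or `-f`) keeps failures visible, which matters because this URL is looked up without an administrator and is where the client will then send `OS_USERNAME` and `OS_PASSWORD`.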
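Review bot: dropping "The auth_url has the format described in `Get an unscoped token`_." is needed because that section is removed, but it leaves the general `/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth` form undocumented anywhere in the guide; only the concrete `https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth` example survives. Consider stating the general form inline, e.g. "The ``auth_url`` is the Service Provider's ``/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth`` endpoint."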
@@ -564,24 +544,40 @@ described in `Get an unscoped token`_. --service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \ --auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth mysp -Testing it all out ------------------- +Authenticating +-------------- + +Use the CLI to authenticate with Keystone-to-Keystone +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Use ``python-openstackclient`` to authenticate with the IdP and then get a scoped token from the SP. -.. NOTE:: - ECP stands for Enhanced Client or Proxy, an extension from the SAML2 - protocol used in non-browser interfaces, like in the following example. - .. code-block:: console - $ openstack \ - --os-service-provider mysp \ - --os-remote-project-name federated_project \ - --os-remote-project-domain-name federated_domain \ - token issue + export OS_USERNAME=demo + export OS_PASSWORD=nomoresecret + export OS_AUTH_URL=https://idp.keystone.example.org/v3 + export OS_IDENTITY_API_VERSION=3 + export OS_PROJECT_NAME=federated_project + export OS_PROJECT_DOMAIN_NAME=Default + export OS_SERVICE_PROVIDER=keystonesp + export OS_REMOTE_PROJECT_NAME=federated_project + export OS_REMOTE_PROJECT_DOMAIN_NAME=Default + openstack token issue +Use Horizon to switch clouds +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +No additional configuration is necessary to enable horizon for +Keystone to Keystone. Log into the horizon instance for the Identity Provider +using your regular local keystone credentials. Once logged in, you will see a +Service Provider dropdown menu which you can use to switch your dashboard view +to another cloud. + +.. image:: ../../_static/horizon-login-idp.png + :height: 175px + :alt: Horizon dropdown menu for switching between keystone providers .. include:: openidc.rst .. include:: mellon.rst
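Review bot: the new Keystone-to-Keystone example sets `OS_SERVICE_PROVIDER=keystonesp`, but the service provider registered in the preceding section is `mysp` (`--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth mysp`, "a SAML assertion for ``mysp``"), and the removed command used `--os-service-provider mysp`; as written, the example references a service provider the guide never creates. Use one name throughout. Two smaller points: the deleted NOTE was the only place the guide expanded ECP ("Enhanced Client or Proxy"), and the first hunk now introduces "the ECP authentication profile" without defining it, so keep that sentence, preferably beside the new note in the SAML section; and this block is tagged `console` with no `$` prompts while the equivalent export blocks in the SAML section are tagged `bash`, so pick one convention. The second `Authenticating` heading also repeats the earlier section title at the same level, which creates duplicate implicit targets in Sphinx; a more specific title such as "Authenticating with keystone as an Identity Provider" avoids that.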