Multiple IdPs problem

The documentation is modified in order to allow multiple
IdPs to be used with OS-Federation while avoiding conflicts among them.

The previously proposed configuration allowed a user from one IdP
to be mapped as a user from a different IdP. With the change
proposed here this is no longer possible.

Change-Id: I9d62a840c122fb36c02c56a84c4f2ef8c30303c4
Closes-Bug: 1390124
Marco Fargetta 2014-11-19 16:59:10 +01:00
parent 2dacb1ea15
commit 7cd8640e64
1 changed files with 45 additions and 3 deletions


@ -37,24 +37,29 @@ Add *WSGIScriptAlias* directive to your vhost configuration::
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
Make sure you add two *<Location>* directives to the *wsgi-keystone.conf*::
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Shibboleth module and
a *<Location>* directive for each identity provider::
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId idp_1
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibExportAssertion Off
Require valid-user
</LocationMatch>
</Location>
.. NOTE::
* ``saml2`` may be different in your deployment, but do not use a wildcard value.
Otherwise *every* federated protocol will be handled by Shibboleth.
* ``idp_1`` has to be replaced with the name associated with the idp in Keystone.
The same name is used inside the shibboleth2.xml configuration file but they could
be different.
* The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in
Apache 2.4+ and should be dropped in that specific setup.
* You are advised to carefully examine `Shibboleth Apache configuration
@ -199,6 +204,43 @@ environment):
-->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>
<ApplicationOverride id="idp_1" entityID="https://<yourhosthere>/shibboleth">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
relayState="ss:mem" handlerSSL="false">
<!-- Triggers a login request directly to the TestShib IdP. -->
<SSO entityID="https://<idp_1-url>/idp/shibboleth" ECP="true">
SAML2 SAML1
</SSO>
<Logout>SAML2 Local</Logout>
</Sessions>
<MetadataProvider type="XML" uri="<idp_1-metadata-file>"
backingFilePath="<local idp_1 metadata>"
reloadInterval="180000" />
</ApplicationOverride>
<ApplicationOverride id="idp_2" entityID="https://<yourhosthere>/shibboleth">
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
relayState="ss:mem" handlerSSL="false">
<!-- Triggers a login request directly to the TestShib IdP. -->
<SSO entityID="https://<idp_2-url>/idp/shibboleth" ECP="true">
SAML2 SAML1
</SSO>
<Logout>SAML2 Local</Logout>
</Sessions>
<MetadataProvider type="XML" uri="<idp_2-metadata-file>"
backingFilePath="<local idp_2 metadata>"
reloadInterval="180000" />
</ApplicationOverride>
</ApplicationDefaults>
<!--
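Review bot: Both new `<ApplicationOverride>` blocks set `handlerSSL="false"` on their `<Sessions>` element, which lets the SP handlers under `/Shibboleth.sso` (including the assertion consumer) be reached over plain HTTP and leaves the Shibboleth session cookie without the Secure flag; for a Keystone endpoint served over TLS the example should read `handlerSSL="true" cookieProps="https"`, or the surrounding text should state that these (and `checkAddress="false"`) are lab values to be tightened in production. The `<!-- Triggers a login request directly to the TestShib IdP. -->` comment is copied unchanged into both overrides and describes neither; I would replace it with `<!-- Force login at idp_1; this application trusts only the metadata loaded below. -->` and the matching text for idp_2, since that per-application metadata scoping is what keeps one IdP's users from being mapped as another's. The `reloadInterval="180000"` on each `<MetadataProvider>` means a rotated or revoked IdP signing key is only picked up after roughly 50 hours, so a shorter interval is worth recommending, depending on how the deployer obtains metadata. The enclosing `<ApplicationDefaults>` element opens before this hunk.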