
Fix nits in code blocks in federation guide

Fix inconsistent indentation of code-blocks, ensure shell samples
correctly differentiate between root-required commands and non-root
commands in accordance with the openstack-manuals recommendations[1],
and use proper markup for interactive shell examples.

[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst

Partial-bug: #1793374

Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
tags/15.0.0.0rc1
Colleen Murphy 5 months ago
parent
commit
9bc2b8875d

+ 125
- 125
doc/source/admin/federation/configure_federation.rst

@@ -100,10 +100,10 @@ Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
100 100
 Names should be equal to protocol names added via Identity API v3. Here we use
101 101
 examples ``saml2`` and ``openid``.
102 102
 
103
-.. code-block:: bash
103
+.. code-block:: ini
104 104
 
105
-       [auth]
106
-       methods = external,password,token,saml2,openid
105
+   [auth]
106
+   methods = external,password,token,saml2,openid
107 107
 
108 108
 Create keystone groups and assign roles
109 109
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -126,23 +126,23 @@ both of which are exposed to the CLI via `python-openstackclient
126 126
 
127 127
 For example, create a new domain and project like this:
128 128
 
129
-.. code-block:: bash
129
+.. code-block:: console
130 130
 
131
-    $ openstack domain create federated_domain
132
-    $ openstack project create federated_project --domain federated_domain
131
+   $ openstack domain create federated_domain
132
+   $ openstack project create federated_project --domain federated_domain
133 133
 
134 134
 And a new group like this:
135 135
 
136
-.. code-block:: bash
136
+.. code-block:: console
137 137
 
138
-    $ openstack group create federated_users
138
+   $ openstack group create federated_users
139 139
 
140 140
 Add the group to the domain and project:
141 141
 
142
-.. code-block:: bash
142
+.. code-block:: console
143 143
 
144
-    $ openstack role add --group federated_users --domain federated_domain Member
145
-    $ openstack role add --group federated_users --project federated_project Member
144
+   $ openstack role add --group federated_users --domain federated_domain Member
145
+   $ openstack role add --group federated_users --project federated_project Member
146 146
 
147 147
 We'll later add a mapping that makes all federated users a part of this group
148 148
 and therefore members of the new domain.
@@ -166,9 +166,9 @@ Identity Provider
166 166
 Create an Identity Provider object in keystone, which represents the Identity
167 167
 Provider we will use to authenticate end users:
168 168
 
169
-.. code-block:: bash
169
+.. code-block:: console
170 170
 
171
-    $ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
171
+   $ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
172 172
 
173 173
 The value for the ``remote-id`` option is the unique identifier provided by the
174 174
 IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
@@ -224,70 +224,70 @@ Mapping objects can be used multiple times by different combinations of Identity
224 224
 As a simple example, if keystone is your IdP, you can map a few known remote
225 225
 users to the group you already created:
226 226
 
227
-.. code-block:: bash
228
-
229
-    $ cat > rules.json <<EOF
230
-    [
231
-        {
232
-            "local": [
233
-                {
234
-                    "user": {
235
-                        "name": "{0}"
236
-                    },
237
-                    "group": {
238
-                        "domain": {
239
-                            "name": "Default"
240
-                        },
241
-                        "name": "federated_users"
242
-                    }
243
-                }
244
-            ],
245
-            "remote": [
246
-                {
247
-                    "type": "openstack_user"
248
-                },
249
-                {
250
-                    "type": "openstack_user",
251
-                    "any_one_of": [
252
-                        "demo",
253
-                        "alt_demo"
254
-                    ]
255
-                }
256
-            ]
257
-        }
258
-    ]
259
-    EOF
260
-    $ openstack mapping create --rules rules.json myidp_mapping
227
+.. code-block:: console
228
+
229
+   $ cat > rules.json <<EOF
230
+   [
231
+       {
232
+           "local": [
233
+               {
234
+                   "user": {
235
+                       "name": "{0}"
236
+                   },
237
+                   "group": {
238
+                       "domain": {
239
+                           "name": "Default"
240
+                       },
241
+                       "name": "federated_users"
242
+                   }
243
+               }
244
+           ],
245
+           "remote": [
246
+               {
247
+                   "type": "openstack_user"
248
+               },
249
+               {
250
+                   "type": "openstack_user",
251
+                   "any_one_of": [
252
+                       "demo",
253
+                       "alt_demo"
254
+                   ]
255
+               }
256
+           ]
257
+       }
258
+   ]
259
+   EOF
260
+   $ openstack mapping create --rules rules.json myidp_mapping
261 261
 
262 262
 As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
263 263
 
264
-.. code-block:: bash
265
-
266
-    $ cat > rules.json <<EOF
267
-    [
268
-        {
269
-            "local": [
270
-                {
271
-                    "user": {
272
-                        "name": "{0}"
273
-                    },
274
-                    "group": {
275
-                        "domain": {
276
-                            "name": "Default"
277
-                        },
278
-                        "name": "federated_users"
279
-                    }
280
-                }
281
-            ],
282
-            "remote": [
283
-                {
284
-                    "type": "REMOTE_USER"
285
-                }
286
-            ]
287
-        }
288
-    ]
289
-    EOF
290
-    $ openstack mapping create --rules rules.json myidp_mapping
264
+.. code-block:: console
265
+
266
+   $ cat > rules.json <<EOF
267
+   [
268
+       {
269
+           "local": [
270
+               {
271
+                   "user": {
272
+                       "name": "{0}"
273
+                   },
274
+                   "group": {
275
+                       "domain": {
276
+                           "name": "Default"
277
+                       },
278
+                       "name": "federated_users"
279
+                   }
280
+               }
281
+           ],
282
+           "remote": [
283
+               {
284
+                   "type": "REMOTE_USER"
285
+               }
286
+           ]
287
+       }
288
+   ]
289
+   EOF
290
+   $ openstack mapping create --rules rules.json myidp_mapping
291 291
 
292 292
 Read more about `mapping
293 293
 <https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
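Review bot: the Shibboleth example's remote rule (`"type": "REMOTE_USER"` with no `any_one_of`) maps every user the IdP authenticates into `federated_users` in the `Default` domain, whereas the keystone-as-IdP example just above restricts membership to `demo` and `alt_demo`. Since this hunk rewrites both blocks anyway, a sentence after the second example saying that the filter was deliberately dropped there, and that without one the SP trusts the IdP's entire user population, would stop readers copying it as-is.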
@@ -301,9 +301,9 @@ request made by an IdP. An IdP may have multiple supported protocols.
301 301
 
302 302
 You can create a protocol like this:
303 303
 
304
-.. code-block:: bash
304
+.. code-block:: console
305 305
 
306
-    $ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
306
+   $ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
307 307
 
308 308
 The name you give the protocol is not arbitrary. It must match the method name
309 309
 you gave in the ``[auth]/methods`` config option. When authenticating it will be
@@ -356,9 +356,9 @@ considered protected by ``mod_shib`` and Apache, as such a request made
356 356
 to the URL would be redirected to the Identity Provider, to start the
357 357
 SAML authentication procedure.
358 358
 
359
-.. code-block:: bash
359
+.. code-block:: console
360 360
 
361
-    $ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
361
+   $ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
362 362
 
363 363
 Determine accessible resources
364 364
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -376,21 +376,21 @@ Read more about `listing resources
376 376
 Example
377 377
 ~~~~~~~
378 378
 
379
-.. code-block:: bash
379
+.. code-block:: console
380 380
 
381
-    $ export OS_IDENTITY_API_VERSION=3
382
-    $ export OS_TOKEN=<unscoped token>
383
-    $ export OS_URL=https://sp.keystone.example.org/v3
384
-    $ openstack federation project list
381
+   $ export OS_IDENTITY_API_VERSION=3
382
+   $ export OS_TOKEN=<unscoped token>
383
+   $ export OS_URL=https://sp.keystone.example.org/v3
384
+   $ openstack federation project list
385 385
 
386 386
 or
387 387
 
388
-.. code-block:: bash
388
+.. code-block:: console
389 389
 
390
-    $ export OS_IDENTITY_API_VERSION=3
391
-    $ export OS_TOKEN=<unscoped token>
392
-    $ export OS_URL=https://sp.keystone.example.org/v3
393
-    $ openstack federation domain list
390
+   $ export OS_IDENTITY_API_VERSION=3
391
+   $ export OS_TOKEN=<unscoped token>
392
+   $ export OS_URL=https://sp.keystone.example.org/v3
393
+   $ openstack federation domain list
394 394
 
395 395
 Get a scoped token
396 396
 ~~~~~~~~~~~~~~~~~~
@@ -406,15 +406,15 @@ Read more about `getting a scoped token
406 406
 Example
407 407
 ~~~~~~~
408 408
 
409
-.. code-block:: bash
409
+.. code-block:: console
410 410
 
411
-    $ export OS_AUTH_TYPE=token
412
-    $ export OS_IDENTITY_API_VERSION=3
413
-    $ export OS_TOKEN=<unscoped token>
414
-    $ export OS_AUTH_URL=https://sp.keystone.example.org/v3
415
-    $ export OS_PROJECT_DOMAIN_NAME=federated_domain
416
-    $ export OS_PROJECT_NAME=federated_project
417
-    $ openstack token issue
411
+   $ export OS_AUTH_TYPE=token
412
+   $ export OS_IDENTITY_API_VERSION=3
413
+   $ export OS_TOKEN=<unscoped token>
414
+   $ export OS_AUTH_URL=https://sp.keystone.example.org/v3
415
+   $ export OS_PROJECT_DOMAIN_NAME=federated_domain
416
+   $ export OS_PROJECT_NAME=federated_project
417
+   $ openstack token issue
418 418
 
419 419
 --------------------------------------
420 420
 Keystone as an Identity Provider (IdP)
@@ -433,9 +433,9 @@ Keystone as an Identity Provider (IdP)
433 433
 
434 434
     Example for apt:
435 435
 
436
-    .. code-block:: bash
436
+    .. code-block:: console
437 437
 
438
-            $ apt-get install xmlsec1
438
+       # apt-get install xmlsec1
439 439
 
440 440
 .. note::
441 441
 
@@ -457,9 +457,9 @@ example:
457 457
 
458 458
 .. code-block:: ini
459 459
 
460
-    [saml]
461
-    idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
462
-    idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
460
+   [saml]
461
+   idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
462
+   idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
463 463
 
464 464
 ``idp_entity_id`` is the unique identifier for the Identity Provider. It
465 465
 usually takes the form of a URI but it does not have to resolve to anything.
@@ -471,30 +471,30 @@ necessary:
471 471
 
472 472
 .. code-block:: ini
473 473
 
474
-    certfile=/etc/keystone/ssl/certs/signing_cert.pem
475
-    keyfile=/etc/keystone/ssl/private/signing_key.pem
476
-    idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
474
+   certfile=/etc/keystone/ssl/certs/signing_cert.pem
475
+   keyfile=/etc/keystone/ssl/private/signing_key.pem
476
+   idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
477 477
 
478 478
 Though not necessary, the follow Organization configuration options should
479 479
 also be setup. It is recommended that these values be URL safe.
480 480
 
481 481
 .. code-block:: ini
482 482
 
483
-    idp_organization_name=example_company
484
-    idp_organization_display_name=Example Corp.
485
-    idp_organization_url=example.com
483
+   idp_organization_name=example_company
484
+   idp_organization_display_name=Example Corp.
485
+   idp_organization_url=example.com
486 486
 
487 487
 As with the Organization options, the Contact options, are not necessary, but
488 488
 it's advisable to set these values too.
489 489
 
490 490
 .. code-block:: ini
491 491
 
492
-    idp_contact_company=example_company
493
-    idp_contact_name=John
494
-    idp_contact_surname=Smith
495
-    idp_contact_email=jsmith@example.com
496
-    idp_contact_telephone=555-555-5555
497
-    idp_contact_type=technical
492
+   idp_contact_company=example_company
493
+   idp_contact_name=John
494
+   idp_contact_surname=Smith
495
+   idp_contact_email=jsmith@example.com
496
+   idp_contact_telephone=555-555-5555
497
+   idp_contact_type=technical
498 498
 
499 499
 Generate Metadata
500 500
 -----------------
@@ -514,9 +514,9 @@ vhost::
514 514
 To create metadata for your keystone IdP, run the ``keystone-manage`` command
515 515
 and redirect the output to a file. For example:
516 516
 
517
-.. code-block:: bash
517
+.. code-block:: console
518 518
 
519
-    $ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
519
+   # keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
520 520
 
521 521
 .. NOTE::
522 522
     The file location should match the value of the configuration option
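Review bot: switching this command to the `#` prompt is right for writing under `/etc/keystone/`, but the shell redirect then creates `saml2_idp_metadata.xml` owned by root, and keystone serves this file from the path given in `idp_metadata_path`. Suggest extending the NOTE that follows with a sentence that the file must be readable by the user the keystone service runs as (or that the command be run as that user).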
@@ -535,11 +535,11 @@ signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
535 535
 token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
536 536
 described in `Get an unscoped token`_.
537 537
 
538
-.. code-block:: bash
538
+.. code-block:: console
539 539
 
540
-    $ openstack service provider create \
541
-    --service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
542
-    --auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
540
+   $ openstack service provider create \
541
+   --service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
542
+   --auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
543 543
 
544 544
 Testing it all out
545 545
 ------------------
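Review bot: the continuation lines `--service-provider-url ...` and `--auth-url ...` are now flush with the `$` prompt, so in the rendered console block they read like separate commands rather than arguments of `openstack service provider create`; suggest indenting them by a few spaces under the `$` line (the same applies to the `openstack token issue` ECP example in the next hunk).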
@@ -551,13 +551,13 @@ scoped token from the SP.
551 551
     ECP stands for Enhanced Client or Proxy, an extension from the SAML2
552 552
     protocol used in non-browser interfaces, like in the following example.
553 553
 
554
-.. code-block:: bash
554
+.. code-block:: console
555 555
 
556
-    $ openstack \
557
-    --os-service-provider mysp \
558
-    --os-remote-project-name federated_project \
559
-    --os-remote-project-domain-name federated_domain \
560
-    token issue
556
+   $ openstack \
557
+   --os-service-provider mysp \
558
+   --os-remote-project-name federated_project \
559
+   --os-remote-project-domain-name federated_domain \
560
+   token issue
561 561
 
562 562
 
563 563
 .. include:: openidc.rst

+ 473
- 473
doc/source/admin/federation/mapping_combinations.rst
File diff suppressed because it is too large


+ 26
- 26
doc/source/admin/federation/mellon.rst

@@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
28 28
 You'll also need to install the Apache module `mod_auth_mellon
29 29
 <https://github.com/UNINETT/mod_auth_mellon>`_.  For example:
30 30
 
31
-.. code-block:: bash
31
+.. code-block:: console
32 32
 
33
-    $ apt-get install libapache2-mod-auth-mellon
33
+   # apt-get install libapache2-mod-auth-mellon
34 34
 
35 35
 Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
36 36
 
@@ -41,22 +41,22 @@ Add this *WSGIScriptAlias* directive to your public vhost configuration::
41 41
 Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
42 42
 a *<Location>* directive for each identity provider
43 43
 
44
-.. code-block:: none
44
+.. code-block:: apache
45 45
 
46
-    <Location /v3>
47
-        MellonEnable "info"
48
-        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
49
-        MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
50
-        MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
51
-        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
52
-        MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
53
-        MellonIdP "IDP"
54
-    </Location>
46
+   <Location /v3>
47
+       MellonEnable "info"
48
+       MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
49
+       MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
50
+       MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
51
+       MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
52
+       MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
53
+       MellonIdP "IDP"
54
+   </Location>
55 55
 
56
-    <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
57
-        AuthType "Mellon"
58
-        MellonEnable "auth"
59
-    </Location>
56
+   <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
57
+       AuthType "Mellon"
58
+       MellonEnable "auth"
59
+   </Location>
60 60
 
61 61
 .. NOTE::
62 62
     * See below for information about how to generate the values for the
@@ -69,9 +69,9 @@ a *<Location>* directive for each identity provider
69 69
 
70 70
 Enable the ``auth_mellon`` module, for example:
71 71
 
72
-.. code-block:: bash
72
+.. code-block:: console
73 73
 
74
-    $ a2enmod auth_mellon
74
+   # a2enmod auth_mellon
75 75
 
76 76
 Configuring the Mellon SP Metadata
77 77
 ----------------------------------
@@ -80,10 +80,10 @@ Mellon provides a script called `mellon_create_metadata.sh`_ which generates
80 80
 the values for the config directives `MellonSPPrivateKeyFile`,
81 81
 `MellonSPCertFile`, and `MellonSPMetadataFile`.  It is run like this:
82 82
 
83
-.. code-block:: bash
83
+.. code-block:: console
84 84
 
85
-    $ ./mellon_create_metadata.sh  https://sp.keystone.example.org/mellon\
86
-      https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
85
+   $ ./mellon_create_metadata.sh  https://sp.keystone.example.org/mellon\
86
+   https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
87 87
 
88 88
 The first parameter is used as the entity ID, a unique identifier for this
89 89
 Keystone SP.  You do not have to use the URL, but it is an easy way to uniquely
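Review bot: this re-indentation breaks the `mellon_create_metadata.sh` invocation. The first line ends in `mellon\` with no space before the backslash, and the second line was dedented to the block's own indentation, so after the backslash-newline is removed the shell sees one argument, `https://sp.keystone.example.org/mellonhttps://sp.keystone.example.org/v3/...`, instead of an entity ID and an endpoint URL (the old version kept two extra spaces on the continuation line, which is why it worked). Suggest `...mellon \` with a space before the backslash, or indenting the continuation line under the `$` line.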
@@ -107,15 +107,15 @@ can upload the file, or you may be required to submit the file using `wget` or
107 107
 Fetch your Identity Provider's Metadata file and copy it to the path specified
108 108
 by the `MellonIdPMetadataFile` directive above. For example:
109 109
 
110
-.. code-block:: bash
110
+.. code-block:: console
111 111
 
112
-    $ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
113
-      https://myidp.example.com/idp/saml2/metadata
112
+   $ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
113
+   https://myidp.example.com/idp/saml2/metadata
114 114
 
115 115
 Once you are done, restart the Apache instance that is serving Keystone, for example:
116 116
 
117
-.. code-block:: bash
117
+.. code-block:: console
118 118
 
119
-    $ service apache2 restart
119
+   # service apache2 restart
120 120
 
121 121
 .. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh
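Review bot: the `wget` command writes to `/etc/apache2/mellon/idp-metadata.xml` but keeps the `$` prompt, while the `service apache2 restart` line in the same hunk was switched to `#`; by the conventions this change applies, writing under `/etc/apache2/` is a root-required command and should use `#` too. While this line is being touched: `--cacert` is curl's spelling, wget's option is `--ca-certificate=/path/to/ca.crt`, so the example as written fails with an unrecognized option.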

+ 23
- 23
doc/source/admin/federation/openidc.rst

@@ -24,43 +24,43 @@ Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openi
24 24
 
25 25
 To install `mod_auth_openidc` on Ubuntu, perform the following:
26 26
 
27
-.. code-block:: bash
27
+.. code-block:: console
28 28
 
29
-  $ sudo apt-get install libapache2-mod-auth-openidc
29
+   # apt-get install libapache2-mod-auth-openidc
30 30
 
31 31
 This module is available for other distributions (Fedora/CentOS/Red Hat) from:
32 32
 https://github.com/pingidentity/mod_auth_openidc/releases
33 33
 
34 34
 Enable the auth_openidc module:
35 35
 
36
-.. code-block:: bash
36
+.. code-block:: console
37 37
 
38
-   $ sudo a2enmod auth_openidc
38
+   # a2enmod auth_openidc
39 39
 
40 40
 In the keystone vhost file, locate the virtual host entry and add the following
41 41
 entries for OpenID Connect:
42 42
 
43
-.. code-block:: none
43
+.. code-block:: apache
44 44
 
45
-  <VirtualHost *:5000>
45
+   <VirtualHost *:5000>
46 46
 
47
-      ...
47
+       ...
48 48
 
49
-      OIDCClaimPrefix "OIDC-"
50
-      OIDCResponseType "id_token"
51
-      OIDCScope "openid email profile"
52
-      OIDCProviderMetadataURL <url_of_provider_metadata>
53
-      OIDCClientID <openid_client_id>
54
-      OIDCClientSecret <openid_client_secret>
55
-      OIDCCryptoPassphrase openstack
56
-      OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
49
+       OIDCClaimPrefix "OIDC-"
50
+       OIDCResponseType "id_token"
51
+       OIDCScope "openid email profile"
52
+       OIDCProviderMetadataURL <url_of_provider_metadata>
53
+       OIDCClientID <openid_client_id>
54
+       OIDCClientSecret <openid_client_secret>
55
+       OIDCCryptoPassphrase openstack
56
+       OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
57 57
 
58
-      <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
59
-        AuthType openid-connect
60
-        Require valid-user
61
-        LogLevel debug
62
-      </LocationMatch>
63
-  </VirtualHost>
58
+       <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
59
+         AuthType openid-connect
60
+         Require valid-user
61
+         LogLevel debug
62
+       </LocationMatch>
63
+   </VirtualHost>
64 64
 
65 65
 Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
66 66
 If not using `OIDCProviderMetadataURL`, then the following attributes
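Review bot: two values in the vhost snippet read as real settings rather than placeholders, unlike `<openid_client_id>` and `<openid_client_secret>` on the neighbouring lines. `OIDCCryptoPassphrase openstack` is a literal secret that protects the module's session and state cookies and will be pasted verbatim; suggest `<random_passphrase>` to match the other placeholders. `LogLevel debug` inside the `<LocationMatch>` that handles the OpenID Connect callback is a troubleshooting setting that logs request details; suggest either dropping it or marking it as for debugging only.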
@@ -75,9 +75,9 @@ for more details
75 75
 
76 76
 Once you are done, restart your Apache daemon:
77 77
 
78
-.. code-block:: bash
78
+.. code-block:: console
79 79
 
80
-    $ sudo service apache2 restart
80
+   # service apache2 restart
81 81
 
82 82
 Tips
83 83
 ----

+ 155
- 153
doc/source/admin/federation/shibboleth.rst

@@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
28 28
 You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
29 29
 example:
30 30
 
31
-.. code-block:: bash
31
+.. code-block:: console
32 32
 
33
-    $ apt-get install libapache2-mod-shib2
33
+   # apt-get install libapache2-mod-shib2
34 34
 
35 35
 Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
36 36
 
@@ -39,23 +39,25 @@ Add this *WSGIScriptAliasMatch* directive to your public vhost configuration::
39 39
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
40 40
 
41 41
 Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
42
-Shibboleth module and a *<Location>* directive for each identity provider::
42
+Shibboleth module and a *<Location>* directive for each identity provider
43 43
 
44
-    <Location /Shibboleth.sso>
45
-        SetHandler shib
46
-    </Location>
44
+.. code-block:: apache
47 45
 
48
-    <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
49
-        ShibRequestSetting requireSession 1
50
-        AuthType shibboleth
51
-        ShibExportAssertion Off
52
-        Require valid-user
46
+   <Location /Shibboleth.sso>
47
+       SetHandler shib
48
+   </Location>
53 49
 
54
-        <IfVersion < 2.4>
55
-            ShibRequireSession On
56
-            ShibRequireAll On
57
-       </IfVersion>
58
-    </Location>
50
+   <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
51
+       ShibRequestSetting requireSession 1
52
+       AuthType shibboleth
53
+       ShibExportAssertion Off
54
+       Require valid-user
55
+
56
+       <IfVersion < 2.4>
57
+           ShibRequireSession On
58
+           ShibRequireAll On
59
+      </IfVersion>
60
+   </Location>
59 61
 
60 62
 .. NOTE::
61 63
     * ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
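Review bot: converting the `::` literal block into `.. code-block:: apache` drops the trailing colon from the sentence "a *<Location>* directive for each identity provider", which now ends without punctuation; suggest ending it with `:` as the other code-block introductions in this guide do. Also, `</IfVersion>` is indented one space less than the `<IfVersion < 2.4>` it closes (6 vs 7 spaces); the old block had the same mismatch, and this re-indentation is the natural place to align them.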
@@ -68,15 +70,15 @@ Shibboleth module and a *<Location>* directive for each identity provider::
68 70
 
69 71
 Enable the ``shib2`` module, for example:
70 72
 
71
-.. code-block:: bash
73
+.. code-block:: console
72 74
 
73
-    $ a2enmod shib2
75
+   # a2enmod shib2
74 76
 
75 77
 Restart Apache, for example:
76 78
 
77
-.. code-block:: bash
79
+.. code-block:: console
78 80
 
79
-    $ service apache2 restart
81
+   # service apache2 restart
80 82
 
81 83
 Configuring shibboleth2.xml
82 84
 ---------------------------
@@ -86,9 +88,9 @@ configure Shibboleth and upload your Metadata to the Identity Provider.
86 88
 
87 89
 Create a new keypair for Shibboleth with:
88 90
 
89
-.. code-block:: bash
91
+.. code-block:: console
90 92
 
91
-    $ shib-keygen -y <number of years>
93
+   # shib-keygen -y <number of years>
92 94
 
93 95
 The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
94 96
 
@@ -101,20 +103,20 @@ file. You will want to change five settings:
101 103
 
102 104
 .. code-block:: xml
103 105
 
104
-    <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
106
+   <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
105 107
 
106 108
 * Set the IdP entity ID. This value is determined by the IdP. For example, if
107 109
   Keystone is the IdP:
108 110
 
109 111
 .. code-block:: xml
110 112
 
111
-    <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
113
+   <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
112 114
 
113 115
 Example if samltest.id is the IdP:
114 116
 
115 117
 .. code-block:: xml
116 118
 
117
-    <SSO entityID="https://samltest.id/saml/idp">
119
+   <SSO entityID="https://samltest.id/saml/idp">
118 120
 
119 121
 * Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
120 122
 
@@ -123,13 +125,13 @@ Example if samltest.id is the IdP:
123 125
 
124 126
 .. code-block:: xml
125 127
 
126
-    <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
128
+   <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
127 129
 
128 130
 Example if samltest.id is the IdP:
129 131
 
130 132
 .. code-block:: xml
131 133
 
132
-    <MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
134
+   <MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
133 135
 
134 136
 You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
135 137
 
@@ -138,143 +140,143 @@ to be used in a production environment):
138 140
 
139 141
 .. code-block:: xml
140 142
 
141
-    <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
142
-        xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
143
-        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
144
-        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
145
-        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
146
-        clockSkew="180">
147
-
148
-        <!--
149
-        By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
150
-        are used. See example-shibboleth2.xml for samples of explicitly configuring them.
151
-        -->
152
-
153
-        <!--
154
-        To customize behavior for specific resources on Apache, and to link vhosts or
155
-        resources to ApplicationOverride settings below, use web server options/commands.
156
-        See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
157
-
158
-        For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
159
-        file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
160
-        -->
161
-
162
-        <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
163
-        <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
164
-
165
-            <!--
166
-            Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
167
-            You MUST supply an effectively unique handlerURL value for each of your applications.
168
-            The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
169
-            a relative value based on the virtual host. Using handlerSSL="true", the default, will force
170
-            the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
171
-            Note that while we default checkAddress to "false", this has a negative impact on the
172
-            security of your site. Stealing sessions via cookie theft is much easier with this disabled.
173
-            -->
174
-            <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
175
-                      checkAddress="false" handlerSSL="false" cookieProps="http">
176
-
177
-                <!--
178
-                Configures SSO for a default IdP. To allow for >1 IdP, remove
179
-                entityID property and adjust discoveryURL to point to discovery service.
180
-                (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
181
-                You can also override entityID on /Login query string, or in RequestMap/htaccess.
182
-                -->
183
-                <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
184
-                  SAML2 SAML1
185
-                </SSO>
186
-
187
-                <!-- SAML and local-only logout. -->
188
-                <Logout>SAML2 Local</Logout>
189
-
190
-                <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
191
-                <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
192
-
193
-                <!-- Status reporting service. -->
194
-                <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
195
-
196
-                <!-- Session diagnostic service. -->
197
-                <Handler type="Session" Location="/Session" showAttributeValues="false"/>
198
-
199
-                <!-- JSON feed of discovery information. -->
200
-                <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
201
-            </Sessions>
202
-            <!--
203
-            Allows overriding of error template information/filenames. You can
204
-            also add attributes with values that can be plugged into the templates.
205
-            -->
206
-            <Errors supportContact="root@localhost"
207
-                helpLocation="/about.html"
208
-                styleSheet="/shibboleth-sp/main.css"/>
209
-
210
-            <!-- Example of remotely supplied batch of signed metadata. -->
211
-            <!--
212
-            <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
213
-                  backingFilePath="federation-metadata.xml" reloadInterval="7200">
214
-                <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
215
-                <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
216
-            </MetadataProvider>
217
-            -->
218
-
219
-            <!-- Example of locally maintained metadata. -->
220
-            <!--
221
-            <MetadataProvider type="XML" file="partner-metadata.xml"/>
222
-            -->
223
-            <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
224
-
225
-            <!-- Map to extract attributes from SAML assertions. -->
226
-            <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
227
-
228
-            <!-- Use a SAML query if no attributes are supplied during SSO. -->
229
-            <AttributeResolver type="Query" subjectMatch="true"/>
230
-
231
-            <!-- Default filtering policy for recognized attributes, lets other data pass. -->
232
-            <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
233
-
234
-            <!-- Simple file-based resolver for using a single keypair. -->
235
-            <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
236
-
237
-            <!--
238
-            The default settings can be overridden by creating ApplicationOverride elements (see
239
-            the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
240
-            Resource requests are mapped by web server commands, or the RequestMapper, to an
241
-            applicationId setting.
242
-            Example of a second application (for a second vhost) that has a different entityID.
243
-            Resources on the vhost would map to an applicationId of "admin":
244
-            -->
245
-            <!--
246
-            <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
247
-            -->
248
-        </ApplicationDefaults>
249
-
250
-        <!-- Policies that determine how to process and authenticate runtime messages. -->
251
-        <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
252
-
253
-        <!-- Low-level configuration about protocols and bindings available for use. -->
254
-        <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
255
-
256
-    </SPConfig>
143
+   <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
144
+       xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
145
+       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
146
+       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
147
+       xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
148
+       clockSkew="180">
149
+
150
+       <!--
151
+       By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
152
+       are used. See example-shibboleth2.xml for samples of explicitly configuring them.
153
+       -->
154
+
155
+       <!--
156
+       To customize behavior for specific resources on Apache, and to link vhosts or
157
+       resources to ApplicationOverride settings below, use web server options/commands.
158
+       See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
159
+
160
+       For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
161
+       file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
162
+       -->
163
+
164
+       <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
165
+       <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
166
+
167
+           <!--
168
+           Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
169
+           You MUST supply an effectively unique handlerURL value for each of your applications.
170
+           The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
171
+           a relative value based on the virtual host. Using handlerSSL="true", the default, will force
172
+           the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
173
+           Note that while we default checkAddress to "false", this has a negative impact on the
174
+           security of your site. Stealing sessions via cookie theft is much easier with this disabled.
175
+           -->
176
+           <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
177
+                     checkAddress="false" handlerSSL="false" cookieProps="http">
178
+
179
+               <!--
180
+               Configures SSO for a default IdP. To allow for >1 IdP, remove
181
+               entityID property and adjust discoveryURL to point to discovery service.
182
+               (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
183
+               You can also override entityID on /Login query string, or in RequestMap/htaccess.
184
+               -->
185
+               <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
186
+                 SAML2 SAML1
187
+               </SSO>
188
+
189
+               <!-- SAML and local-only logout. -->
190
+               <Logout>SAML2 Local</Logout>
191
+
192
+               <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
193
+               <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
194
+
195
+               <!-- Status reporting service. -->
196
+               <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
197
+
198
+               <!-- Session diagnostic service. -->
199
+               <Handler type="Session" Location="/Session" showAttributeValues="false"/>
200
+
201
+               <!-- JSON feed of discovery information. -->
202
+               <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
203
+           </Sessions>
204
+           <!--
205
+           Allows overriding of error template information/filenames. You can
206
+           also add attributes with values that can be plugged into the templates.
207
+           -->
208
+           <Errors supportContact="root@localhost"
209
+               helpLocation="/about.html"
210
+               styleSheet="/shibboleth-sp/main.css"/>
211
+
212
+           <!-- Example of remotely supplied batch of signed metadata. -->
213
+           <!--
214
+           <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
215
+                 backingFilePath="federation-metadata.xml" reloadInterval="7200">
216
+               <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
217
+               <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
218
+           </MetadataProvider>
219
+           -->
220
+
221
+           <!-- Example of locally maintained metadata. -->
222
+           <!--
223
+           <MetadataProvider type="XML" file="partner-metadata.xml"/>
224
+           -->
225
+           <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
226
+
227
+           <!-- Map to extract attributes from SAML assertions. -->
228
+           <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
229
+
230
+           <!-- Use a SAML query if no attributes are supplied during SSO. -->
231
+           <AttributeResolver type="Query" subjectMatch="true"/>
232
+
233
+           <!-- Default filtering policy for recognized attributes, lets other data pass. -->
234
+           <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
235
+
236
+           <!-- Simple file-based resolver for using a single keypair. -->
237
+           <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
238
+
239
+           <!--
240
+           The default settings can be overridden by creating ApplicationOverride elements (see
241
+           the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
242
+           Resource requests are mapped by web server commands, or the RequestMapper, to an
243
+           applicationId setting.
244
+           Example of a second application (for a second vhost) that has a different entityID.
245
+           Resources on the vhost would map to an applicationId of "admin":
246
+           -->
247
+           <!--
248
+           <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
249
+           -->
250
+       </ApplicationDefaults>
251
+
252
+       <!-- Policies that determine how to process and authenticate runtime messages. -->
253
+       <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
254
+
255
+       <!-- Low-level configuration about protocols and bindings available for use. -->
256
+       <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
257
+
258
+   </SPConfig>
257 259
 
258 260
 If keystone is your IdP, you will need to examine your attributes map file
259 261
 ``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
260 262
 
261 263
 .. code-block:: xml
262 264
 
263
-    <Attribute name="openstack_user" id="openstack_user"/>
264
-    <Attribute name="openstack_roles" id="openstack_roles"/>
265
-    <Attribute name="openstack_project" id="openstack_project"/>
266
-    <Attribute name="openstack_user_domain" id="openstack_user_domain"/>
267
-    <Attribute name="openstack_project_domain" id="openstack_project_domain"/>
265
+   <Attribute name="openstack_user" id="openstack_user"/>
266
+   <Attribute name="openstack_roles" id="openstack_roles"/>
267
+   <Attribute name="openstack_project" id="openstack_project"/>
268
+   <Attribute name="openstack_user_domain" id="openstack_user_domain"/>
269
+   <Attribute name="openstack_project_domain" id="openstack_project_domain"/>
268 270
 
269 271
 For more information see the
270 272
 `attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
271 273
 
272 274
 Once you are done, restart your Shibboleth daemon and apache:
273 275
 
274
-.. code-block:: bash
276
+.. code-block:: console
275 277
 
276
-    $ service shibd restart
277
-    $ service apache2 restart
278
+   # service shibd restart
279
+   # service apache2 restart
278 280
 
279 281
 Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
280 282
 correct them.
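Review bot: the reindented shibboleth2.xml sample still ships its Sessions element with `checkAddress="false" handlerSSL="false" cookieProps="http"`, even though the comment directly above it states that handlerSSL="true" is the default, that cookieProps should be "https" for SSL-only sites, and that disabling checkAddress makes session theft via stolen cookies easier; the guide's own entityID and metadata URLs in this hunk are https, so consider making the sample match its comment (e.g. `handlerSSL="true" cookieProps="https"`) so a copy-paste deployment does not hand session cookies over plain HTTP. Minor: the context line "For more information see the `attributes documentation <...>`_" is missing its trailing period.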
@@ -282,9 +284,9 @@ correct them.
282 284
 Upload your Service Provider's metadata file to your Identity Provider. You can
283 285
 fetch it with:
284 286
 
285
-.. code-block:: bash
287
+.. code-block:: console
286 288
 
287
-    $ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
289
+   # wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
288 290
 
289 291
 This step depends on your Identity Provider choice and is not covered here.
290 292
 If keystone is your Identity Provider you do not need to upload this file.
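Review bot: changing the prompt to `# wget https://sp.keystone.example.org/Shibboleth.sso/Metadata` marks this command as root-required, but fetching the SP metadata over HTTPS needs no privileges, so under the prompt convention this commit is applying the line should keep the `$` prompt; the switch of the directive from bash to console is right.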

+ 94
- 94
doc/source/admin/federation/websso.rst View File

@@ -27,9 +27,9 @@ prevent man-in-the-middle (MITM) attacks.
27 27
 
28 28
 .. code-block:: ini
29 29
 
30
-  [federation]
31
-  trusted_dashboard = http://acme.horizon.com/auth/websso/
32
-  trusted_dashboard = http://beta.horizon.com/auth/websso/
30
+   [federation]
31
+   trusted_dashboard = http://acme.horizon.com/auth/websso/
32
+   trusted_dashboard = http://beta.horizon.com/auth/websso/
33 33
 
34 34
 2. Update httpd vhost file with websso information.
35 35
 
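Review bot: the trusted_dashboard values in this hunk remain plain http:// URLs (`trusted_dashboard = http://acme.horizon.com/auth/websso/`) while the hunk's own context says the option exists to prevent man-in-the-middle (MITM) attacks; since the lines are being rewritten anyway, the sample should use https:// URLs so readers do not copy a configuration that undermines the protection the paragraph describes.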
@@ -47,95 +47,95 @@ is configured in keystone.
47 47
 
48 48
 If `mod_shib` is used, then use the following as an example:
49 49
 
50
-.. code-block:: none
50
+.. code-block:: apache
51 51
 
52
-  <VirtualHost *:5000>
52
+   <VirtualHost *:5000>
53 53
 
54
-      ...
54
+       ...
55 55
 
56
-      <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
57
-        AuthType shibboleth
58
-        Require valid-user
59
-        ShibRequestSetting requireSession 1
60
-        ShibRequireSession On
61
-        ShibExportAssertion Off
62
-      </Location>
63
-      <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
64
-        AuthType shibboleth
65
-        Require valid-user
66
-      </Location>
67
-  </VirtualHost>
56
+       <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
57
+         AuthType shibboleth
58
+         Require valid-user
59
+         ShibRequestSetting requireSession 1
60
+         ShibRequireSession On
61
+         ShibExportAssertion Off
62
+       </Location>
63
+       <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
64
+         AuthType shibboleth
65
+         Require valid-user
66
+       </Location>
67
+   </VirtualHost>
68 68
 
69 69
 If `mod_auth_openidc` is used, then use the following as an example:
70 70
 
71
-.. code-block:: none
71
+.. code-block:: apache
72 72
 
73
-  <VirtualHost *:5000>
73
+   <VirtualHost *:5000>
74 74
 
75
-      OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
76
-      OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
75
+       OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
76
+       OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
77 77
 
78
-      ...
78
+       ...
79 79
 
80
-      <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
81
-        AuthType openid-connect
82
-        Require valid-user
83
-        ...
84
-      </Location>
85
-      <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
86
-        AuthType openid-connect
87
-        Require valid-user
88
-        ...
89
-      </Location>
90
-  </VirtualHost>
80
+       <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
81
+         AuthType openid-connect
82
+         Require valid-user
83
+         ...
84
+       </Location>
85
+       <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
86
+         AuthType openid-connect
87
+         Require valid-user
88
+         ...
89
+       </Location>
90
+   </VirtualHost>
91 91
 
92 92
 If `mod_auth_kerb` is used, then use the following as an example:
93 93
 
94
-.. code-block:: none
95
-
96
-  <VirtualHost *:5000>
97
-
98
-      ...
99
-
100
-      <Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
101
-        AuthType Kerberos
102
-        AuthName "Acme Corporation"
103
-        KrbMethodNegotiate on
104
-        KrbMethodK5Passwd off
105
-        Krb5Keytab /etc/apache2/http.keytab
106
-        ...
107
-      </Location>
108
-      <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
109
-        AuthType Kerberos
110
-        AuthName "Acme Corporation"
111
-        KrbMethodNegotiate on
112
-        KrbMethodK5Passwd off
113
-        Krb5Keytab /etc/apache2/http.keytab
114
-        ...
115
-      </Location>
116
-  </VirtualHost>
94
+.. code-block:: apache
95
+
96
+   <VirtualHost *:5000>
97
+
98
+       ...
99
+
100
+       <Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
101
+         AuthType Kerberos
102
+         AuthName "Acme Corporation"
103
+         KrbMethodNegotiate on
104
+         KrbMethodK5Passwd off
105
+         Krb5Keytab /etc/apache2/http.keytab
106
+         ...
107
+       </Location>
108
+       <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
109
+         AuthType Kerberos
110
+         AuthName "Acme Corporation"
111
+         KrbMethodNegotiate on
112
+         KrbMethodK5Passwd off
113
+         Krb5Keytab /etc/apache2/http.keytab
114
+         ...
115
+       </Location>
116
+   </VirtualHost>
117 117
 
118 118
 If `mod_auth_mellon` is used, then use the following as an example:
119 119
 
120
-.. code-block:: none
120
+.. code-block:: apache
121 121
 
122
-  <VirtualHost *:5000>
122
+   <VirtualHost *:5000>
123 123
 
124
-      ...
124
+       ...
125 125
 
126
-      <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
127
-        AuthType Mellon
128
-        MellonEnable auth
129
-        Require valid-user
130
-        ...
131
-      </Location>
132
-      <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
133
-        AuthType Mellon
134
-        MellonEnable auth
135
-        Require valid-user
136
-        ...
137
-      </Location>
138
-  </VirtualHost>
126
+       <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
127
+         AuthType Mellon
128
+         MellonEnable auth
129
+         Require valid-user
130
+         ...
131
+       </Location>
132
+       <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
133
+         AuthType Mellon
134
+         MellonEnable auth
135
+         Require valid-user
136
+         ...
137
+       </Location>
138
+   </VirtualHost>
139 139
 
140 140
 .. NOTE::
141 141
     If you are also using SSO via the API, don't forget to make the Location
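Review bot: in the mod_shib block, `ShibRequestSetting requireSession 1` and `ShibRequireSession On` state the same requirement twice, the second being the older spelling of the first; since the hunk already touches these lines, consider keeping only the `ShibRequestSetting requireSession 1` form so readers do not conclude both directives are needed.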
@@ -155,17 +155,17 @@ It is recommended that this option be set on a per-protocol basis.
155 155
 
156 156
 .. code-block:: ini
157 157
 
158
-  [saml2]
159
-  remote_id_attribute = Shib-Identity-Provider
160
-  [openid]
161
-  remote_id_attribute = HTTP_OIDC_ISS
158
+   [saml2]
159
+   remote_id_attribute = Shib-Identity-Provider
160
+   [openid]
161
+   remote_id_attribute = HTTP_OIDC_ISS
162 162
 
163 163
 Alternatively, a generic option may be set at the `[federation]` level.
164 164
 
165 165
 .. code-block:: ini
166 166
 
167
-  [federation]
168
-  remote_id_attribute = HTTP_OIDC_ISS
167
+   [federation]
168
+   remote_id_attribute = HTTP_OIDC_ISS
169 169
 
170 170
 4. Copy the `sso_callback_template.html
171 171
 <https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
@@ -188,7 +188,7 @@ this will provide users with an updated login screen for horizon.
188 188
 
189 189
 .. code-block:: python
190 190
 
191
-  WEBSSO_ENABLED = True
191
+   WEBSSO_ENABLED = True
192 192
 
193 193
 2. (Optional) Create a list of authentication methods with the
194 194
    `WEBSSO_CHOICES` option.
@@ -202,13 +202,13 @@ identity backend.
202 202
 
203 203
 .. code-block:: python
204 204
 
205
-  WEBSSO_CHOICES = (
206
-        ("credentials", _("Keystone Credentials")),
207
-        ("openid", _("OpenID Connect")),
208
-        ("saml2", _("Security Assertion Markup Language")),
209
-        ("myidp_openid", "Acme Corporation - OpenID Connect"),
210
-        ("myidp_saml2", "Acme Corporation - SAML2")
211
-      )
205
+   WEBSSO_CHOICES = (
206
+       ("credentials", _("Keystone Credentials")),
207
+       ("openid", _("OpenID Connect")),
208
+       ("saml2", _("Security Assertion Markup Language")),
209
+       ("myidp_openid", "Acme Corporation - OpenID Connect"),
210
+       ("myidp_saml2", "Acme Corporation - SAML2")
211
+   )
212 212
 
213 213
 3. (Optional) Create a dictionary of specific identity provider and federation
214 214
    protocol combinations.
@@ -222,10 +222,10 @@ protocol endpoint.
222 222
 
223 223
 .. code-block:: python
224 224
 
225
-  WEBSSO_IDP_MAPPING = {
226
-        "myidp_openid": ("myidp", "openid"),
227
-        "myidp_saml2": ("myidp", "saml2")
228
-      }
225
+   WEBSSO_IDP_MAPPING = {
226
+       "myidp_openid": ("myidp", "openid"),
227
+       "myidp_saml2": ("myidp", "saml2")
228
+   }
229 229
 
230 230
 .. NOTE::
231 231
 
@@ -240,10 +240,10 @@ automatically set that choice to be highlighted by default.
240 240
 
241 241
 .. code-block:: python
242 242
 
243
-  WEBSSO_INITIAL_CHOICE = "credentials"
243
+   WEBSSO_INITIAL_CHOICE = "credentials"
244 244
 
245 245
 7. Restart your web server:
246 246
 
247
-.. code-block:: bash
247
+.. code-block:: console
248 248
 
249
-   $ sudo service apache2 restart
249
+   # service apache2 restart
