Fix nits in code blocks in federation guide
Fix inconsistent indentation of code-blocks, ensure shell samples correctly differentiate between root-required commands and non-root commands in accordance with the openstack-manuals recommendations[1], and use proper markup for interactive shell examples.

[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst

Partial-bug: #1793374
Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
This commit is contained in:
parent
40e0f5d976
commit
9bc2b8875d
|
@ -100,10 +100,10 @@ Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
|
||||||
Names should be equal to protocol names added via Identity API v3. Here we use
|
Names should be equal to protocol names added via Identity API v3. Here we use
|
||||||
examples ``saml2`` and ``openid``.
|
examples ``saml2`` and ``openid``.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: ini
|
||||||
|
|
||||||
[auth]
|
[auth]
|
||||||
methods = external,password,token,saml2,openid
|
methods = external,password,token,saml2,openid
|
||||||
|
|
||||||
Create keystone groups and assign roles
|
Create keystone groups and assign roles
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
@ -126,23 +126,23 @@ both of which are exposed to the CLI via `python-openstackclient
|
||||||
|
|
||||||
For example, create a new domain and project like this:
|
For example, create a new domain and project like this:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack domain create federated_domain
|
$ openstack domain create federated_domain
|
||||||
$ openstack project create federated_project --domain federated_domain
|
$ openstack project create federated_project --domain federated_domain
|
||||||
|
|
||||||
And a new group like this:
|
And a new group like this:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack group create federated_users
|
$ openstack group create federated_users
|
||||||
|
|
||||||
Add the group to the domain and project:
|
Add the group to the domain and project:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack role add --group federated_users --domain federated_domain Member
|
$ openstack role add --group federated_users --domain federated_domain Member
|
||||||
$ openstack role add --group federated_users --project federated_project Member
|
$ openstack role add --group federated_users --project federated_project Member
|
||||||
|
|
||||||
We'll later add a mapping that makes all federated users a part of this group
|
We'll later add a mapping that makes all federated users a part of this group
|
||||||
and therefore members of the new domain.
|
and therefore members of the new domain.
|
||||||
|
@ -166,9 +166,9 @@ Identity Provider
|
||||||
Create an Identity Provider object in keystone, which represents the Identity
|
Create an Identity Provider object in keystone, which represents the Identity
|
||||||
Provider we will use to authenticate end users:
|
Provider we will use to authenticate end users:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
|
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
|
||||||
|
|
||||||
The value for the ``remote-id`` option is the unique identifier provided by the
|
The value for the ``remote-id`` option is the unique identifier provided by the
|
||||||
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
|
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
|
||||||
|
@ -224,70 +224,70 @@ Mapping objects can be used multiple times by different combinations of Identity
|
||||||
As a simple example, if keystone is your IdP, you can map a few known remote
|
As a simple example, if keystone is your IdP, you can map a few known remote
|
||||||
users to the group you already created:
|
users to the group you already created:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ cat > rules.json <<EOF
|
$ cat > rules.json <<EOF
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"local": [
|
"local": [
|
||||||
{
|
{
|
||||||
"user": {
|
"user": {
|
||||||
"name": "{0}"
|
"name": "{0}"
|
||||||
},
|
},
|
||||||
"group": {
|
"group": {
|
||||||
"domain": {
|
"domain": {
|
||||||
"name": "Default"
|
"name": "Default"
|
||||||
},
|
},
|
||||||
"name": "federated_users"
|
"name": "federated_users"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"remote": [
|
"remote": [
|
||||||
{
|
{
|
||||||
"type": "openstack_user"
|
"type": "openstack_user"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "openstack_user",
|
"type": "openstack_user",
|
||||||
"any_one_of": [
|
"any_one_of": [
|
||||||
"demo",
|
"demo",
|
||||||
"alt_demo"
|
"alt_demo"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
EOF
|
EOF
|
||||||
$ openstack mapping create --rules rules.json myidp_mapping
|
$ openstack mapping create --rules rules.json myidp_mapping
|
||||||
|
|
||||||
As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
|
As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ cat > rules.json <<EOF
|
$ cat > rules.json <<EOF
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"local": [
|
"local": [
|
||||||
{
|
{
|
||||||
"user": {
|
"user": {
|
||||||
"name": "{0}"
|
"name": "{0}"
|
||||||
},
|
},
|
||||||
"group": {
|
"group": {
|
||||||
"domain": {
|
"domain": {
|
||||||
"name": "Default"
|
"name": "Default"
|
||||||
},
|
},
|
||||||
"name": "federated_users"
|
"name": "federated_users"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"remote": [
|
"remote": [
|
||||||
{
|
{
|
||||||
"type": "REMOTE_USER"
|
"type": "REMOTE_USER"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
EOF
|
EOF
|
||||||
$ openstack mapping create --rules rules.json myidp_mapping
|
$ openstack mapping create --rules rules.json myidp_mapping
|
||||||
|
|
||||||
Read more about `mapping
|
Read more about `mapping
|
||||||
<https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
|
<https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
|
||||||
|
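Review bot: the `console` lexer only treats lines that begin with a `$` or `#` prompt as commands, so the JSON body of the `cat > rules.json <<EOF` heredoc in both mapping samples will be rendered as plain command output with no JSON highlighting. If that is acceptable, fine; otherwise split each sample into a `.. code-block:: json` for the rules and a one-line `console` block for `$ openstack mapping create --rules rules.json myidp_mapping`.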
@ -301,9 +301,9 @@ request made by an IdP. An IdP may have multiple supported protocols.
|
||||||
|
|
||||||
You can create a protocol like this:
|
You can create a protocol like this:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
|
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
|
||||||
|
|
||||||
The name you give the protocol is not arbitrary. It must match the method name
|
The name you give the protocol is not arbitrary. It must match the method name
|
||||||
you gave in the ``[auth]/methods`` config option. When authenticating it will be
|
you gave in the ``[auth]/methods`` config option. When authenticating it will be
|
||||||
|
@ -356,9 +356,9 @@ considered protected by ``mod_shib`` and Apache, as such a request made
|
||||||
to the URL would be redirected to the Identity Provider, to start the
|
to the URL would be redirected to the Identity Provider, to start the
|
||||||
SAML authentication procedure.
|
SAML authentication procedure.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
|
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
|
||||||
|
|
||||||
Determine accessible resources
|
Determine accessible resources
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
@ -376,21 +376,21 @@ Read more about `listing resources
|
||||||
Example
|
Example
|
||||||
~~~~~~~
|
~~~~~~~
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ export OS_IDENTITY_API_VERSION=3
|
$ export OS_IDENTITY_API_VERSION=3
|
||||||
$ export OS_TOKEN=<unscoped token>
|
$ export OS_TOKEN=<unscoped token>
|
||||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||||
$ openstack federation project list
|
$ openstack federation project list
|
||||||
|
|
||||||
or
|
or
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ export OS_IDENTITY_API_VERSION=3
|
$ export OS_IDENTITY_API_VERSION=3
|
||||||
$ export OS_TOKEN=<unscoped token>
|
$ export OS_TOKEN=<unscoped token>
|
||||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||||
$ openstack federation domain list
|
$ openstack federation domain list
|
||||||
|
|
||||||
Get a scoped token
|
Get a scoped token
|
||||||
~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~
|
||||||
|
@ -406,15 +406,15 @@ Read more about `getting a scoped token
|
||||||
Example
|
Example
|
||||||
~~~~~~~
|
~~~~~~~
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ export OS_AUTH_TYPE=token
|
$ export OS_AUTH_TYPE=token
|
||||||
$ export OS_IDENTITY_API_VERSION=3
|
$ export OS_IDENTITY_API_VERSION=3
|
||||||
$ export OS_TOKEN=<unscoped token>
|
$ export OS_TOKEN=<unscoped token>
|
||||||
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
|
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
|
||||||
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
|
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
|
||||||
$ export OS_PROJECT_NAME=federated_project
|
$ export OS_PROJECT_NAME=federated_project
|
||||||
$ openstack token issue
|
$ openstack token issue
|
||||||
|
|
||||||
--------------------------------------
|
--------------------------------------
|
||||||
Keystone as an Identity Provider (IdP)
|
Keystone as an Identity Provider (IdP)
|
||||||
|
@ -433,9 +433,9 @@ Keystone as an Identity Provider (IdP)
|
||||||
|
|
||||||
Example for apt:
|
Example for apt:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ apt-get install xmlsec1
|
# apt-get install xmlsec1
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -457,9 +457,9 @@ example:
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[saml]
|
[saml]
|
||||||
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
|
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
|
||||||
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
|
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
|
||||||
|
|
||||||
``idp_entity_id`` is the unique identifier for the Identity Provider. It
|
``idp_entity_id`` is the unique identifier for the Identity Provider. It
|
||||||
usually takes the form of a URI but it does not have to resolve to anything.
|
usually takes the form of a URI but it does not have to resolve to anything.
|
||||||
|
@ -471,30 +471,30 @@ necessary:
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
certfile=/etc/keystone/ssl/certs/signing_cert.pem
|
certfile=/etc/keystone/ssl/certs/signing_cert.pem
|
||||||
keyfile=/etc/keystone/ssl/private/signing_key.pem
|
keyfile=/etc/keystone/ssl/private/signing_key.pem
|
||||||
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
|
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
|
||||||
|
|
||||||
Though not necessary, the follow Organization configuration options should
|
Though not necessary, the follow Organization configuration options should
|
||||||
also be setup. It is recommended that these values be URL safe.
|
also be setup. It is recommended that these values be URL safe.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
idp_organization_name=example_company
|
idp_organization_name=example_company
|
||||||
idp_organization_display_name=Example Corp.
|
idp_organization_display_name=Example Corp.
|
||||||
idp_organization_url=example.com
|
idp_organization_url=example.com
|
||||||
|
|
||||||
As with the Organization options, the Contact options, are not necessary, but
|
As with the Organization options, the Contact options, are not necessary, but
|
||||||
it's advisable to set these values too.
|
it's advisable to set these values too.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
idp_contact_company=example_company
|
idp_contact_company=example_company
|
||||||
idp_contact_name=John
|
idp_contact_name=John
|
||||||
idp_contact_surname=Smith
|
idp_contact_surname=Smith
|
||||||
idp_contact_email=jsmith@example.com
|
idp_contact_email=jsmith@example.com
|
||||||
idp_contact_telephone=555-555-5555
|
idp_contact_telephone=555-555-5555
|
||||||
idp_contact_type=technical
|
idp_contact_type=technical
|
||||||
|
|
||||||
Generate Metadata
|
Generate Metadata
|
||||||
-----------------
|
-----------------
|
||||||
|
@ -514,9 +514,9 @@ vhost::
|
||||||
To create metadata for your keystone IdP, run the ``keystone-manage`` command
|
To create metadata for your keystone IdP, run the ``keystone-manage`` command
|
||||||
and redirect the output to a file. For example:
|
and redirect the output to a file. For example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
|
# keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
The file location should match the value of the configuration option
|
The file location should match the value of the configuration option
|
||||||
|
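Review bot: switching the prompt to `#` on `keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml` is consistent with writing under /etc/keystone, but the redirect then leaves a root-owned file that the keystone service (which reads it via the `idp_metadata_path` option the NOTE below refers to) must still be able to open. Add a sentence next to that NOTE saying the file has to be readable by the user keystone runs as, or show the command run as that user.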
@ -535,11 +535,11 @@ signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
|
||||||
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
|
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
|
||||||
described in `Get an unscoped token`_.
|
described in `Get an unscoped token`_.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack service provider create \
|
$ openstack service provider create \
|
||||||
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
|
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
|
||||||
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
|
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
|
||||||
|
|
||||||
Testing it all out
|
Testing it all out
|
||||||
------------------
|
------------------
|
||||||
|
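Review bot: in the `openstack service provider create` sample the `--service-provider-url` value is single-quoted while the `--auth-url` value on the next line is not; neither contains shell metacharacters, so pick one quoting style for both lines while this block is being touched.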
@ -551,13 +551,13 @@ scoped token from the SP.
|
||||||
ECP stands for Enhanced Client or Proxy, an extension from the SAML2
|
ECP stands for Enhanced Client or Proxy, an extension from the SAML2
|
||||||
protocol used in non-browser interfaces, like in the following example.
|
protocol used in non-browser interfaces, like in the following example.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ openstack \
|
$ openstack \
|
||||||
--os-service-provider mysp \
|
--os-service-provider mysp \
|
||||||
--os-remote-project-name federated_project \
|
--os-remote-project-name federated_project \
|
||||||
--os-remote-project-domain-name federated_domain \
|
--os-remote-project-domain-name federated_domain \
|
||||||
token issue
|
token issue
|
||||||
|
|
||||||
|
|
||||||
.. include:: openidc.rst
|
.. include:: openidc.rst
|
||||||
|
|
File diff suppressed because it is too large
|
@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
|
||||||
You'll also need to install the Apache module `mod_auth_mellon
|
You'll also need to install the Apache module `mod_auth_mellon
|
||||||
<https://github.com/UNINETT/mod_auth_mellon>`_. For example:
|
<https://github.com/UNINETT/mod_auth_mellon>`_. For example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ apt-get install libapache2-mod-auth-mellon
|
# apt-get install libapache2-mod-auth-mellon
|
||||||
|
|
||||||
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
||||||
|
|
||||||
|
@ -41,22 +41,22 @@ Add this *WSGIScriptAlias* directive to your public vhost configuration::
|
||||||
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
|
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
|
||||||
a *<Location>* directive for each identity provider
|
a *<Location>* directive for each identity provider
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<Location /v3>
|
<Location /v3>
|
||||||
MellonEnable "info"
|
MellonEnable "info"
|
||||||
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
|
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
|
||||||
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
|
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
|
||||||
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
|
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
|
||||||
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
|
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
|
||||||
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||||
MellonIdP "IDP"
|
MellonIdP "IDP"
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||||
AuthType "Mellon"
|
AuthType "Mellon"
|
||||||
MellonEnable "auth"
|
MellonEnable "auth"
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
* See below for information about how to generate the values for the
|
* See below for information about how to generate the values for the
|
||||||
|
@ -69,9 +69,9 @@ a *<Location>* directive for each identity provider
|
||||||
|
|
||||||
Enable the ``auth_mellon`` module, for example:
|
Enable the ``auth_mellon`` module, for example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ a2enmod auth_mellon
|
# a2enmod auth_mellon
|
||||||
|
|
||||||
Configuring the Mellon SP Metadata
|
Configuring the Mellon SP Metadata
|
||||||
----------------------------------
|
----------------------------------
|
||||||
|
@ -80,10 +80,10 @@ Mellon provides a script called `mellon_create_metadata.sh`_ which generates
|
||||||
the values for the config directives `MellonSPPrivateKeyFile`,
|
the values for the config directives `MellonSPPrivateKeyFile`,
|
||||||
`MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this:
|
`MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
|
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
|
||||||
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||||
|
|
||||||
The first parameter is used as the entity ID, a unique identifier for this
|
The first parameter is used as the entity ID, a unique identifier for this
|
||||||
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
|
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
|
||||||
|
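Review bot: the continuation backslash in `$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\` directly abuts the entity ID with no space before it. Since this commit is about nits in code blocks, add the space (`.../mellon \`): the command only works as written because the next line is indented, and a reader who joins the two arguments onto one line without that whitespace gets a single concatenated argument instead of two.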
@ -107,15 +107,15 @@ can upload the file, or you may be required to submit the file using `wget` or
|
||||||
Fetch your Identity Provider's Metadata file and copy it to the path specified
|
Fetch your Identity Provider's Metadata file and copy it to the path specified
|
||||||
by the `MellonIdPMetadataFile` directive above. For example:
|
by the `MellonIdPMetadataFile` directive above. For example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
|
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
|
||||||
https://myidp.example.com/idp/saml2/metadata
|
https://myidp.example.com/idp/saml2/metadata
|
||||||
|
|
||||||
Once you are done, restart the Apache instance that is serving Keystone, for example:
|
Once you are done, restart the Apache instance that is serving Keystone, for example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ service apache2 restart
|
# service apache2 restart
|
||||||
|
|
||||||
.. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh
|
.. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh
|
||||||
|
|
|
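Review bot: the `wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml` sample keeps the `$` prompt, yet it writes into /etc/apache2/mellon, which normally requires root, while `service apache2 restart` in the same hunk was switched to `#`. For the root/non-root distinction this change sets out to make, this command should use the `#` prompt as well (or be shown as a non-root download followed by a root copy into place).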
@ -24,43 +24,43 @@ Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openi
|
||||||
|
|
||||||
To install `mod_auth_openidc` on Ubuntu, perform the following:
|
To install `mod_auth_openidc` on Ubuntu, perform the following:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ sudo apt-get install libapache2-mod-auth-openidc
|
# apt-get install libapache2-mod-auth-openidc
|
||||||
|
|
||||||
This module is available for other distributions (Fedora/CentOS/Red Hat) from:
|
This module is available for other distributions (Fedora/CentOS/Red Hat) from:
|
||||||
https://github.com/pingidentity/mod_auth_openidc/releases
|
https://github.com/pingidentity/mod_auth_openidc/releases
|
||||||
|
|
||||||
Enable the auth_openidc module:
|
Enable the auth_openidc module:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ sudo a2enmod auth_openidc
|
# a2enmod auth_openidc
|
||||||
|
|
||||||
In the keystone vhost file, locate the virtual host entry and add the following
|
In the keystone vhost file, locate the virtual host entry and add the following
|
||||||
entries for OpenID Connect:
|
entries for OpenID Connect:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<VirtualHost *:5000>
|
<VirtualHost *:5000>
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
OIDCClaimPrefix "OIDC-"
|
OIDCClaimPrefix "OIDC-"
|
||||||
OIDCResponseType "id_token"
|
OIDCResponseType "id_token"
|
||||||
OIDCScope "openid email profile"
|
OIDCScope "openid email profile"
|
||||||
OIDCProviderMetadataURL <url_of_provider_metadata>
|
OIDCProviderMetadataURL <url_of_provider_metadata>
|
||||||
OIDCClientID <openid_client_id>
|
OIDCClientID <openid_client_id>
|
||||||
OIDCClientSecret <openid_client_secret>
|
OIDCClientSecret <openid_client_secret>
|
||||||
OIDCCryptoPassphrase openstack
|
OIDCCryptoPassphrase openstack
|
||||||
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
|
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
|
||||||
|
|
||||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
|
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
|
||||||
AuthType openid-connect
|
AuthType openid-connect
|
||||||
Require valid-user
|
Require valid-user
|
||||||
LogLevel debug
|
LogLevel debug
|
||||||
</LocationMatch>
|
</LocationMatch>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
|
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
|
||||||
If not using `OIDCProviderMetadataURL`, then the following attributes
|
If not using `OIDCProviderMetadataURL`, then the following attributes
|
||||||
|
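Review bot: while this block is being relabelled `apache`, the vhost sample still carries a literal `OIDCCryptoPassphrase openstack` next to placeholder values such as `<openid_client_id>` and `<openid_client_secret>`, so a reader is likely to paste it unchanged. Replace it with a placeholder like `<crypto_passphrase>` for consistency with the other secrets in the block. `LogLevel debug` inside the `<LocationMatch>` is also worth flagging in the prose as a troubleshooting setting rather than something to keep in production.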
@ -75,9 +75,9 @@ for more details
|
||||||
|
|
||||||
Once you are done, restart your Apache daemon:
|
Once you are done, restart your Apache daemon:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ sudo service apache2 restart
|
# service apache2 restart
|
||||||
|
|
||||||
Tips
|
Tips
|
||||||
----
|
----
|
||||||
|
|
|
@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
|
||||||
You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
|
You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
|
||||||
example:
|
example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ apt-get install libapache2-mod-shib2
|
# apt-get install libapache2-mod-shib2
|
||||||
|
|
||||||
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
||||||
|
|
||||||
|
@ -39,23 +39,25 @@ Add this *WSGIScriptAliasMatch* directive to your public vhost configuration::
|
||||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
|
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
|
||||||
|
|
||||||
Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
|
Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
|
||||||
Shibboleth module and a *<Location>* directive for each identity provider::
|
Shibboleth module and a *<Location>* directive for each identity provider
|
||||||
|
|
||||||
<Location /Shibboleth.sso>
|
.. code-block:: apache
|
||||||
SetHandler shib
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
<Location /Shibboleth.sso>
|
||||||
ShibRequestSetting requireSession 1
|
SetHandler shib
|
||||||
AuthType shibboleth
|
</Location>
|
||||||
ShibExportAssertion Off
|
|
||||||
Require valid-user
|
|
||||||
|
|
||||||
<IfVersion < 2.4>
|
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||||
ShibRequireSession On
|
ShibRequestSetting requireSession 1
|
||||||
ShibRequireAll On
|
AuthType shibboleth
|
||||||
</IfVersion>
|
ShibExportAssertion Off
|
||||||
</Location>
|
Require valid-user
|
||||||
|
|
||||||
|
<IfVersion < 2.4>
|
||||||
|
ShibRequireSession On
|
||||||
|
ShibRequireAll On
|
||||||
|
</IfVersion>
|
||||||
|
</Location>
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||||
|
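Review bot: dropping the `::` from "Shibboleth module and a *<Location>* directive for each identity provider" was needed so the sentence does not open a literal block in front of the new `.. code-block:: apache`, but it leaves the sentence with no terminating punctuation; end it with a plain colon. The corresponding sentence in mellon.rst ("a *<Location>* directive for each identity provider") has the same problem.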
@ -68,15 +70,15 @@ Shibboleth module and a *<Location>* directive for each identity provider::
|
||||||
|
|
||||||
Enable the ``shib2`` module, for example:
|
Enable the ``shib2`` module, for example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ a2enmod shib2
|
# a2enmod shib2
|
||||||
|
|
||||||
Restart Apache, for example:
|
Restart Apache, for example:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ service apache2 restart
|
# service apache2 restart
|
||||||
|
|
||||||
Configuring shibboleth2.xml
|
Configuring shibboleth2.xml
|
||||||
---------------------------
|
---------------------------
|
||||||
|
@ -86,9 +88,9 @@ configure Shibboleth and upload your Metadata to the Identity Provider.
|
||||||
|
|
||||||
Create a new keypair for Shibboleth with:
|
Create a new keypair for Shibboleth with:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ shib-keygen -y <number of years>
|
# shib-keygen -y <number of years>
|
||||||
|
|
||||||
The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
|
The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
|
||||||
|
|
||||||
|
@ -101,20 +103,20 @@ file. You will want to change five settings:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||||
|
|
||||||
* Set the IdP entity ID. This value is determined by the IdP. For example, if
|
* Set the IdP entity ID. This value is determined by the IdP. For example, if
|
||||||
Keystone is the IdP:
|
Keystone is the IdP:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||||
|
|
||||||
Example if samltest.id is the IdP:
|
Example if samltest.id is the IdP:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<SSO entityID="https://samltest.id/saml/idp">
|
<SSO entityID="https://samltest.id/saml/idp">
|
||||||
|
|
||||||
* Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
|
* Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
|
||||||
|
|
||||||
|
@ -123,13 +125,13 @@ Example if samltest.id is the IdP:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||||
|
|
||||||
Example if samltest.id is the IdP:
|
Example if samltest.id is the IdP:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
|
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
|
||||||
|
|
||||||
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
|
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
|
||||||
|
|
||||||
|
@ -138,143 +140,143 @@ to be used in a production environment):
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
||||||
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
||||||
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||||
clockSkew="180">
|
clockSkew="180">
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
||||||
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
To customize behavior for specific resources on Apache, and to link vhosts or
|
To customize behavior for specific resources on Apache, and to link vhosts or
|
||||||
resources to ApplicationOverride settings below, use web server options/commands.
|
resources to ApplicationOverride settings below, use web server options/commands.
|
||||||
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
||||||
|
|
||||||
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
||||||
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
||||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||||
You MUST supply an effectively unique handlerURL value for each of your applications.
|
You MUST supply an effectively unique handlerURL value for each of your applications.
|
||||||
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
||||||
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
||||||
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
||||||
Note that while we default checkAddress to "false", this has a negative impact on the
|
Note that while we default checkAddress to "false", this has a negative impact on the
|
||||||
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
||||||
-->
|
-->
|
||||||
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
||||||
checkAddress="false" handlerSSL="false" cookieProps="http">
|
checkAddress="false" handlerSSL="false" cookieProps="http">
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
||||||
entityID property and adjust discoveryURL to point to discovery service.
|
entityID property and adjust discoveryURL to point to discovery service.
|
||||||
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
||||||
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
||||||
-->
|
-->
|
||||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||||
SAML2 SAML1
|
SAML2 SAML1
|
||||||
</SSO>
|
</SSO>
|
||||||
|
|
||||||
<!-- SAML and local-only logout. -->
|
<!-- SAML and local-only logout. -->
|
||||||
<Logout>SAML2 Local</Logout>
|
<Logout>SAML2 Local</Logout>
|
||||||
|
|
||||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||||
|
|
||||||
<!-- Status reporting service. -->
|
<!-- Status reporting service. -->
|
||||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||||
|
|
||||||
<!-- Session diagnostic service. -->
|
<!-- Session diagnostic service. -->
|
||||||
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
||||||
|
|
||||||
<!-- JSON feed of discovery information. -->
|
<!-- JSON feed of discovery information. -->
|
||||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||||
</Sessions>
|
</Sessions>
|
||||||
<!--
|
<!--
|
||||||
Allows overriding of error template information/filenames. You can
|
Allows overriding of error template information/filenames. You can
|
||||||
also add attributes with values that can be plugged into the templates.
|
also add attributes with values that can be plugged into the templates.
|
||||||
-->
|
-->
|
||||||
<Errors supportContact="root@localhost"
|
<Errors supportContact="root@localhost"
|
||||||
helpLocation="/about.html"
|
helpLocation="/about.html"
|
||||||
styleSheet="/shibboleth-sp/main.css"/>
|
styleSheet="/shibboleth-sp/main.css"/>
|
||||||
|
|
||||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||||
<!--
|
<!--
|
||||||
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
|
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
|
||||||
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
||||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||||
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
|
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
|
||||||
</MetadataProvider>
|
</MetadataProvider>
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!-- Example of locally maintained metadata. -->
|
<!-- Example of locally maintained metadata. -->
|
||||||
<!--
|
<!--
|
||||||
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
||||||
-->
|
-->
|
||||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||||
|
|
||||||
<!-- Map to extract attributes from SAML assertions. -->
|
<!-- Map to extract attributes from SAML assertions. -->
|
||||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||||
|
|
||||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||||
|
|
||||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||||
|
|
||||||
<!-- Simple file-based resolver for using a single keypair. -->
|
<!-- Simple file-based resolver for using a single keypair. -->
|
||||||
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
The default settings can be overridden by creating ApplicationOverride elements (see
|
The default settings can be overridden by creating ApplicationOverride elements (see
|
||||||
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
||||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||||
applicationId setting.
|
applicationId setting.
|
||||||
Example of a second application (for a second vhost) that has a different entityID.
|
Example of a second application (for a second vhost) that has a different entityID.
|
||||||
Resources on the vhost would map to an applicationId of "admin":
|
Resources on the vhost would map to an applicationId of "admin":
|
||||||
-->
|
-->
|
||||||
<!--
|
<!--
|
||||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||||
-->
|
-->
|
||||||
</ApplicationDefaults>
|
</ApplicationDefaults>
|
||||||
|
|
||||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||||
|
|
||||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||||
|
|
||||||
</SPConfig>
|
</SPConfig>
|
||||||
|
|
||||||
If keystone is your IdP, you will need to examine your attributes map file
|
If keystone is your IdP, you will need to examine your attributes map file
|
||||||
``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
|
``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
|
||||||
|
|
||||||
.. code-block:: xml
|
.. code-block:: xml
|
||||||
|
|
||||||
<Attribute name="openstack_user" id="openstack_user"/>
|
<Attribute name="openstack_user" id="openstack_user"/>
|
||||||
<Attribute name="openstack_roles" id="openstack_roles"/>
|
<Attribute name="openstack_roles" id="openstack_roles"/>
|
||||||
<Attribute name="openstack_project" id="openstack_project"/>
|
<Attribute name="openstack_project" id="openstack_project"/>
|
||||||
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
|
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
|
||||||
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
|
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
|
||||||
|
|
||||||
For more information see the
|
For more information see the
|
||||||
`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
|
`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
|
||||||
|
|
||||||
Once you are done, restart your Shibboleth daemon and apache:
|
Once you are done, restart your Shibboleth daemon and apache:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ service shibd restart
|
# service shibd restart
|
||||||
$ service apache2 restart
|
# service apache2 restart
|
||||||
|
|
||||||
Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
|
Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
|
||||||
correct them.
|
correct them.
|
||||||
|
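Review bot: the sample `<Sessions ... checkAddress="false" handlerSSL="false" cookieProps="http">` sets exactly the values the comment above it warns against (it says handlerSSL/cookieProps should be https for SSL-only sites and that `checkAddress="false"` makes cookie theft easier), and `<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>` publishes unsigned metadata; since this hunk only relabels the restart block, the prose introducing the sample should name these as deliberately non-production settings so the file is not copied verbatim. The `# service shibd restart` / `# service apache2 restart` change itself matches the cited conventions.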
@ -282,9 +284,9 @@ correct them.
|
||||||
Upload your Service Provider's metadata file to your Identity Provider. You can
|
Upload your Service Provider's metadata file to your Identity Provider. You can
|
||||||
fetch it with:
|
fetch it with:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
|
# wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
|
||||||
|
|
||||||
This step depends on your Identity Provider choice and is not covered here.
|
This step depends on your Identity Provider choice and is not covered here.
|
||||||
If keystone is your Identity Provider you do not need to upload this file.
|
If keystone is your Identity Provider you do not need to upload this file.
|
||||||
|
|
|
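Review bot: `$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata` should keep the `$` prompt rather than becoming `# wget ...`; downloading the SP metadata over HTTPS needs no privileges, and the conventions this change cites reserve `#` for commands that require root, so the new form tells readers to run an unprivileged download as root.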
@ -27,9 +27,9 @@ prevent man-in-the-middle (MITM) attacks.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[federation]
|
[federation]
|
||||||
trusted_dashboard = http://acme.horizon.com/auth/websso/
|
trusted_dashboard = http://acme.horizon.com/auth/websso/
|
||||||
trusted_dashboard = http://beta.horizon.com/auth/websso/
|
trusted_dashboard = http://beta.horizon.com/auth/websso/
|
||||||
|
|
||||||
2. Update httpd vhost file with websso information.
|
2. Update httpd vhost file with websso information.
|
||||||
|
|
||||||
|
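Review bot: both `trusted_dashboard = http://acme.horizon.com/auth/websso/` and `trusted_dashboard = http://beta.horizon.com/auth/websso/` use plain `http://` in a section whose stated purpose is to prevent man-in-the-middle attacks; the examples should be `https://` URLs, otherwise the snippet demonstrates the very configuration the surrounding text is warning against.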
@ -47,95 +47,95 @@ is configured in keystone.
|
||||||
|
|
||||||
If `mod_shib` is used, then use the following as an example:
|
If `mod_shib` is used, then use the following as an example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<VirtualHost *:5000>
|
<VirtualHost *:5000>
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||||
AuthType shibboleth
|
AuthType shibboleth
|
||||||
Require valid-user
|
Require valid-user
|
||||||
ShibRequestSetting requireSession 1
|
ShibRequestSetting requireSession 1
|
||||||
ShibRequireSession On
|
ShibRequireSession On
|
||||||
ShibExportAssertion Off
|
ShibExportAssertion Off
|
||||||
</Location>
|
</Location>
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||||
AuthType shibboleth
|
AuthType shibboleth
|
||||||
Require valid-user
|
Require valid-user
|
||||||
</Location>
|
</Location>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
If `mod_auth_openidc` is used, then use the following as an example:
|
If `mod_auth_openidc` is used, then use the following as an example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<VirtualHost *:5000>
|
<VirtualHost *:5000>
|
||||||
|
|
||||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
|
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
|
||||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
|
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
|
||||||
AuthType openid-connect
|
AuthType openid-connect
|
||||||
Require valid-user
|
Require valid-user
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
|
||||||
AuthType openid-connect
|
AuthType openid-connect
|
||||||
Require valid-user
|
Require valid-user
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
If `mod_auth_kerb` is used, then use the following as an example:
|
If `mod_auth_kerb` is used, then use the following as an example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<VirtualHost *:5000>
|
<VirtualHost *:5000>
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
|
||||||
AuthType Kerberos
|
AuthType Kerberos
|
||||||
AuthName "Acme Corporation"
|
AuthName "Acme Corporation"
|
||||||
KrbMethodNegotiate on
|
KrbMethodNegotiate on
|
||||||
KrbMethodK5Passwd off
|
KrbMethodK5Passwd off
|
||||||
Krb5Keytab /etc/apache2/http.keytab
|
Krb5Keytab /etc/apache2/http.keytab
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
|
||||||
AuthType Kerberos
|
AuthType Kerberos
|
||||||
AuthName "Acme Corporation"
|
AuthName "Acme Corporation"
|
||||||
KrbMethodNegotiate on
|
KrbMethodNegotiate on
|
||||||
KrbMethodK5Passwd off
|
KrbMethodK5Passwd off
|
||||||
Krb5Keytab /etc/apache2/http.keytab
|
Krb5Keytab /etc/apache2/http.keytab
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
If `mod_auth_mellon` is used, then use the following as an example:
|
If `mod_auth_mellon` is used, then use the following as an example:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: apache
|
||||||
|
|
||||||
<VirtualHost *:5000>
|
<VirtualHost *:5000>
|
||||||
|
|
||||||
...
|
...
|
||||||
|
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||||
AuthType Mellon
|
AuthType Mellon
|
||||||
MellonEnable auth
|
MellonEnable auth
|
||||||
Require valid-user
|
Require valid-user
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||||
AuthType Mellon
|
AuthType Mellon
|
||||||
MellonEnable auth
|
MellonEnable auth
|
||||||
Require valid-user
|
Require valid-user
|
||||||
...
|
...
|
||||||
</Location>
|
</Location>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
If you are also using SSO via the API, don't forget to make the Location
|
If you are also using SSO via the API, don't forget to make the Location
|
||||||
|
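Review bot: in the `mod_shib` example the first `<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">` block sets `ShibRequestSetting requireSession 1`, `ShibRequireSession On` and `ShibExportAssertion Off`, while the second `<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">` block has only `AuthType shibboleth` and `Require valid-user`; either give the second block the same session settings or say why it differs, since the `mod_auth_openidc`, `mod_auth_kerb` and `mod_auth_mellon` examples keep both Location blocks identical. `ShibRequestSetting requireSession 1` and `ShibRequireSession On` also express the same requirement twice, so one of them can go.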
@ -155,17 +155,17 @@ It is recommended that this option be set on a per-protocol basis.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[saml2]
|
[saml2]
|
||||||
remote_id_attribute = Shib-Identity-Provider
|
remote_id_attribute = Shib-Identity-Provider
|
||||||
[openid]
|
[openid]
|
||||||
remote_id_attribute = HTTP_OIDC_ISS
|
remote_id_attribute = HTTP_OIDC_ISS
|
||||||
|
|
||||||
Alternatively, a generic option may be set at the `[federation]` level.
|
Alternatively, a generic option may be set at the `[federation]` level.
|
||||||
|
|
||||||
.. code-block:: ini
|
.. code-block:: ini
|
||||||
|
|
||||||
[federation]
|
[federation]
|
||||||
remote_id_attribute = HTTP_OIDC_ISS
|
remote_id_attribute = HTTP_OIDC_ISS
|
||||||
|
|
||||||
4. Copy the `sso_callback_template.html
|
4. Copy the `sso_callback_template.html
|
||||||
<https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
|
<https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
|
||||||
|
@ -188,7 +188,7 @@ this will provide users with an updated login screen for horizon.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
WEBSSO_ENABLED = True
|
WEBSSO_ENABLED = True
|
||||||
|
|
||||||
2. (Optional) Create a list of authentication methods with the
|
2. (Optional) Create a list of authentication methods with the
|
||||||
`WEBSSO_CHOICES` option.
|
`WEBSSO_CHOICES` option.
|
||||||
|
@ -202,13 +202,13 @@ identity backend.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
WEBSSO_CHOICES = (
|
WEBSSO_CHOICES = (
|
||||||
("credentials", _("Keystone Credentials")),
|
("credentials", _("Keystone Credentials")),
|
||||||
("openid", _("OpenID Connect")),
|
("openid", _("OpenID Connect")),
|
||||||
("saml2", _("Security Assertion Markup Language")),
|
("saml2", _("Security Assertion Markup Language")),
|
||||||
("myidp_openid", "Acme Corporation - OpenID Connect"),
|
("myidp_openid", "Acme Corporation - OpenID Connect"),
|
||||||
("myidp_saml2", "Acme Corporation - SAML2")
|
("myidp_saml2", "Acme Corporation - SAML2")
|
||||||
)
|
)
|
||||||
|
|
||||||
3. (Optional) Create a dictionary of specific identity provider and federation
|
3. (Optional) Create a dictionary of specific identity provider and federation
|
||||||
protocol combinations.
|
protocol combinations.
|
||||||
|
@ -222,10 +222,10 @@ protocol endpoint.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
WEBSSO_IDP_MAPPING = {
|
WEBSSO_IDP_MAPPING = {
|
||||||
"myidp_openid": ("myidp", "openid"),
|
"myidp_openid": ("myidp", "openid"),
|
||||||
"myidp_saml2": ("myidp", "saml2")
|
"myidp_saml2": ("myidp", "saml2")
|
||||||
}
|
}
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
|
|
||||||
|
@ -240,10 +240,10 @@ automatically set that choice to be highlighted by default.
|
||||||
|
|
||||||
.. code-block:: python
|
.. code-block:: python
|
||||||
|
|
||||||
WEBSSO_INITIAL_CHOICE = "credentials"
|
WEBSSO_INITIAL_CHOICE = "credentials"
|
||||||
|
|
||||||
7. Restart your web server:
|
7. Restart your web server:
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: console
|
||||||
|
|
||||||
$ sudo service apache2 restart
|
# service apache2 restart
|
||||||
|
|