Fix nits in code blocks in federation guide

Fix inconsistent indentation of code-blocks, ensure shell samples
correctly differentiate between root-required commands and non-root
commands in accordance with the openstack-manuals recommendations [1],
and use proper markup for interactive shell examples.

[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst

Partial-bug: #1793374

Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
Colleen Murphy 2018-12-21 11:16:49 -08:00
parent 40e0f5d976
commit 9bc2b8875d
6 changed files with 870 additions and 868 deletions


@ -100,10 +100,10 @@ Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
Names should be equal to protocol names added via Identity API v3. Here we use Names should be equal to protocol names added via Identity API v3. Here we use
examples ``saml2`` and ``openid``. examples ``saml2`` and ``openid``.
.. code-block:: bash .. code-block:: ini
[auth] [auth]
methods = external,password,token,saml2,openid methods = external,password,token,saml2,openid
Create keystone groups and assign roles Create keystone groups and assign roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -126,23 +126,23 @@ both of which are exposed to the CLI via `python-openstackclient
For example, create a new domain and project like this: For example, create a new domain and project like this:
.. code-block:: bash .. code-block:: console
$ openstack domain create federated_domain $ openstack domain create federated_domain
$ openstack project create federated_project --domain federated_domain $ openstack project create federated_project --domain federated_domain
And a new group like this: And a new group like this:
.. code-block:: bash .. code-block:: console
$ openstack group create federated_users $ openstack group create federated_users
Add the group to the domain and project: Add the group to the domain and project:
.. code-block:: bash .. code-block:: console
$ openstack role add --group federated_users --domain federated_domain Member $ openstack role add --group federated_users --domain federated_domain Member
$ openstack role add --group federated_users --project federated_project Member $ openstack role add --group federated_users --project federated_project Member
We'll later add a mapping that makes all federated users a part of this group We'll later add a mapping that makes all federated users a part of this group
and therefore members of the new domain. and therefore members of the new domain.
@ -166,9 +166,9 @@ Identity Provider
Create an Identity Provider object in keystone, which represents the Identity Create an Identity Provider object in keystone, which represents the Identity
Provider we will use to authenticate end users: Provider we will use to authenticate end users:
.. code-block:: bash .. code-block:: console
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp $ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
The value for the ``remote-id`` option is the unique identifier provided by the The value for the ``remote-id`` option is the unique identifier provided by the
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
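Review bot: the unchanged context line "For a SAML IdP it can found as the EntityDescriptor entityID" is missing its verb ("it can be found"); since this change is a nit sweep over exactly this section, it is worth fixing in the same commit rather than leaving it for a follow-up.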
@ -224,70 +224,70 @@ Mapping objects can be used multiple times by different combinations of Identity
As a simple example, if keystone is your IdP, you can map a few known remote As a simple example, if keystone is your IdP, you can map a few known remote
users to the group you already created: users to the group you already created:
.. code-block:: bash .. code-block:: console
$ cat > rules.json <<EOF $ cat > rules.json <<EOF
[ [
{ {
"local": [ "local": [
{ {
"user": { "user": {
"name": "{0}" "name": "{0}"
}, },
"group": { "group": {
"domain": { "domain": {
"name": "Default" "name": "Default"
}, },
"name": "federated_users" "name": "federated_users"
} }
} }
], ],
"remote": [ "remote": [
{ {
"type": "openstack_user" "type": "openstack_user"
}, },
{ {
"type": "openstack_user", "type": "openstack_user",
"any_one_of": [ "any_one_of": [
"demo", "demo",
"alt_demo" "alt_demo"
] ]
} }
] ]
} }
] ]
EOF EOF
$ openstack mapping create --rules rules.json myidp_mapping $ openstack mapping create --rules rules.json myidp_mapping
As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type: As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
.. code-block:: bash .. code-block:: console
$ cat > rules.json <<EOF $ cat > rules.json <<EOF
[ [
{ {
"local": [ "local": [
{ {
"user": { "user": {
"name": "{0}" "name": "{0}"
}, },
"group": { "group": {
"domain": { "domain": {
"name": "Default" "name": "Default"
}, },
"name": "federated_users" "name": "federated_users"
} }
} }
], ],
"remote": [ "remote": [
{ {
"type": "REMOTE_USER" "type": "REMOTE_USER"
} }
] ]
} }
] ]
EOF EOF
$ openstack mapping create --rules rules.json myidp_mapping $ openstack mapping create --rules rules.json myidp_mapping
Read more about `mapping Read more about `mapping
<https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__. <https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
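Review bot: the second mapping example (the `REMOTE_USER` rule) has no `any_one_of` filter, so every user the Shibboleth IdP authenticates is placed in `federated_users`, whereas the first example constrains the match to `demo` and `alt_demo`. One sentence in the surrounding prose saying the filter was dropped for brevity, and that a production mapping should constrain the `remote` rule, would stop readers copying the open rule as-is.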
@ -301,9 +301,9 @@ request made by an IdP. An IdP may have multiple supported protocols.
You can create a protocol like this: You can create a protocol like this:
.. code-block:: bash .. code-block:: console
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp $ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
The name you give the protocol is not arbitrary. It must match the method name The name you give the protocol is not arbitrary. It must match the method name
you gave in the ``[auth]/methods`` config option. When authenticating it will be you gave in the ``[auth]/methods`` config option. When authenticating it will be
@ -356,9 +356,9 @@ considered protected by ``mod_shib`` and Apache, as such a request made
to the URL would be redirected to the Identity Provider, to start the to the URL would be redirected to the Identity Provider, to start the
SAML authentication procedure. SAML authentication procedure.
.. code-block:: bash .. code-block:: console
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth $ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
Determine accessible resources Determine accessible resources
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -376,21 +376,21 @@ Read more about `listing resources
Example Example
~~~~~~~ ~~~~~~~
.. code-block:: bash .. code-block:: console
$ export OS_IDENTITY_API_VERSION=3 $ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token> $ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3 $ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation project list $ openstack federation project list
or or
.. code-block:: bash .. code-block:: console
$ export OS_IDENTITY_API_VERSION=3 $ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token> $ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3 $ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation domain list $ openstack federation domain list
Get a scoped token Get a scoped token
~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
@ -406,15 +406,15 @@ Read more about `getting a scoped token
Example Example
~~~~~~~ ~~~~~~~
.. code-block:: bash .. code-block:: console
$ export OS_AUTH_TYPE=token $ export OS_AUTH_TYPE=token
$ export OS_IDENTITY_API_VERSION=3 $ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token> $ export OS_TOKEN=<unscoped token>
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3 $ export OS_AUTH_URL=https://sp.keystone.example.org/v3
$ export OS_PROJECT_DOMAIN_NAME=federated_domain $ export OS_PROJECT_DOMAIN_NAME=federated_domain
$ export OS_PROJECT_NAME=federated_project $ export OS_PROJECT_NAME=federated_project
$ openstack token issue $ openstack token issue
-------------------------------------- --------------------------------------
Keystone as an Identity Provider (IdP) Keystone as an Identity Provider (IdP)
@ -433,9 +433,9 @@ Keystone as an Identity Provider (IdP)
Example for apt: Example for apt:
.. code-block:: bash .. code-block:: console
$ apt-get install xmlsec1 # apt-get install xmlsec1
.. note:: .. note::
@ -457,9 +457,9 @@ example:
.. code-block:: ini .. code-block:: ini
[saml] [saml]
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
``idp_entity_id`` is the unique identifier for the Identity Provider. It ``idp_entity_id`` is the unique identifier for the Identity Provider. It
usually takes the form of a URI but it does not have to resolve to anything. usually takes the form of a URI but it does not have to resolve to anything.
@ -471,30 +471,30 @@ necessary:
.. code-block:: ini .. code-block:: ini
certfile=/etc/keystone/ssl/certs/signing_cert.pem certfile=/etc/keystone/ssl/certs/signing_cert.pem
keyfile=/etc/keystone/ssl/private/signing_key.pem keyfile=/etc/keystone/ssl/private/signing_key.pem
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
Though not necessary, the follow Organization configuration options should Though not necessary, the follow Organization configuration options should
also be setup. It is recommended that these values be URL safe. also be setup. It is recommended that these values be URL safe.
.. code-block:: ini .. code-block:: ini
idp_organization_name=example_company idp_organization_name=example_company
idp_organization_display_name=Example Corp. idp_organization_display_name=Example Corp.
idp_organization_url=example.com idp_organization_url=example.com
As with the Organization options, the Contact options, are not necessary, but As with the Organization options, the Contact options, are not necessary, but
it's advisable to set these values too. it's advisable to set these values too.
.. code-block:: ini .. code-block:: ini
idp_contact_company=example_company idp_contact_company=example_company
idp_contact_name=John idp_contact_name=John
idp_contact_surname=Smith idp_contact_surname=Smith
idp_contact_email=jsmith@example.com idp_contact_email=jsmith@example.com
idp_contact_telephone=555-555-5555 idp_contact_telephone=555-555-5555
idp_contact_type=technical idp_contact_type=technical
Generate Metadata Generate Metadata
----------------- -----------------
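Review bot: two typos survive in the context lines of this hunk: "the follow Organization configuration options" should read "the following", and "should also be setup" should be "set up" (verb). Cheap to fix while the block is being re-indented.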
@ -514,9 +514,9 @@ vhost::
To create metadata for your keystone IdP, run the ``keystone-manage`` command To create metadata for your keystone IdP, run the ``keystone-manage`` command
and redirect the output to a file. For example: and redirect the output to a file. For example:
.. code-block:: bash .. code-block:: console
$ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml # keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
.. NOTE:: .. NOTE::
The file location should match the value of the configuration option The file location should match the value of the configuration option
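Review bot: switching the prompt to `#` means the shell redirect `> /etc/keystone/saml2_idp_metadata.xml` now runs as root, so the file is created root-owned under root's umask; keystone, which reads it from the path set in `idp_metadata_path` (see the `[saml]` block earlier in this file), may then be unable to open it. Either add a sentence about making the file readable by the keystone service user, or run the command as that user the way the install guides run other `keystone-manage` subcommands, e.g. `# su -s /bin/sh -c "keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml" keystone`.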
@ -535,11 +535,11 @@ signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
described in `Get an unscoped token`_. described in `Get an unscoped token`_.
.. code-block:: bash .. code-block:: console
$ openstack service provider create \ $ openstack service provider create \
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \ --service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp --auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
Testing it all out Testing it all out
------------------ ------------------
@ -551,13 +551,13 @@ scoped token from the SP.
ECP stands for Enhanced Client or Proxy, an extension from the SAML2 ECP stands for Enhanced Client or Proxy, an extension from the SAML2
protocol used in non-browser interfaces, like in the following example. protocol used in non-browser interfaces, like in the following example.
.. code-block:: bash .. code-block:: console
$ openstack \ $ openstack \
--os-service-provider mysp \ --os-service-provider mysp \
--os-remote-project-name federated_project \ --os-remote-project-name federated_project \
--os-remote-project-domain-name federated_domain \ --os-remote-project-domain-name federated_domain \
token issue token issue
.. include:: openidc.rst .. include:: openidc.rst



@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
You'll also need to install the Apache module `mod_auth_mellon You'll also need to install the Apache module `mod_auth_mellon
<https://github.com/UNINETT/mod_auth_mellon>`_. For example: <https://github.com/UNINETT/mod_auth_mellon>`_. For example:
.. code-block:: bash .. code-block:: console
$ apt-get install libapache2-mod-auth-mellon # apt-get install libapache2-mod-auth-mellon
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow: Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
@ -41,22 +41,22 @@ Add this *WSGIScriptAlias* directive to your public vhost configuration::
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
a *<Location>* directive for each identity provider a *<Location>* directive for each identity provider
.. code-block:: none .. code-block:: apache
<Location /v3> <Location /v3>
MellonEnable "info" MellonEnable "info"
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
MellonIdP "IDP" MellonIdP "IDP"
</Location> </Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth> <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
AuthType "Mellon" AuthType "Mellon"
MellonEnable "auth" MellonEnable "auth"
</Location> </Location>
.. NOTE:: .. NOTE::
* See below for information about how to generate the values for the * See below for information about how to generate the values for the
@ -69,9 +69,9 @@ a *<Location>* directive for each identity provider
Enable the ``auth_mellon`` module, for example: Enable the ``auth_mellon`` module, for example:
.. code-block:: bash .. code-block:: console
$ a2enmod auth_mellon # a2enmod auth_mellon
Configuring the Mellon SP Metadata Configuring the Mellon SP Metadata
---------------------------------- ----------------------------------
@ -80,10 +80,10 @@ Mellon provides a script called `mellon_create_metadata.sh`_ which generates
the values for the config directives `MellonSPPrivateKeyFile`, the values for the config directives `MellonSPPrivateKeyFile`,
`MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this: `MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this:
.. code-block:: bash .. code-block:: console
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\ $ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
The first parameter is used as the entity ID, a unique identifier for this The first parameter is used as the entity ID, a unique identifier for this
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
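Review bot: in `https://sp.keystone.example.org/mellon\` the continuation backslash follows the URL with no space. The shell still passes two arguments because the continuation line is indented, but a reader can easily take it as one concatenated URL. A space before the backslash (`mellon \`) makes the two-argument form unambiguous; the `openstack service provider create` block elsewhere in this change already uses that spacing.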
@ -107,15 +107,15 @@ can upload the file, or you may be required to submit the file using `wget` or
Fetch your Identity Provider's Metadata file and copy it to the path specified Fetch your Identity Provider's Metadata file and copy it to the path specified
by the `MellonIdPMetadataFile` directive above. For example: by the `MellonIdPMetadataFile` directive above. For example:
.. code-block:: bash .. code-block:: console
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \ $ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
https://myidp.example.com/idp/saml2/metadata https://myidp.example.com/idp/saml2/metadata
Once you are done, restart the Apache instance that is serving Keystone, for example: Once you are done, restart the Apache instance that is serving Keystone, for example:
.. code-block:: bash .. code-block:: console
$ service apache2 restart # service apache2 restart
.. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh .. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh
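Review bot: the `wget ... -O /etc/apache2/mellon/idp-metadata.xml` command keeps the `$` prompt, but it writes into `/etc/apache2/mellon/`, which is normally root-owned, so under the convention this change applies (`#` for commands that need root, as `service apache2 restart` just below now uses) it should also be `#`. Separately, `--cacert` is curl's spelling; wget's option is `--ca-certificate=/path/to/ca.crt`, so the command as written fails. Keep the option in some form, though: pinning the CA for the metadata fetch is what makes the downloaded IdP metadata trustworthy, and the text could say so.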


@ -24,43 +24,43 @@ Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openi
To install `mod_auth_openidc` on Ubuntu, perform the following: To install `mod_auth_openidc` on Ubuntu, perform the following:
.. code-block:: bash .. code-block:: console
$ sudo apt-get install libapache2-mod-auth-openidc # apt-get install libapache2-mod-auth-openidc
This module is available for other distributions (Fedora/CentOS/Red Hat) from: This module is available for other distributions (Fedora/CentOS/Red Hat) from:
https://github.com/pingidentity/mod_auth_openidc/releases https://github.com/pingidentity/mod_auth_openidc/releases
Enable the auth_openidc module: Enable the auth_openidc module:
.. code-block:: bash .. code-block:: console
$ sudo a2enmod auth_openidc # a2enmod auth_openidc
In the keystone vhost file, locate the virtual host entry and add the following In the keystone vhost file, locate the virtual host entry and add the following
entries for OpenID Connect: entries for OpenID Connect:
.. code-block:: none .. code-block:: apache
<VirtualHost *:5000> <VirtualHost *:5000>
... ...
OIDCClaimPrefix "OIDC-" OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token" OIDCResponseType "id_token"
OIDCScope "openid email profile" OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata> OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id> OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret> OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack OIDCCryptoPassphrase openstack
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth> <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
AuthType openid-connect AuthType openid-connect
Require valid-user Require valid-user
LogLevel debug LogLevel debug
</LocationMatch> </LocationMatch>
</VirtualHost> </VirtualHost>
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
If not using `OIDCProviderMetadataURL`, then the following attributes If not using `OIDCProviderMetadataURL`, then the following attributes
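Review bot: now that this block is highlighted as Apache config, two values in it stand out. `OIDCCryptoPassphrase openstack` is a literal, guessable passphrase for the secret that protects mod_auth_openidc's state and session cookies, while the neighbouring secrets (`<openid_client_id>`, `<openid_client_secret>`) are placeholders; and `LogLevel debug` inside the `<LocationMatch>` will log verbose authentication detail if copied into production. Suggest `OIDCCryptoPassphrase <random_passphrase>` for consistency with the other placeholders, and either dropping `LogLevel debug` or noting that it is for troubleshooting only.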
@ -75,9 +75,9 @@ for more details
Once you are done, restart your Apache daemon: Once you are done, restart your Apache daemon:
.. code-block:: bash .. code-block:: console
$ sudo service apache2 restart # service apache2 restart
Tips Tips
---- ----


@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
example: example:
.. code-block:: bash .. code-block:: console
$ apt-get install libapache2-mod-shib2 # apt-get install libapache2-mod-shib2
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow: Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
@ -39,23 +39,25 @@ Add this *WSGIScriptAliasMatch* directive to your public vhost configuration::
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1 WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
Shibboleth module and a *<Location>* directive for each identity provider:: Shibboleth module and a *<Location>* directive for each identity provider
<Location /Shibboleth.sso> .. code-block:: apache
SetHandler shib
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth> <Location /Shibboleth.sso>
ShibRequestSetting requireSession 1 SetHandler shib
AuthType shibboleth </Location>
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4> <Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
ShibRequireSession On ShibRequestSetting requireSession 1
ShibRequireAll On AuthType shibboleth
</IfVersion> ShibExportAssertion Off
</Location> Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
.. NOTE:: .. NOTE::
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_ * ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
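Review bot: converting the literal block to a `code-block` changed the context line "a *<Location>* directive for each identity provider::" to "... for each identity provider", dropping the introducing colon entirely, so the sentence now ends without punctuation. Replace the `::` with a single `:` so it still reads as an introduction to the block (the equivalent sentence in the mellon guide has the same gap, but that one is pre-existing).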
@ -68,15 +70,15 @@ Shibboleth module and a *<Location>* directive for each identity provider::
Enable the ``shib2`` module, for example: Enable the ``shib2`` module, for example:
.. code-block:: bash .. code-block:: console
$ a2enmod shib2 # a2enmod shib2
Restart Apache, for example: Restart Apache, for example:
.. code-block:: bash .. code-block:: console
$ service apache2 restart # service apache2 restart
Configuring shibboleth2.xml Configuring shibboleth2.xml
--------------------------- ---------------------------
@ -86,9 +88,9 @@ configure Shibboleth and upload your Metadata to the Identity Provider.
Create a new keypair for Shibboleth with: Create a new keypair for Shibboleth with:
.. code-block:: bash .. code-block:: console
$ shib-keygen -y <number of years> # shib-keygen -y <number of years>
The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``. The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
@ -101,20 +103,20 @@ file. You will want to change five settings:
.. code-block:: xml .. code-block:: xml
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth"> <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
* Set the IdP entity ID. This value is determined by the IdP. For example, if * Set the IdP entity ID. This value is determined by the IdP. For example, if
Keystone is the IdP: Keystone is the IdP:
.. code-block:: xml .. code-block:: xml
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp"> <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
Example if samltest.id is the IdP: Example if samltest.id is the IdP:
.. code-block:: xml .. code-block:: xml
<SSO entityID="https://samltest.id/saml/idp"> <SSO entityID="https://samltest.id/saml/idp">
* Remove the discoveryURL lines unless you want to enable advanced IdP discovery. * Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
@ -123,13 +125,13 @@ Example if samltest.id is the IdP:
.. code-block:: xml .. code-block:: xml
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/> <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
Example if samltest.id is the IdP: Example if samltest.id is the IdP:
.. code-block:: xml .. code-block:: xml
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" /> <MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_ You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
@ -138,143 +140,143 @@ to be used in a production environment):
.. code-block:: xml .. code-block:: xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180"> clockSkew="180">
<!-- <!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them. are used. See example-shibboleth2.xml for samples of explicitly configuring them.
--> -->
<!-- <!--
To customize behavior for specific resources on Apache, and to link vhosts or To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands. resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
--> -->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth"> <ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
<!-- <!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers. Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications. You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites. the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled. security of your site. Stealing sessions via cookie theft is much easier with this disabled.
--> -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem" <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http"> checkAddress="false" handlerSSL="false" cookieProps="http">
<!-- <!--
Configures SSO for a default IdP. To allow for >1 IdP, remove Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service. entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess. You can also override entityID on /Login query string, or in RequestMap/htaccess.
--> -->
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp"> <SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
SAML2 SAML1 SAML2 SAML1
</SSO> </SSO>
<!-- SAML and local-only logout. --> <!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout> <Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. --> <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. --> <!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. --> <!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/> <Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. --> <!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions> </Sessions>
<!-- <!--
Allows overriding of error template information/filenames. You can Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates. also add attributes with values that can be plugged into the templates.
--> -->
<Errors supportContact="root@localhost" <Errors supportContact="root@localhost"
helpLocation="/about.html" helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/> styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. --> <!-- Example of remotely supplied batch of signed metadata. -->
<!-- <!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml" <MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200"> backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/> <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider> </MetadataProvider>
--> -->
<!-- Example of locally maintained metadata. --> <!-- Example of locally maintained metadata. -->
<!-- <!--
<MetadataProvider type="XML" file="partner-metadata.xml"/> <MetadataProvider type="XML" file="partner-metadata.xml"/>
--> -->
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/> <MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
<!-- Map to extract attributes from SAML assertions. --> <!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. --> <!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. --> <!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. --> <!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!-- <!--
The default settings can be overridden by creating ApplicationOverride elements (see The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting. applicationId setting.
Example of a second application (for a second vhost) that has a different entityID. Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin": Resources on the vhost would map to an applicationId of "admin":
--> -->
<!-- <!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
--> -->
</ApplicationDefaults> </ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. --> <!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. --> <!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig> </SPConfig>
If keystone is your IdP, you will need to examine your attributes map file If keystone is your IdP, you will need to examine your attributes map file
``/etc/shibboleth/attribute-map.xml`` and add the following attributes: ``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
.. code-block:: xml .. code-block:: xml
<Attribute name="openstack_user" id="openstack_user"/> <Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/> <Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/> <Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/> <Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/> <Attribute name="openstack_project_domain" id="openstack_project_domain"/>
For more information see the For more information see the
`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_ `attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
Once you are done, restart your Shibboleth daemon and apache: Once you are done, restart your Shibboleth daemon and apache:
.. code-block:: bash .. code-block:: console
$ service shibd restart # service shibd restart
$ service apache2 restart # service apache2 restart
Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
correct them. correct them.
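Review bot: the live `<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>` line carries no `MetadataFilter`, while the commented-out remote example a few lines above it shows both `RequireValidUntil` and `Signature` filters; since the surrounding prose never says why the filters are dropped, a sentence stating that the trust here rests on the HTTPS connection to the IdP, and that the `Signature` filter applies when the IdP signs its metadata, would help readers who copy this block. The `# service shibd restart` / `# service apache2 restart` lines are correctly switched to the root prompt inside the new `console` block.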
@ -282,9 +284,9 @@ correct them.
Upload your Service Provider's metadata file to your Identity Provider. You can Upload your Service Provider's metadata file to your Identity Provider. You can
fetch it with: fetch it with:
.. code-block:: bash .. code-block:: console
$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata # wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
This step depends on your Identity Provider choice and is not covered here. This step depends on your Identity Provider choice and is not covered here.
If keystone is your Identity Provider you do not need to upload this file. If keystone is your Identity Provider you do not need to upload this file.
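Review bot: the prompt change from `$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata` to `# wget ...` looks wrong under the conventions this change cites: fetching the SP metadata over HTTP does not require root, so the `$` prompt should stay (only the `service ... restart` lines in the previous hunk need `#`).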


@ -27,9 +27,9 @@ prevent man-in-the-middle (MITM) attacks.
.. code-block:: ini .. code-block:: ini
[federation] [federation]
trusted_dashboard = http://acme.horizon.com/auth/websso/ trusted_dashboard = http://acme.horizon.com/auth/websso/
trusted_dashboard = http://beta.horizon.com/auth/websso/ trusted_dashboard = http://beta.horizon.com/auth/websso/
2. Update httpd vhost file with websso information. 2. Update httpd vhost file with websso information.
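Review bot: the hunk header says these `trusted_dashboard` entries exist to prevent man-in-the-middle attacks, yet both sample values use plain `http://` (`http://acme.horizon.com/auth/websso/`, `http://beta.horizon.com/auth/websso/`); since the indentation is being touched anyway, switching the examples to `https://` would keep the sample consistent with its stated purpose.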
@ -47,95 +47,95 @@ is configured in keystone.
If `mod_shib` is used, then use the following as an example: If `mod_shib` is used, then use the following as an example:
.. code-block:: none .. code-block:: apache
<VirtualHost *:5000> <VirtualHost *:5000>
... ...
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType shibboleth AuthType shibboleth
Require valid-user Require valid-user
ShibRequestSetting requireSession 1 ShibRequestSetting requireSession 1
ShibRequireSession On ShibRequireSession On
ShibExportAssertion Off ShibExportAssertion Off
</Location> </Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso"> <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType shibboleth AuthType shibboleth
Require valid-user Require valid-user
</Location> </Location>
</VirtualHost> </VirtualHost>
If `mod_auth_openidc` is used, then use the following as an example: If `mod_auth_openidc` is used, then use the following as an example:
.. code-block:: none .. code-block:: apache
<VirtualHost *:5000> <VirtualHost *:5000>
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
... ...
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid"> <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
AuthType openid-connect AuthType openid-connect
Require valid-user Require valid-user
... ...
</Location> </Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso"> <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
AuthType openid-connect AuthType openid-connect
Require valid-user Require valid-user
... ...
</Location> </Location>
</VirtualHost> </VirtualHost>
If `mod_auth_kerb` is used, then use the following as an example: If `mod_auth_kerb` is used, then use the following as an example:
.. code-block:: none .. code-block:: apache
<VirtualHost *:5000> <VirtualHost *:5000>
... ...
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos"> <Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
AuthType Kerberos AuthType Kerberos
AuthName "Acme Corporation" AuthName "Acme Corporation"
KrbMethodNegotiate on KrbMethodNegotiate on
KrbMethodK5Passwd off KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab Krb5Keytab /etc/apache2/http.keytab
... ...
</Location> </Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso"> <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
AuthType Kerberos AuthType Kerberos
AuthName "Acme Corporation" AuthName "Acme Corporation"
KrbMethodNegotiate on KrbMethodNegotiate on
KrbMethodK5Passwd off KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab Krb5Keytab /etc/apache2/http.keytab
... ...
</Location> </Location>
</VirtualHost> </VirtualHost>
If `mod_auth_mellon` is used, then use the following as an example: If `mod_auth_mellon` is used, then use the following as an example:
.. code-block:: none .. code-block:: apache
<VirtualHost *:5000> <VirtualHost *:5000>
... ...
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType Mellon AuthType Mellon
MellonEnable auth MellonEnable auth
Require valid-user Require valid-user
... ...
</Location> </Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso"> <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType Mellon AuthType Mellon
MellonEnable auth MellonEnable auth
Require valid-user Require valid-user
... ...
</Location> </Location>
</VirtualHost> </VirtualHost>
.. NOTE:: .. NOTE::
If you are also using SSO via the API, don't forget to make the Location If you are also using SSO via the API, don't forget to make the Location
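Review bot: in the `mod_shib` example, `ShibRequestSetting requireSession 1` and `ShibRequireSession On` express the same setting twice; the `ShibRequestSetting` form is the current spelling and the `ShibRequireSession` line is the legacy one, so keeping only the first would avoid confusing readers about which directive is authoritative. The switch from `none` to `apache` highlighting is fine for all four vhost blocks.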
@ -155,17 +155,17 @@ It is recommended that this option be set on a per-protocol basis.
.. code-block:: ini .. code-block:: ini
[saml2] [saml2]
remote_id_attribute = Shib-Identity-Provider remote_id_attribute = Shib-Identity-Provider
[openid] [openid]
remote_id_attribute = HTTP_OIDC_ISS remote_id_attribute = HTTP_OIDC_ISS
Alternatively, a generic option may be set at the `[federation]` level. Alternatively, a generic option may be set at the `[federation]` level.
.. code-block:: ini .. code-block:: ini
[federation] [federation]
remote_id_attribute = HTTP_OIDC_ISS remote_id_attribute = HTTP_OIDC_ISS
4. Copy the `sso_callback_template.html 4. Copy the `sso_callback_template.html
<https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__ <https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
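Review bot: the generic `[federation] remote_id_attribute = HTTP_OIDC_ISS` alternative is shown right after a per-protocol `[saml2]` block that uses `Shib-Identity-Provider`, and nothing in the prose says how the two interact; a short sentence noting that a per-protocol value takes precedence over the `[federation]` value, and that the generic option is only appropriate when every protocol exports the same header, would prevent readers from combining the two samples as written.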
@ -188,7 +188,7 @@ this will provide users with an updated login screen for horizon.
.. code-block:: python .. code-block:: python
WEBSSO_ENABLED = True WEBSSO_ENABLED = True
2. (Optional) Create a list of authentication methods with the 2. (Optional) Create a list of authentication methods with the
`WEBSSO_CHOICES` option. `WEBSSO_CHOICES` option.
@ -202,13 +202,13 @@ identity backend.
.. code-block:: python .. code-block:: python
WEBSSO_CHOICES = ( WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")), ("credentials", _("Keystone Credentials")),
("openid", _("OpenID Connect")), ("openid", _("OpenID Connect")),
("saml2", _("Security Assertion Markup Language")), ("saml2", _("Security Assertion Markup Language")),
("myidp_openid", "Acme Corporation - OpenID Connect"), ("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_saml2", "Acme Corporation - SAML2") ("myidp_saml2", "Acme Corporation - SAML2")
) )
3. (Optional) Create a dictionary of specific identity provider and federation 3. (Optional) Create a dictionary of specific identity provider and federation
protocol combinations. protocol combinations.
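Review bot: the `WEBSSO_CHOICES` sample wraps the first three labels in `_()` for translation (`_("Keystone Credentials")`, `_("OpenID Connect")`, `_("Security Assertion Markup Language")`) but leaves the two `"Acme Corporation - ..."` labels as bare strings; either wrap all five or add a short note that deployment-specific labels are intentionally left untranslated.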
@ -222,10 +222,10 @@ protocol endpoint.
.. code-block:: python .. code-block:: python
WEBSSO_IDP_MAPPING = { WEBSSO_IDP_MAPPING = {
"myidp_openid": ("myidp", "openid"), "myidp_openid": ("myidp", "openid"),
"myidp_saml2": ("myidp", "saml2") "myidp_saml2": ("myidp", "saml2")
} }
.. NOTE:: .. NOTE::
@ -240,10 +240,10 @@ automatically set that choice to be highlighted by default.
.. code-block:: python .. code-block:: python
WEBSSO_INITIAL_CHOICE = "credentials" WEBSSO_INITIAL_CHOICE = "credentials"
7. Restart your web server: 7. Restart your web server:
.. code-block:: bash .. code-block:: console
$ sudo service apache2 restart # service apache2 restart