
Update federation SP prerequisites section

Remove outdated information, update version information and expand on
preliminary information that will be needed throughout the rest of the
guide.

Partial-bug: #1793374

Change-Id: I0e5c4ccde4c88bec3fa78114e1ede9545ed98678
tags/15.0.0.0rc1
Colleen Murphy 6 months ago
parent
commit
bc202f7043
1 changed file with 29 additions and 23 deletions:

doc/source/admin/federation/configure_federation.rst (+29, -23)

@@ -18,23 +18,11 @@ Configuring Keystone for Federation
18 18
 Keystone as a Service Provider (SP)
19 19
 -----------------------------------
20 20
 
21
-.. NOTE::
22
-
23
-    This feature is considered stable and supported as of the Juno release.
24
-
25 21
 Prerequisites
26 22
 -------------
27 23
 
28
-This approach to federation supports keystone as a Service Provider, consuming
29
-identity properties issued by an external Identity Provider, such as SAML
30
-assertions or OpenID Connect claims, or by using
31
-`Keystone as an Identity Provider (IdP)`_.
32
-
33
-Federated users are not mirrored in the keystone identity backend
34
-(for example, using the SQL driver). The external Identity Provider is
35
-responsible for authenticating users, and communicates the result of
36
-authentication to keystone using identity properties. Keystone maps these
37
-values to keystone user groups and assignments created in keystone.
24
+If you are not familiar with the idea of federated identity, see the
25
+`introduction`_ first.
38 26
 
39 27
 In this section, we will configure keystone as a Service Provider, consuming
40 28
 identity properties issued by an external Identity Provider, such as SAML
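Review bot: The deleted paragraph ("Federated users are not mirrored in the keystone identity backend ... Keystone maps these values to keystone user groups and assignments") is the only place in this section that states the trust boundary for federation, namely that the external Identity Provider authenticates the user and keystone only maps the asserted attributes to local groups and assignments. The replacement "If you are not familiar with the idea of federated identity, see the `introduction`_ first." is fine as a pointer, but please confirm the linked introduction actually carries that statement; if it does not, keep one sentence of it here, since an administrator configuring mappings needs to understand that the IdP, not the keystone identity backend, is the authentication authority. Removing the duplicated first paragraph and the Juno stability note is otherwise a clean change, as the kept context ("In this section, we will configure keystone as a Service Provider ...") already says the same thing.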
@@ -46,14 +34,29 @@ up keystone with a dummy SAML provider first and then reconfigure it to point to
46 34
 the keystone Identity Provider later.
47 35
 
48 36
 The following configuration steps were performed on a machine running
49
-Ubuntu 14.04 and Apache 2.4.7.
37
+Ubuntu 16.04 and Apache 2.4.18.
38
+
39
+To enable federation, you'll need to run keystone behind a web server such as
40
+Apache rather than running the WSGI application directly with uWSGI or Gunicorn.
41
+See the installation guide for `SUSE`_, `RedHat`_ or `Ubuntu`_ to configure
42
+the Apache web server for keystone.
43
+
44
+Throughout the rest of the guide, you will need to decide on three pieces of
45
+information and use them consistently throughout your configuration:
46
+
47
+1. The protocol name. This must be a valid keystone auth method and must match
48
+   one of: ``saml2``, ``openid``, ``mapped`` or a `custom auth method`_ for which
49
+   you must `register as an external driver`_.
50
+
51
+2. The identity provider name. This can be arbitrary.
50 52
 
51
-To enable federation, you'll need to:
53
+3. The entity ID of the service provider. This should be a URN but need not
54
+   resolve to anything.
52 55
 
53
-1. Run keystone under Apache for `SUSE`_, `RedHat`_ or `Ubuntu`_, rather than
54
-   using uwsgi command.
55
-2. `Configure Apache to use a federation capable authentication method`_.
56
-3. `Configure Federation in Keystone`_.
56
+You will also need to decide what HTTPD module to use as a Service Provider.
57
+This guide provides examples for ``mod_shib`` and ``mod_auth_mellon`` as SAML
58
+service providers, and ``mod_auth_openidc`` as an OpenID Connect Service
59
+Provider.
57 60
 
58 61
 .. note::
59 62
 
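Review bot: In item 3, "The entity ID of the service provider. This should be a URN but need not resolve to anything." is more restrictive than the SAML specification, which defines entityID as a URI; URL-form entity IDs are common and accepted by the SAML modules named in this hunk, so "should be a URI" would be accurate. It would also help to say why consistency matters: the entity ID is what the Identity Provider addresses its assertions to, so a value that differs between the SP module configuration and the metadata given to the IdP results in rejected assertions rather than a visible configuration error. Two smaller points: the lead-in says "decide on three pieces of information" while the following paragraph adds a fourth decision (the HTTPD module), so "three" could be dropped; and item 1's "must be a valid keystone auth method" would be clearer with a pointer to where the auth methods are enabled in keystone's configuration, since a protocol name that is not an enabled auth method fails only at authentication time.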
@@ -64,10 +67,13 @@ To enable federation, you'll need to:
64 67
    ``/identity`` (for example), take this into account in your own
65 68
    configuration.
66 69
 
70
+.. _introduction: introduction
67 71
 .. _samltest.id: https://samltest.id
68
-.. _`SUSE`: ../../install/keystone-install-obs.html#configure-the-apache-http-server
69
-.. _`RedHat`: ../../install/keystone-install-rdo.html#configure-the-apache-http-server
70
-.. _`Ubuntu`: ../../install/keystone-install-ubuntu.html#configure-the-apache-http-server
72
+.. _SUSE: ../../install/keystone-install-obs.html#configure-the-apache-http-server
73
+.. _RedHat: ../../install/keystone-install-rdo.html#configure-the-apache-http-server
74
+.. _Ubuntu: ../../install/keystone-install-ubuntu.html#configure-the-apache-http-server
75
+.. _custom auth method: ../../contributor/auth-plugins
76
+.. _register as an external driver: ../../contributor/developing-drivers
71 77
 
72 78
 Configure Apache to use a federation capable authentication method
73 79
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
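Review bot: The new target ``.. _introduction: introduction`` (and likewise ``.. _custom auth method: ../../contributor/auth-plugins`` and ``.. _register as an external driver: ../../contributor/developing-drivers``) has no ``.html`` suffix, unlike the neighbouring targets such as ``../../install/keystone-install-obs.html#configure-the-apache-http-server``. Sphinx emits external hyperlink targets verbatim, so these links only work if the web server resolves extension-less paths. Either add the ``.html`` suffix for consistency with the existing targets or, preferably for intra-project pages, use the ``:doc:`` role (for example ``:doc:`introduction```) so that Sphinx resolves the link and reports it if the document is missing. The change from the quoted ``.. _`SUSE`:`` form to ``.. _SUSE:`` is equivalent and fine.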
