Upload service provider metadata to testshib

In order to register the service provider in testshib, we need to upload
its metadata.

Also makes some minor fixes.

Change-Id: Idfe0eb016370e7776de3525a813d0535cfc75e27
Rodrigo Duarte Sousa 2016-11-22 10:10:28 -03:00
parent ec9e5b2b26
commit bd37276b5b
2 changed files with 23 additions and 2 deletions


@ -3,7 +3,7 @@
SetHandler shib SetHandler shib
</Location> </Location>
<Location /identity/v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth> <Location /identity/v3/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/mapped/auth>
ShibRequestSetting requireSession 1 ShibRequestSetting requireSession 1
AuthType shibboleth AuthType shibboleth
ShibExportAssertion Off ShibExportAssertion Off
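Review bot: The `%IDP_ID%` token in the `<Location>` path has to be replaced with the real identity provider id before Apache loads this block, and no substitution step is visible in the other file section on this page. If the token reached Apache literally, the block would not match the real `.../identity_providers/<idp>/protocols/mapped/auth` path, so `ShibRequestSetting requireSession 1` would presumably not be enforced on it. Please confirm that configure_federation rewrites the token (its middle lies outside the visible hunks), or add the replacement in this change.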


@ -12,6 +12,10 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
IDP_ID=${IDP_ID:-testshib}
function install_federation { function install_federation {
if is_ubuntu; then if is_ubuntu; then
install_package libapache2-mod-shib2 install_package libapache2-mod-shib2
@ -22,12 +26,25 @@ function install_federation {
# Enable the Shibboleth module for Apache # Enable the Shibboleth module for Apache
sudo a2enmod shib2 sudo a2enmod shib2
else else
# Note(knikolla): For CentOS/RHEL, installing shibboleth is tricky # NOTE(knikolla): For CentOS/RHEL, installing shibboleth is tricky
# It requires adding a separate repo not officially supported # It requires adding a separate repo not officially supported
echo "Skipping installation of shibboleth for non ubuntu host" echo "Skipping installation of shibboleth for non ubuntu host"
fi fi
} }
function upload_sp_metadata {
local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp
local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata
wget $metadata_url -O $FILES/$metadata_fname
if [[ $? -ne 0 ]]; then
echo "Not found: $metadata_url"
return
fi
curl --form userfile=@"$FILES/${metadata_fname}" "https://www.testshib.org/procupload.php"
}
function configure_federation { function configure_federation {
local keystone_apache_conf=$(apache_site_config_for keystone) local keystone_apache_conf=$(apache_site_config_for keystone)
@ -50,8 +67,12 @@ function configure_federation {
# Enable the mapped auth method in /etc/keystone.conf # Enable the mapped auth method in /etc/keystone.conf
iniset $KEYSTONE_CONF auth methods "external,password,token,mapped" iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
# Specify the header that contains information about the identity provider # Specify the header that contains information about the identity provider
iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider" iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
# Register the service provider
upload_sp_metadata
} }
function register_federation { function register_federation {
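Review bot: upload_sp_metadata always posts the service provider metadata to `https://www.testshib.org/procupload.php`, even though this commit makes `IDP_ID` overridable, so a deployment pointed at a different identity provider would still send its metadata (typically endpoints and signing certificate) to a third party. Guard the call in configure_federation, for example `if [[ "$IDP_ID" == "testshib" ]]; then upload_sp_metadata; fi`. Inside the function, the bare `return` after the wget failure yields the status of the preceding `echo` (0) and curl runs without `--fail`, so a failed fetch or a rejected upload goes unnoticed; `return 1` and `curl --fail` would surface both. The wget arguments are also unquoted and should read `wget "$metadata_url" -O "$FILES/$metadata_fname"`. configure_federation's body starts outside the visible hunks.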