diff --git a/doc/source/configure_federation.rst b/doc/source/federation/configure_federation.rst similarity index 99% rename from doc/source/configure_federation.rst rename to doc/source/federation/configure_federation.rst index 644d3175cc..53d28acfd2 100644 --- a/doc/source/configure_federation.rst +++ b/doc/source/federation/configure_federation.rst @@ -11,7 +11,6 @@ License for the specific language governing permissions and limitations under the License. -=================================== Configuring Keystone for Federation =================================== diff --git a/doc/source/federation/federated_identity.rst b/doc/source/federation/federated_identity.rst new file mode 100644 index 0000000000..ddbe14738d --- /dev/null +++ b/doc/source/federation/federated_identity.rst @@ -0,0 +1,13 @@ +================== +Federated Identity +================== + +Keystone's one-stop-shop for all federated identity documentation. + +.. include:: configure_federation.rst +.. include:: mapping_combinations.rst +.. include:: mapping_schema.rst +.. include:: openidc.rst +.. include:: mellon.rst +.. include:: shibboleth.rst +.. include:: websso.rst diff --git a/doc/source/mapping_combinations.rst b/doc/source/federation/mapping_combinations.rst similarity index 99% rename from doc/source/mapping_combinations.rst rename to doc/source/federation/mapping_combinations.rst index 1b275a4a16..313b6512a1 100644 --- a/doc/source/mapping_combinations.rst +++ b/doc/source/federation/mapping_combinations.rst @@ -11,9 +11,8 @@ License for the specific language governing permissions and limitations under the License. -=================================== -Mapping Combinations for Federation -=================================== +Mapping Combinations +==================== ----------- Description 
diff --git a/doc/source/mapping_schema.rst b/doc/source/federation/mapping_schema.rst similarity index 98% rename from doc/source/mapping_schema.rst rename to doc/source/federation/mapping_schema.rst index 036df82711..7e00e6f116 100644 --- a/doc/source/mapping_schema.rst +++ b/doc/source/federation/mapping_schema.rst @@ -11,10 +11,10 @@ License for the specific language governing permissions and limitations under the License. -============================= -Mapping Schema for Federation -============================= +Mapping Schema +============== +----------- Description ----------- @@ -24,6 +24,7 @@ It shows all the requirements and possibilities for a JSON to be used for mappin Mapping schema is validated with `JSON Schema `__ +-------------- Mapping Schema -------------- diff --git a/doc/source/federation/mellon.rst b/doc/source/federation/mellon.rst index 9c4675b7eb..871110f35e 100644 --- a/doc/source/federation/mellon.rst +++ b/doc/source/federation/mellon.rst @@ -1,5 +1,3 @@ -:orphan: - .. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain @@ -13,12 +11,12 @@ License for the specific language governing permissions and limitations under the License. -============================== -Setup Mellon (mod_auth_mellon) -============================== +Setup Mellon +============ +------------------------------------------ Configure Apache HTTPD for mod_auth_mellon -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------------------------ Follow the steps outlined at: `Running Keystone in HTTPD`_. 
@@ -38,7 +36,9 @@ Add *WSGIScriptAlias* directive to your vhost configuration:: WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1 Make sure the *wsgi-keystone.conf* contains a ** directive for the Mellon module and -a ** directive for each identity provider:: +a ** directive for each identity provider + +..code-block:: xml MellonEnable "info" @@ -84,8 +84,9 @@ Restart the Apache instance that is serving Keystone, for example: $ service apache2 restart +---------------------------------- Configuring the Mellon SP Metadata -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------------- Mellon provides a script called ``mellon_create_metadata.sh`` which generates the values for the config directives `MellonSPPrivateKeyFile`, `MellonSPCertFile`, diff --git a/doc/source/federation/openidc.rst b/doc/source/federation/openidc.rst index ece82d3afd..4ad940b3ab 100644 --- a/doc/source/federation/openidc.rst +++ b/doc/source/federation/openidc.rst @@ -1,5 +1,3 @@ -:orphan: - .. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain @@ -13,12 +11,12 @@ License for the specific language governing permissions and limitations under the License. -==================== Setup OpenID Connect ==================== +---------------------------- Configuring mod_auth_openidc -============================ +---------------------------- Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_) @@ -82,8 +80,9 @@ Once you are done, restart your Apache daemon: $ service apache2 restart +---- Tips -==== +---- 1. When creating a mapping, note that the 'remote' attributes will be prefixed, with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a diff --git a/doc/source/federation/shibboleth.rst b/doc/source/federation/shibboleth.rst index b82bd7036a..a9fd9e6c9a 100644 
--- a/doc/source/federation/shibboleth.rst +++ b/doc/source/federation/shibboleth.rst @@ -1,5 +1,3 @@ -:orphan: - .. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain @@ -13,12 +11,12 @@ License for the specific language governing permissions and limitations under the License. -================ Setup Shibboleth ================ +----------------------------------------- Configure Apache HTTPD for mod_shibboleth -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------------------------- Follow the steps outlined at: `Running Keystone in HTTPD`_. @@ -88,8 +86,9 @@ Restart Apache, for example: $ service apache2 restart +--------------------------- Configuring shibboleth2.xml -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Once you have your Keystone vhost (virtual host) ready, it's then time to configure Shibboleth and upload your Metadata to the Identity Provider. diff --git a/doc/source/federation/websso.rst b/doc/source/federation/websso.rst index 682449ac8d..4e3c6658da 100644 --- a/doc/source/federation/websso.rst +++ b/doc/source/federation/websso.rst @@ -1,5 +1,3 @@ -:orphan: - .. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain @@ -13,12 +11,12 @@ License for the specific language governing permissions and limitations under the License. -=============================== -Keystone Federation and Horizon -=============================== +Setup Web Single Sign-On (SSO) +============================== +---------------- Keystone Changes -================ +---------------- 1. Update `trusted_dashboard` in keystone.conf. 
@@ -208,8 +206,9 @@ Or by using the `OpenStackClient CLI`_: .. _`OpenStackClient CLI`: http://docs.openstack.org/developer/python-openstackclient/command-objects/identity-provider.html#identity-provider-set .. _`OS-FEDERATION API`: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#update-identity-provider +--------------- Horizon Changes -=============== +--------------- .. NOTE:: diff --git a/doc/source/index.rst b/doc/source/index.rst index 75bee3e95f..402662d2a7 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -59,12 +59,14 @@ Getting Started Advanced Topics =============== +.. toctree:: + :maxdepth: 2 + + federation/federated_identity + .. toctree:: :maxdepth: 1 - configure_federation - mapping_combinations - mapping_schema configure_tokenless_x509 auth-totp event_notifications
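Review bot: in doc/source/federation/mellon.rst, the added line `..code-block:: xml` has no space after the two dots, so reStructuredText does not treat it as a directive and prints it as paragraph text. The same hunk also drops the `::` from "a ** directive for each identity provider::", so the indented Mellon configuration below it stops being a literal block. Write `.. code-block:: xml` with a blank line before and after it. Since the block holds Apache directives such as `MellonEnable "info"`, the `apacheconf` lexer may fit better than `xml`.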
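Review bot: the new doc/source/federation/federated_identity.rst pulls in its seven pages with `.. include::` rather than a toctree, while the mellon.rst, openidc.rst, shibboleth.rst and websso.rst hunks delete `:orphan:`. Those files keep the .rst suffix, so Sphinx still builds each one as its own document. With `:orphan:` gone and index.rst listing only `federation/federated_identity`, each of them should produce a "document isn't included in any toctree" warning, and the content gets rendered twice. Either list the pages in a `.. toctree::` inside federated_identity.rst, or keep the includes and exclude the included files from the build (for example through `exclude_patterns` in conf.py, or a non-source suffix).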
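Review bot: in doc/source/federation/mapping_schema.rst the page title is shortened to "Mapping Schema", which is now identical to the existing subsection heading "Mapping Schema" a few lines below it. In addition, "Description" is a subsection in both mapping_combinations.rst and mapping_schema.rst, and both files become one document through the includes in federated_identity.rst. Duplicate section names make implicit section references ambiguous and give the second occurrence a generated anchor. Consider renaming the inner heading (for instance to "Schema") or giving the repeated sections explicit labels.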
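Review bot: the doc/source/index.rst hunk removes `configure_federation`, `mapping_combinations` and `mapping_schema` from the toctree, and the renames move those files under federation/, so the pages previously built at the top level of the docs tree go away without a replacement at the old path. Please check for references to the old locations elsewhere in the tree and in external docs, and mention the move in the commit message, so operators following links to the federation setup instructions do not land on a missing page.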