group federated identity docs together
Several of the federated identity docs were spread out in hard-to-find locations. This puts the documentation more front and center. Expect detailed changes for each doc in future patches.

Change-Id: I82ba117dfd02f921d72b9f010becad57da03e090
parent
89d294a87e
commit
e082c72861
|
@ -11,7 +11,6 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
===================================
|
|
||||||
Configuring Keystone for Federation
|
Configuring Keystone for Federation
|
||||||
===================================
|
===================================
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
==================
|
||||||
|
Federated Identity
|
||||||
|
==================
|
||||||
|
|
||||||
|
Keystone's one-stop-shop for all federated identity documentation.
|
||||||
|
|
||||||
|
.. include:: configure_federation.rst
|
||||||
|
.. include:: mapping_combinations.rst
|
||||||
|
.. include:: mapping_schema.rst
|
||||||
|
.. include:: openidc.rst
|
||||||
|
.. include:: mellon.rst
|
||||||
|
.. include:: shibboleth.rst
|
||||||
|
.. include:: websso.rst
|
|
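Review bot: The seven `.. include::` lines at the end of this new file inline each document's full source, license comment and title included, yet the source files stay in the tree while this commit either drops them from the index toctree (three entries) or strips their `:orphan:` marker (four files). Unless they are renamed to a non-source suffix or listed in `exclude_patterns`, Sphinx will still build each one as a standalone page, warn that it is not included in any toctree, and publish the content twice. A `.. toctree::` listing the seven documents here would give the same grouping without the duplication.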
@ -11,9 +11,8 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
===================================
|
Mapping Combinations
|
||||||
Mapping Combinations for Federation
|
====================
|
||||||
===================================
|
|
||||||
|
|
||||||
-----------
|
-----------
|
||||||
Description
|
Description
|
|
@ -11,10 +11,10 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
=============================
|
Mapping Schema
|
||||||
Mapping Schema for Federation
|
==============
|
||||||
=============================
|
|
||||||
|
|
||||||
|
-----------
|
||||||
Description
|
Description
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
|
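Review bot: The new title "Mapping Schema" collides with the existing section heading "Mapping Schema" further down the same file (visible in the next hunk), so the page ends up with a document title and a subsection that share a name and an implicit link target. Keep a distinguishing title here or rename the subsection, for example to "Schema Definition".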
@ -24,6 +24,7 @@ It shows all the requirements and possibilities for a JSON to be used for mappin
|
||||||
Mapping schema is validated with `JSON Schema
|
Mapping schema is validated with `JSON Schema
|
||||||
<http://json-schema.org/documentation.html>`__
|
<http://json-schema.org/documentation.html>`__
|
||||||
|
|
||||||
|
--------------
|
||||||
Mapping Schema
|
Mapping Schema
|
||||||
--------------
|
--------------
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
:orphan:
|
|
||||||
|
|
||||||
..
|
..
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
not use this file except in compliance with the License. You may obtain
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
@ -13,12 +11,12 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
==============================
|
Setup Mellon
|
||||||
Setup Mellon (mod_auth_mellon)
|
============
|
||||||
==============================
|
|
||||||
|
|
||||||
|
------------------------------------------
|
||||||
Configure Apache HTTPD for mod_auth_mellon
|
Configure Apache HTTPD for mod_auth_mellon
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
------------------------------------------
|
||||||
|
|
||||||
Follow the steps outlined at: `Running Keystone in HTTPD`_.
|
Follow the steps outlined at: `Running Keystone in HTTPD`_.
|
||||||
|
|
||||||
|
@ -38,7 +36,9 @@ Add *WSGIScriptAlias* directive to your vhost configuration::
|
||||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
|
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
|
||||||
|
|
||||||
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
|
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
|
||||||
a *<Location>* directive for each identity provider::
|
a *<Location>* directive for each identity provider
|
||||||
|
|
||||||
|
..code-block:: xml
|
||||||
|
|
||||||
<Location /v3>
|
<Location /v3>
|
||||||
MellonEnable "info"
|
MellonEnable "info"
|
||||||
|
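Review bot: The added line `..code-block:: xml` has no space after the two dots, so docutils does not parse it as a directive and renders it as ordinary paragraph text. Because the trailing `::` was also removed from the sentence above it, the `<Location>` example loses its literal-block formatting and falls back to a block quote. Write `.. code-block:: xml` with the space, and consider `apacheconf` as the lexer, since the block is httpd configuration rather than XML.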
@ -84,8 +84,9 @@ Restart the Apache instance that is serving Keystone, for example:
|
||||||
|
|
||||||
$ service apache2 restart
|
$ service apache2 restart
|
||||||
|
|
||||||
|
----------------------------------
|
||||||
Configuring the Mellon SP Metadata
|
Configuring the Mellon SP Metadata
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
----------------------------------
|
||||||
|
|
||||||
Mellon provides a script called ``mellon_create_metadata.sh`` which generates the
|
Mellon provides a script called ``mellon_create_metadata.sh`` which generates the
|
||||||
values for the config directives `MellonSPPrivateKeyFile`, `MellonSPCertFile`,
|
values for the config directives `MellonSPPrivateKeyFile`, `MellonSPCertFile`,
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
:orphan:
|
|
||||||
|
|
||||||
..
|
..
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
not use this file except in compliance with the License. You may obtain
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
@ -13,12 +11,12 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
====================
|
|
||||||
Setup OpenID Connect
|
Setup OpenID Connect
|
||||||
====================
|
====================
|
||||||
|
|
||||||
|
----------------------------
|
||||||
Configuring mod_auth_openidc
|
Configuring mod_auth_openidc
|
||||||
============================
|
----------------------------
|
||||||
|
|
||||||
Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_)
|
Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_)
|
||||||
|
|
||||||
|
@ -82,8 +80,9 @@ Once you are done, restart your Apache daemon:
|
||||||
|
|
||||||
$ service apache2 restart
|
$ service apache2 restart
|
||||||
|
|
||||||
|
----
|
||||||
Tips
|
Tips
|
||||||
====
|
----
|
||||||
|
|
||||||
1. When creating a mapping, note that the 'remote' attributes will be prefixed,
|
1. When creating a mapping, note that the 'remote' attributes will be prefixed,
|
||||||
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
|
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
:orphan:
|
|
||||||
|
|
||||||
..
|
..
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
not use this file except in compliance with the License. You may obtain
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
@ -13,12 +11,12 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
================
|
|
||||||
Setup Shibboleth
|
Setup Shibboleth
|
||||||
================
|
================
|
||||||
|
|
||||||
|
-----------------------------------------
|
||||||
Configure Apache HTTPD for mod_shibboleth
|
Configure Apache HTTPD for mod_shibboleth
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
-----------------------------------------
|
||||||
|
|
||||||
Follow the steps outlined at: `Running Keystone in HTTPD`_.
|
Follow the steps outlined at: `Running Keystone in HTTPD`_.
|
||||||
|
|
||||||
|
@ -88,8 +86,9 @@ Restart Apache, for example:
|
||||||
|
|
||||||
$ service apache2 restart
|
$ service apache2 restart
|
||||||
|
|
||||||
|
---------------------------
|
||||||
Configuring shibboleth2.xml
|
Configuring shibboleth2.xml
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
---------------------------
|
||||||
|
|
||||||
Once you have your Keystone vhost (virtual host) ready, it's then time to
|
Once you have your Keystone vhost (virtual host) ready, it's then time to
|
||||||
configure Shibboleth and upload your Metadata to the Identity Provider.
|
configure Shibboleth and upload your Metadata to the Identity Provider.
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
:orphan:
|
|
||||||
|
|
||||||
..
|
..
|
||||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
not use this file except in compliance with the License. You may obtain
|
not use this file except in compliance with the License. You may obtain
|
||||||
|
@ -13,12 +11,12 @@
|
||||||
License for the specific language governing permissions and limitations
|
License for the specific language governing permissions and limitations
|
||||||
under the License.
|
under the License.
|
||||||
|
|
||||||
===============================
|
Setup Web Single Sign-On (SSO)
|
||||||
Keystone Federation and Horizon
|
==============================
|
||||||
===============================
|
|
||||||
|
|
||||||
|
----------------
|
||||||
Keystone Changes
|
Keystone Changes
|
||||||
================
|
----------------
|
||||||
|
|
||||||
1. Update `trusted_dashboard` in keystone.conf.
|
1. Update `trusted_dashboard` in keystone.conf.
|
||||||
|
|
||||||
|
@ -208,8 +206,9 @@ Or by using the `OpenStackClient CLI`_:
|
||||||
.. _`OpenStackClient CLI`: http://docs.openstack.org/developer/python-openstackclient/command-objects/identity-provider.html#identity-provider-set
|
.. _`OpenStackClient CLI`: http://docs.openstack.org/developer/python-openstackclient/command-objects/identity-provider.html#identity-provider-set
|
||||||
.. _`OS-FEDERATION API`: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#update-identity-provider
|
.. _`OS-FEDERATION API`: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#update-identity-provider
|
||||||
|
|
||||||
|
---------------
|
||||||
Horizon Changes
|
Horizon Changes
|
||||||
===============
|
---------------
|
||||||
|
|
||||||
.. NOTE::
|
.. NOTE::
|
||||||
|
|
||||||
|
|
|
@ -59,12 +59,14 @@ Getting Started
|
||||||
Advanced Topics
|
Advanced Topics
|
||||||
===============
|
===============
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 2
|
||||||
|
|
||||||
|
federation/federated_identity
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
configure_federation
|
|
||||||
mapping_combinations
|
|
||||||
mapping_schema
|
|
||||||
configure_tokenless_x509
|
configure_tokenless_x509
|
||||||
auth-totp
|
auth-totp
|
||||||
event_notifications
|
event_notifications
|
||||||
|
|
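Review bot: The new toctree entry is `federation/federated_identity`, a path inside a subdirectory, while the `.. include::` lines in that file use bare filenames, and include paths resolve relative to the including file. Please confirm the seven included files live in `federation/` as well, otherwise the build fails on the first include. The two back-to-back `.. toctree::` blocks under "Advanced Topics" also use different `:maxdepth:` values; a short comment on why the federation entry is expanded one level deeper would help the next editor.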