openstack/keystone
Code Issues Proposed changes

Switch devstack plugin to samltest.id

Browse Source 
testshib.org is no longer maintained and has been broken for some
time[1]. Use the new samltest.id provider instead.

This is not a permanent solution, this is a stopgap measure until we
configure our own IdP in the devstack plugin.

[1] https://marc.info/?l=shibboleth-users&m=154056288800549&w=2

Change-Id: Ifa514395d9cdb2197ef8a43885ec598483dd7a38
This commit is contained in:
Colleen Murphy 2018-11-03 21:55:42 +01:00
parent c785729efe
commit e4fe2659c4
2 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
devstack/files/federation/attribute-map.xml
View File

@ -63,4 +63,7 @@
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/> <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute> </Attribute>
<!-- UID attribute used by samltest.id -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" />
</Attributes> </Attributes>

23
devstack/lib/federation.sh
View File

@ -16,15 +16,14 @@ DOMAIN_NAME=${DOMAIN_NAME:-federated_domain}
PROJECT_NAME=${PROJECT_NAME:-federated_project} PROJECT_NAME=${PROJECT_NAME:-federated_project}
GROUP_NAME=${GROUP_NAME:-federated_users} GROUP_NAME=${GROUP_NAME:-federated_users}
# TODO(rodrigods): remove/update the settings based at testshib IDP_ID=${IDP_ID:-samltest}
IDP_ID=${IDP_ID:-testshib} IDP_USERNAME=${IDP_USERNAME:-morty}
IDP_USERNAME=${IDP_USERNAME:-myself} IDP_PASSWORD=${IDP_PASSWORD:-panic}
IDP_PASSWORD=${IDP_PASSWORD:-myself} IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://idp.testshib.org/idp/shibboleth} IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
IDP_ECP_URL=${IDP_ECP_URL:-https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP} IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
IDP_METADATA_URL=${IDP_METADATA_URL:-http://www.testshib.org/metadata/testshib-providers.xml}
MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-eppn} MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"} MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
PROTOCOL_ID=${PROTOCOL_ID:-mapped} PROTOCOL_ID=${PROTOCOL_ID:-mapped}
@ -74,7 +73,7 @@ function install_federation {
fi fi
} }
function upload_sp_metadata_to_testshib { function upload_sp_metadata_to_samltest {
local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp local metadata_fname=${HOST_IP//./}_"$RANDOM"_sp
local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata local metadata_url=http://$HOST_IP/Shibboleth.sso/Metadata
@ -84,7 +83,7 @@ function upload_sp_metadata_to_testshib {
return return
fi fi
curl --form userfile=@"$FILES/${metadata_fname}" "https://www.testshib.org/procupload.php" curl --form userfile=@"$FILES/${metadata_fname}" --form "submit=OK" "https://samltest.id/upload.php"
} }
function configure_federation { function configure_federation {
@ -115,8 +114,8 @@ function configure_federation {
# TODO(knikolla): We should not be relying on an external service. This # TODO(knikolla): We should not be relying on an external service. This
# will be removed once we have an idp deployed during devstack install. # will be removed once we have an idp deployed during devstack install.
if [[ "$IDP_ID" == "testshib" ]]; then if [[ "$IDP_ID" == "samltest" ]]; then
upload_sp_metadata_to_testshib upload_sp_metadata_to_samltest
fi fi
} }