Merge "Correct and enhance OpenId Connect docs"

Jenkins 2017-02-27 22:00:40 +00:00 committed by Gerrit Code Review
commit f89335b09d
3 changed files with 30 additions and 30 deletions


@ -168,14 +168,14 @@ Provider we will use to authenticate end users:
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
The value for the ``remote-id`` option is the Entity ID provided by the IdP,
which can be found as the EntityDescriptor entityID in the IdP's provided
metadata. If the IdP is a keystone IdP, it is the value set in that keystone's
``[saml]/idp_entity_id`` option. It will usually appear as a URI but there is
no requirement for it to resolve to anything and may be arbitrarily decided by
the administrator of the IdP. The local name, here called 'myidp', is decided
by you and will be used by the mapping and protocol, and later for
authentication.
The value for the ``remote-id`` option is the unique identifier provided by the
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
provided metadata. If the IdP is a keystone IdP, it is the value set in that
keystone's ``[saml]/idp_entity_id`` option. For an OpenID Connect IdP, it is
the IdP's Issuer Identifier. It will usually appear as a URI but there is no
requirement for it to resolve to anything and may be arbitrarily decided by the
administrator of the IdP. The local name, here called 'myidp', is decided by
you and will be used by the mapping and protocol, and later for authentication.
A keystone identity provider may have multiple `remote_ids` specified, this
allows the same *keystone* identity provider resource to be used with multiple
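Review bot: the new sentence "For a SAML IdP it can found as the EntityDescriptor entityID" is missing a word and should read "it can be found". While touching this paragraph, it should say that keystone compares the remote ID against the value the IdP actually emits (the SAML entityID or the OpenID Connect `iss` value), so it has to be copied exactly, including scheme and any trailing slash; "may be arbitrarily decided by the administrator of the IdP" reads as if the keystone operator had latitude in choosing it, which they do not.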
@ -193,10 +193,10 @@ This removes the need to configure N identity providers in keystone.
`remote_id_attribute` key.
For example, if our identity provider is ``google``, the mapping used is
``google_mapping`` and the protocol is ``oidc``. The identity provider's
remote IDs would be: [``accounts.google.com``].
``google_mapping`` and the protocol is ``openid``. The identity provider's
remote IDs would be: [``https://accounts.google.com``].
The `remote_id_attribute` value may be set to ``HTTP_OIDC_ISS``, since
this value will always be ``accounts.google.com``.
this value will always be ``https://accounts.google.com``.
The motivation for this approach is that there will always be some data
sent by the identity provider (in the assertion or claim) that uniquely
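Review bot: adding the https:// scheme to the Google remote ID is the right correction, because the value that lands in HTTP_OIDC_ISS is the full Issuer Identifier and the remote ID lookup is an exact string match, so the bare `accounts.google.com` would never match. Worth saying so next to "this value will always be https://accounts.google.com", and adding that the attribute is only called HTTP_OIDC_ISS when OIDCClaimPrefix is set to `OIDC-`, as in the Apache example elsewhere in these docs.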


@ -28,19 +28,18 @@ To install `mod_auth_openidc` on Ubuntu, perform the following:
.. code-block:: bash
sudo apt-get install libapache2-mod-auth-openidc
$ sudo apt-get install libapache2-mod-auth-openidc
This module is available for other distributions (Fedora/CentOS/Red Hat) from:
https://github.com/pingidentity/mod_auth_openidc/releases
In the keystone Apache site file, add the following as a top level option, to
load the `mod_auth_openidc` module:
Enable the auth_openidc module:
.. code-block:: xml
.. code-block:: bash
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
$ sudo a2enmod auth_openidc
Also within the same file, locate the virtual host entry and add the following
In the keystone vhost file, locate the virtual host entry and add the following
entries for OpenID Connect:
.. code-block:: xml
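Review bot: replacing the LoadModule directive with `$ sudo a2enmod auth_openidc` makes this step Debian/Ubuntu-only, while the sentence just above still points Fedora/CentOS/Red Hat users at the upstream releases; those platforms have no a2enmod and load the module with exactly the directive this hunk removes. Keep the removed `LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so` line (with a distribution-appropriate path) as the alternative for non-Debian installs.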
@ -56,9 +55,9 @@ entries for OpenID Connect:
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
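Review bot: dropping the `/redirect` suffix makes OIDCRedirectURI identical to the keystone endpoint that the LocationMatch below protects. mod_auth_openidc documents the redirect URI as a vanity path that must sit under a location the module protects but must not serve real content; the old `.../protocols/oidc/auth/redirect` form satisfied that, the new `.../protocols/openid/auth` form does not, so either verify this against the module version being documented or keep it as `.../protocols/openid/auth/redirect`. The surrounding context also still shows `http://localhost:5000` and `OIDCCryptoPassphrase openstack`; a short note that a real deployment needs an https redirect URI and a random passphrase would stop both from being copied verbatim.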
@ -80,17 +79,18 @@ Once you are done, restart your Apache daemon:
.. code-block:: bash
$ service apache2 restart
$ sudo service apache2 restart
----
Tips
----
1. When creating a mapping, note that the 'remote' attributes will be prefixed,
1. When creating a `mapping`_, note that the 'remote' attributes will be prefixed,
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
typical remote value to check for is: `HTTP_OIDC_ISS`.
2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see
2. Don't forget to add openid as an [auth] plugin in keystone.conf, see
`Configure authentication drivers in keystone.conf`_
.. _`Configure authentication drivers in keystone.conf`: federated_identity.html#configure-authentication-drivers-in-keystone-conf
.. _`mapping`: configure_federation.html#mapping
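Review bot: tip 2 would be more useful with the actual configuration line, since "add openid as an [auth] plugin" can be read as requiring a new section; it is the `methods` list in the existing `[auth]` section, e.g. `methods = password,token,openid`. Tip 1 could also spell out the name conversion: Apache upper-cases the header name, turns `-` into `_` and prepends `HTTP_`, which is how an `OIDC-` prefixed `iss` claim becomes `HTTP_OIDC_ISS`.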


@ -74,17 +74,17 @@ If `mod_auth_openidc` is used, then use the following as an example:
<VirtualHost *:5000>
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso/redirect
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/myidp/protocol/oidc/websso/redirect
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
AuthType openid-connect
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/oidc/websso">
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
AuthType openid-connect
Require valid-user
...
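Review bot: the first redirect URI, `http://localhost:5000/v3/auth/OS-FEDERATION/websso`, is not covered by either Location block below it (the first block matches `websso/openid`), so mod_auth_openidc would not handle the callback there, whereas the second URI does fall under the second block. Either point the generic URI at the protected path (`/v3/auth/OS-FEDERATION/websso/openid`) or explain why it differs. It is also worth checking that two OIDCRedirectURI directives in one VirtualHost are intended: as far as I can tell the directive takes a single value, so the second one overrides the first rather than adding to it.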
@ -159,7 +159,7 @@ It is recommended that this option be set on a per-protocol basis.
[mapped]
remote_id_attribute = Shib-Identity-Provider
[oidc]
[openid]
remote_id_attribute = HTTP_OIDC_ISS
Alternatively, a generic option may be set at the `[federation]` level.
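Review bot: the section name is keystone's protocol id, so `[openid]` only takes effect if the federation protocol was created with that id (`openstack federation protocol create openid ...`); a one-line reminder here would save readers who still have a protocol named `oidc` from a silent mismatch where `remote_id_attribute` is never applied.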
@ -207,9 +207,9 @@ identity backend.
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("oidc", _("OpenID Connect")),
("openid", _("OpenID Connect")),
("mapped", _("Security Assertion Markup Language")),
("myidp_oidc", "Acme Corporation - OpenID Connect"),
("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_mapped", "Acme Corporation - SAML2")
)
@ -226,7 +226,7 @@ protocol endpoint.
.. code-block:: python
WEBSSO_IDP_MAPPING = {
"myidp_oidc": ("myidp", "oidc"),
"myidp_openid": ("myidp", "openid"),
"myidp_mapped": ("myidp", "mapped")
}
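Review bot: the second tuple element is the keystone protocol id, so `openid` here has to match the `[openid]` section and the `protocols/openid` paths in the Apache configuration, and the `myidp_openid` key has to match the entry in WEBSSO_CHOICES; the rename only works if all of these are changed together, which the text should state since the two Horizon settings are presented separately.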