Merge "Correct and enhance OpenId Connect docs"
commit f89335b09d
doc/source/federation
@ -168,14 +168,14 @@ Provider we will use to authenticate end users:

$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp

The value for the ``remote-id`` option is the Entity ID provided by the IdP,
which can be found as the EntityDescriptor entityID in the IdP's provided
metadata. If the IdP is a keystone IdP, it is the value set in that keystone's
``[saml]/idp_entity_id`` option. It will usually appear as a URI but there is
no requirement for it to resolve to anything and may be arbitrarily decided by
the administrator of the IdP. The local name, here called 'myidp', is decided
by you and will be used by the mapping and protocol, and later for
authentication.
The value for the ``remote-id`` option is the unique identifier provided by the
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
provided metadata. If the IdP is a keystone IdP, it is the value set in that
keystone's ``[saml]/idp_entity_id`` option. For an OpenID Connect IdP, it is
the IdP's Issuer Identifier. It will usually appear as a URI but there is no
requirement for it to resolve to anything and may be arbitrarily decided by the
administrator of the IdP. The local name, here called 'myidp', is decided by
you and will be used by the mapping and protocol, and later for authentication.

A keystone identity provider may have multiple `remote_ids` specified, this
allows the same *keystone* identity provider resource to be used with multiple
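Review bot: typo in the new paragraph, "For a SAML IdP it can found as the EntityDescriptor entityID" should read "it can be found". The sentence kept from the old text, "It will usually appear as a URI but there is no requirement for it to resolve to anything and may be arbitrarily decided by the administrator", is true of a SAML entityID but misleading for the OpenID Connect case this hunk adds: an Issuer Identifier is by definition an https URL and keystone matches it as an exact string against what the IdP sends, so the OIDC sentence is better qualified, e.g. "For an OpenID Connect IdP, it is the IdP's Issuer Identifier exactly as it appears in the `iss` claim of the ID token".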
@ -193,10 +193,10 @@ This removes the need to configure N identity providers in keystone.
`remote_id_attribute` key.

For example, if our identity provider is ``google``, the mapping used is
``google_mapping`` and the protocol is ``oidc``. The identity provider's
remote IDs would be: [``accounts.google.com``].
``google_mapping`` and the protocol is ``openid``. The identity provider's
remote IDs would be: [``https://accounts.google.com``].
The `remote_id_attribute` value may be set to ``HTTP_OIDC_ISS``, since
this value will always be ``accounts.google.com``.
this value will always be ``https://accounts.google.com``.

The motivation for this approach is that there will always be some data
sent by the identity provider (in the assertion or claim) that uniquely
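Review bot: the reason for changing ``accounts.google.com`` to ``https://accounts.google.com`` is not stated and should be, otherwise readers will register the bare host name again: ``HTTP_OIDC_ISS`` carries the ``iss`` claim of the ID token verbatim, and keystone compares the identity provider's remote ID to it as an exact string, scheme included. A clause after "remote IDs would be", such as "which is the ``iss`` value mod_auth_openidc exposes as ``HTTP_OIDC_ISS``", ties the two sentences together and makes the correction self-explanatory.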
@ -28,19 +28,18 @@ To install `mod_auth_openidc` on Ubuntu, perform the following:

.. code-block:: bash

sudo apt-get install libapache2-mod-auth-openidc
$ sudo apt-get install libapache2-mod-auth-openidc

This module is available for other distributions (Fedora/CentOS/Red Hat) from:
https://github.com/pingidentity/mod_auth_openidc/releases

In the keystone Apache site file, add the following as a top level option, to
load the `mod_auth_openidc` module:
Enable the auth_openidc module:

.. code-block:: xml
.. code-block:: bash

LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
$ sudo a2enmod auth_openidc

Also within the same file, locate the virtual host entry and add the following
In the keystone vhost file, locate the virtual host entry and add the following
entries for OpenID Connect:

.. code-block:: xml
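Review bot: ``a2enmod auth_openidc`` only exists on Debian/Ubuntu, yet the paragraph two lines above still points Fedora/CentOS/Red Hat users at the upstream releases, and on those systems the removed ``LoadModule auth_openidc_module ...`` line (with the distribution's module path) is what loads the module. Keep the LoadModule form as the non-Debian alternative, or state that the a2enmod step is Ubuntu-specific, so the section keeps working for the platforms it claims to cover.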
@ -56,9 +55,9 @@ entries for OpenID Connect:
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth

<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
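Review bot: only the redirect URI and its ``<LocationMatch>`` change here, but the example readers copy still ships ``OIDCCryptoPassphrase openstack`` and a plain ``http://localhost:5000`` redirect URI. The passphrase is the key that protects mod_auth_openidc's state and session cookies, so a fixed word taken from documentation defeats it; show a placeholder like ``<random_passphrase>`` in the same style as ``<openid_client_id>``. The redirect URI is where the IdP delivers the authorization code and must match the value registered at the IdP character for character, so add a sentence that it has to be the public ``https://`` host name outside a local test.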
@ -80,17 +79,18 @@ Once you are done, restart your Apache daemon:

.. code-block:: bash

$ service apache2 restart
$ sudo service apache2 restart

----
Tips
----

1. When creating a mapping, note that the 'remote' attributes will be prefixed,
1. When creating a `mapping`_, note that the 'remote' attributes will be prefixed,
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
typical remote value to check for is: `HTTP_OIDC_ISS`.

2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see
2. Don't forget to add openid as an [auth] plugin in keystone.conf, see
`Configure authentication drivers in keystone.conf`_

.. _`Configure authentication drivers in keystone.conf`: federated_identity.html#configure-authentication-drivers-in-keystone-conf
.. _`mapping`: configure_federation.html#mapping
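Review bot: in tip 1 the comma in "will be prefixed, with `HTTP_`" is stray, and the tip would be clearer if it said where the prefix comes from: the claim headers mod_auth_openidc sets are handed to keystone as CGI environment variables, which uppercases the name, turns ``-`` into ``_`` and prepends ``HTTP_``, so ``OIDC-iss`` becomes ``HTTP_OIDC_ISS``. Tip 2 should also say that ``openid`` has to be the same protocol id used in the ``protocols/openid/auth`` URL and the per-protocol config section elsewhere in this change; the ``[auth]`` entry is looked up by that name and a mismatch fails the request.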
@ -74,17 +74,17 @@ If `mod_auth_openidc` is used, then use the following as an example:

<VirtualHost *:5000>

OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso/redirect
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/myidp/protocol/oidc/websso/redirect
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso

...

<Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
AuthType openid-connect
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/oidc/websso">
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
AuthType openid-connect
Require valid-user
...
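Review bot: two ``OIDCRedirectURI`` directives in one ``<VirtualHost>`` (the two new lines at the top of the hunk) cannot both be in force: mod_auth_openidc keeps a single redirect URI per vhost, so the second directive overrides the first and ``/v3/auth/OS-FEDERATION/websso`` is never handled as a redirect target. The module also requires the redirect URI to lie under a location it protects, and the first one does not match the first ``<Location>`` regex (``/websso`` is not ``/websso/openid``), while the second does match its ``<Location>`` exactly. Either show one redirect URI that sits under a protected ``<Location>``, or split the generic and the per-IdP websso setups into two separate examples and say which one is being configured.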
@ -159,7 +159,7 @@ It is recommended that this option be set on a per-protocol basis.

[mapped]
remote_id_attribute = Shib-Identity-Provider
[oidc]
[openid]
remote_id_attribute = HTTP_OIDC_ISS

Alternatively, a generic option may be set at the `[federation]` level.
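Review bot: the per-protocol section name is the protocol id registered in keystone, so ``[openid]`` is only right when the protocol was created as ``openid``, as the ``protocols/openid`` URLs elsewhere in this change assume; a sentence saying the section name follows the protocol id would stop readers with an existing ``oidc`` protocol from copying ``[openid]`` and silently losing ``remote_id_attribute``. It is also worth repeating here that ``HTTP_OIDC_ISS`` presumes ``OIDCClaimPrefix OIDC-`` in the Apache configuration, since this file is read separately from the Apache how-to.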
@ -207,9 +207,9 @@ identity backend.

WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("oidc", _("OpenID Connect")),
("openid", _("OpenID Connect")),
("mapped", _("Security Assertion Markup Language")),
("myidp_oidc", "Acme Corporation - OpenID Connect"),
("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_mapped", "Acme Corporation - SAML2")
)

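Review bot: the ``"openid"`` key is what Horizon puts into the ``/v3/auth/OS-FEDERATION/websso/<protocol>`` URL it sends the browser to, so it must equal the keystone protocol id and the ``<Location>`` path in the Apache example; the rename is consistent with the rest of the change, but since ``"openid"`` and ``"myidp_openid"`` render with near-identical labels, a sentence saying that the first uses the generic websso endpoint and the second the per-IdP ``identity_providers/myidp/protocols/openid/websso`` endpoint would tell readers why both exist.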
@ -226,7 +226,7 @@ protocol endpoint.
.. code-block:: python

WEBSSO_IDP_MAPPING = {
"myidp_oidc": ("myidp", "oidc"),
"myidp_openid": ("myidp", "openid"),
"myidp_mapped": ("myidp", "mapped")
}

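Review bot: the dictionary keys must match the ``WEBSSO_CHOICES`` keys exactly, which the rename keeps consistent, but the second tuple element is what Horizon substitutes into ``identity_providers/myidp/protocols/<protocol>/websso``, so it has to be the keystone protocol id; stating that makes the pairing with the Apache ``<Location>`` lines explicit instead of leaving readers to infer it from the rename.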