testshib.org is no longer maintained and has been broken for some
time[1]. Use the new samltest.id provider instead.

This is not a permanent solution; this is a stopgap measure until we
configure our own IdP in the devstack plugin.

[1] https://marc.info/?l=shibboleth-users&m=154056288800549&w=2

Change-Id: Ifa514395d9cdb2197ef8a43885ec598483dd7a38

* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
  configurable.
* Copy over an attribute map that includes support for
  keystone as an idp attributes.

bp devstack-plugin

Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7

In order to register the service provider in testshib, we need to upload
its metadata.

Also makes some minor fixes.

Change-Id: Idfe0eb016370e7776de3525a813d0535cfc75e27

In a previous patch, I implemented a Devstack plugin to enable
federation and idp features in keystone. The plugin was to be
configured from environment variables for the idp entityID, metadata,
sp_auth_url, sp_url, etc., providing an endless and untestable matrix
of combinations. Therefore the review was gathering dust waiting for
brave reviewers.

This review extracts the meat of the previous patch and removes all
the configuration options. This plugin now does one thing only: It
installs mod_shibboleth and sets up testshib.org as the IdP for keystone.

While testshib.org will not be used in our functional testing, this
is a necessary first step to make such complex changes more testable,
reproducible and reviewable.

A follow-up patch will install a shibboleth-idp, and either that one,
or a later one, will switch from testshib.org to the local shibboleth.

This plugin will not yet be run as part of the gate, as "enable_service
federation" needs to be added to the Devstack options.

To run, add the following after the lines that set up keystone from a
gerrit review:

    enable_plugin keystone $KEYSTONE_REPO
    enable_service keystone-saml2-federation

Change-Id: I6f7491ff063359d7065c77b00fe5bfc76f8587d6