4 Commits

Author SHA1 Message Date
Colleen Murphy
e4fe2659c4 Switch devstack plugin to samltest.id
testshib.org is no longer maintained and has been broken for some
time[1]. Use the new samltest.id provider instead.

This is not a permanent solution, this is a stopgap measure until we
configure our own IdP in the devstack plugin.

[1] https://marc.info/?l=shibboleth-users&m=154056288800549&w=2

Change-Id: Ifa514395d9cdb2197ef8a43885ec598483dd7a38
2018-11-06 23:02:36 +01:00
Kristi Nikolla
1394b0c6b1 Make the devstack plugin more configurable for federation
* In shibboleth2.xml make the ENTITY_ID and METADATA_URL
  configurable.
* Copy over an attribute map that includes support for
  keystone as an idp attributes.

bp devstack-plugin

Change-Id: I40157b00e5d084dcc6bb5b1f4be7d9cd3a8a0fc7
2017-07-17 16:38:08 -04:00
Rodrigo Duarte Sousa
bd37276b5b Upload service provider metadata to testshib
In order to register the service provider in testshib, we need to upload
its metadata.

Also makes some minor fixes.

Change-Id: Idfe0eb016370e7776de3525a813d0535cfc75e27
2016-11-28 23:44:01 -03:00
Kristi Nikolla
fbafc06ac6 Devstack plugin to federate with testshib.org
In a previous patch, I implemented a Devstack plugin to enable
federation and idp features in keystone. The plugin was to be
configured from environment variables for the idp entityID, metadata,
sp_auth_url, sp_url, etc. Providing an endless and untestable matrix
of combinations. Therefore the review was gathering dust waiting for
brave reviewers.

This review extracts the meat of the previous patch and removes all
the configuration options. This plugin now does one thing only: It
installs mod_shibboleth and sets up testshib.org as the IdP for keystone.

While testshib.org will not be used in our functional testing, this
is a necessary first step to make such complex changes more testable,
reproducible and reviewable.

A follow-up patch will install a shibboleth-idp, and either that one,
or a later one, will switch from testshib.org to the local shibboleth.

This plugin will not yet be run as part of the gate, as "enable_service
federation" needs to be added to the Devstack options.

To run, add the following after the lines that set up keystone from a
gerrit review:

enable_plugin keystone $KEYSTONE_REPO
enable_service keystone-saml2-federation

Change-Id: I6f7491ff063359d7065c77b00fe5bfc76f8587d6
2016-11-17 13:54:42 -05:00