8.5 KiB
Setting up Shibboleth
See keystone-as-sp
before proceeding with these Shibboleth-specific instructions.
Note
The examples below are for Ubuntu 16.04, for which only version 2 of the Shibboleth Service Provider is available. Version 3 is available for other distributions and the configuration should be identical to version 2.
Configuring Apache HTTPD for mod_shib
Note
You are advised to carefully examine the mod_shib Apache configuration documentation.
Configure keystone under Apache, following the steps in the install guide for SUSE, RedHat or Ubuntu.
Install the Module
Install the Apache module package. For example, on Ubuntu:
# apt-get install libapache2-mod-shib2
The package and module name will differ between distributions.
Configure Protected Endpoints
In the Apache configuration for the keystone VirtualHost, set an
additional <Location>
which is not part of keystone's
API:
<Location /Shibboleth.sso>
shib
SetHandler</Location>
If you are using mod_proxy
, for example to proxy
requests to the /identity
path to keystone's UWSGI service,
you must exempt this Shibboleth endpoint from it:
Shibboleth.sso ! Proxypass
Configure each protected path to use the shibboleth
AuthType:
<Location /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth>
valid-user
RequireAuthType shibboleth
ShibRequestSetting requireSession 1
ShibExportAssertion off<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On</IfVersion>
</Location>
Do the same for the WebSSO auth paths if using horizon as a single sign-on frontend:
<Location /v3/auth/OS-FEDERATION/websso/saml2>
valid-user
RequireAuthType shibboleth
ShibRequestSetting requireSession 1
ShibExportAssertion off<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On</IfVersion>
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/samltest/protocols/saml2/websso>
valid-user
RequireAuthType shibboleth
ShibRequestSetting requireSession 1
ShibExportAssertion off<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On</IfVersion>
</Location>
Remember to reload Apache after altering the VirtualHost:
# systemctl reload apache2
Configuring mod_shib
Note
You are advised to examine Shibboleth Service Provider Configuration documentation
Generate a keypair
For all SAML Service Providers, a PKI key pair must be generated and
exchanged with the Identity Provider. The mod_shib
package
on the Ubuntu distribution provides a utility to generate the key
pair:
# shib-keygen -y <number of years>
which will generate a key pair under /etc/shibboleth
. In
other cases, the package might generate the key pair automatically upon
installation.
Configure metadata
mod_shib
also has its own configuration file at
/etc/shibboleth/shibboleth2.xml
that must be altered, as
well as its own daemon. First, give the Service Provider an entity ID.
This is a URN that you choose that must be globally unique to the
Identity Provider:
ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth"
< REMOTE_USER="eppn persistent-id targeted-id">
Depending on your Identity Provider, you may also want to change the REMOTE_USER setting, more on that in a moment.
Set the entity ID of the Identity Provider (this is the same as the
value you provided for --remote-id
in Identity Provider):
SSO entityID="https://samltest.id/saml/idp"> <
Additionally, if you want to enable ECP (required for Keystone-to-Keystone), the SSO tag for this entity must also have the ECP flag set:
SSO entityID="https://samltest.id/saml/idp" ECP="true"> <
Tell Shibboleth where to find the metadata of the Identity Provider. You could either tell it to fetch it from a URI or point it to a local file. For example, pointing to a local file:
MetadataProvider type="XML" file="/etc/shibboleth/samltest-metadata.xml" /> <
or pointing to a remote location:
MetadataProvider type="XML" url="https://samltest.id/saml/idp"
< backingFile="samltest-metadata.xml" />
When you are finished configuring shibboleth2.xml
,
restart the shibd
daemon:
# systemctl restart shibd
Check the shibd
logs in
/var/log/shibboleth/shibd.log
and
/var/log/shibboleth/shibd_warn.log
for errors or
warnings.
Configure allowed attributes
Note
For more information see the attributes documentation
By default, mod_shib
does not pass all attributes
received from the Identity Provider to keystone. If your Identity
Provider does not use attributes known to shibd
, you must
configure them. For example, samltest.id
uses a custom UID attribute. It is not discoverable in the Identity
Provider metadata, but the attribute name and type is logged in the
mod_shib
logs when an authentication attempt is made. To
allow the attribute, add it to
/etc/shibboleth/attribute-map.xml
:
Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid" /> <
You may also want to use that attribute as a value for the
REMOTE_USER
variable, which will make the
REMOTE_USER
variable usable as a parameter to your mapping
rules. To do so, add it to
/etc/shibboleth/shibboleth2.xml
:
ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth"
< REMOTE_USER="uid">
Similarly, if using keystone as your Identity Provider, several
custom attributes will be needed in
/etc/shibboleth/attribute-map.xml
:
Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/> <
And update the REMOTE_USER
variable in
/etc/shibboleth/shibboleth2.xml
if desired:
ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth"
< REMOTE_USER="openstack_user">
Restart the shibd
daemon after making these changes:
# systemctl restart shibd
Exchange Metadata
Once configured, the Service Provider metadata is available to download:
# wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
Upload your Service Provider's metadata to your Identity Provider. This step depends on your Identity Provider choice and is not covered here. If keystone is your Identity Provider you do not need to upload this file.