Make corrections to the mod_auth_mellon federation documentation for consistency and clarity, including:

- Remove reference to shibboleth.xml when explaining the remote-id attribute in the main federation configuration instructions, as this does not generalize to all IdPs
- Change references from /etc/httpd to /etc/apache2 because the document begins with an apt-get so it follows that the rest of the examples should assume a Debian-like environment
- Change references to example IdP 'idp_1' to 'myidp' for consistency with the shibboleth examples
- Change references to example protocol 'saml2' to 'mapped' since the saml2 auth plugin was removed[1]
- Remove references to wsgi-keystone.conf since devstack just calls it keystone.conf, and enabling this vhost is already covered in the "Running Keystone in HTTPD" section
- Remove reference to the ssl mod: it's obviously recommended but not strictly relevant to this topic
- Remove instruction to restart apache immediately after enabling auth_mellon, as it would fail while Mellon is not yet fully configured. The document already mentions restarting apache after Mellon is configured.
- Add a link to the mellon_create_metadata.sh script, since this does not come as an executable with the mod package.
- Add tip about the SP metadata file generated by mod_auth_mellon
- Move paragraph about fetching the IdP metadata to the end of the section so that the information about generating and uploading the SP metadata is grouped together

[1] https://review.openstack.org/#/c/374508/

Change-Id: I47255db5e762bd2d2901b78afba2b1efa0c0f224
Setup Mellon
Configure Apache HTTPD for mod_auth_mellon
Follow the steps outlined at: Running Keystone in HTTPD.
You'll also need to install the Apache module mod_auth_mellon. For example:
$ apt-get install libapache2-mod-auth-mellon
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
Add this WSGIScriptAlias directive to your public vhost configuration:
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
Make sure your Keystone vhost configuration contains a <Location> directive for the Mellon module and a <Location> directive for each identity provider:

<Location /v3>
    MellonEnable "info"
    MellonSPPrivateKeyFile /etc/apache2/mellon/http_keystone.fqdn.key
    MellonSPCertFile /etc/apache2/mellon/http_keystone.fqdn.cert
    MellonSPMetadataFile /etc/apache2/mellon/http_keystone.fqdn.xml
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
    MellonIdP "IDP"
</Location>

<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth>
    AuthType "Mellon"
    MellonEnable "auth"
</Location>
Note
* See below for information about how to generate the values for the MellonSPPrivateKeyFile, MellonSPCertFile and MellonSPMetadataFile directives.
* mapped is the name of the protocol that you will configure.
* myidp is the name associated with the IdP in Keystone.
* You are advised to carefully examine the mod_auth_mellon Apache configuration documentation.
Enable the auth_mellon module, for example:
$ a2enmod auth_mellon
Configuring the Mellon SP Metadata
Mellon provides a script called mellon_create_metadata.sh which generates a self-signed keypair and the SP metadata, i.e. the files referenced by the config directives MellonSPPrivateKeyFile, MellonSPCertFile, and MellonSPMetadataFile. The script is part of the mod_auth_mellon source tree but is not installed as an executable by the distribution package, so fetch it from the mod_auth_mellon project. It is run like this:
$ ./mellon_create_metadata.sh http://keystone.fqdn:5000 \
http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
The first parameter is used as the entity ID, a unique identifier for this Keystone SP. You do not have to use the URL, but it is an easy way to uniquely identify each Keystone SP. The second parameter is the full URL for the endpoint path corresponding to the MellonEndpointPath directive; use the scheme, host and port the IdP will actually reach, because the IdP posts its response to the AssertionConsumerService location recorded in this metadata, and if that location does not sit under MellonEndpointPath the Mellon handler never sees the assertion. Keep the generated private key readable only by root and the user Apache runs as. Note that the metadata generated by this script includes a signing key but not an encryption key, and your IdP (such as testshib.org) may require an encryption key. Simply change the node <KeyDescriptor use="signing"> to <KeyDescriptor use="encryption"> or add another key to the file. Check your IdP documentation for details.
After generating the keypair and metadata, copy the files to the locations given in the Mellon directives in your apache configs.
Upload the Service Provider's Metadata file which you just generated to your Identity Provider. This is the file used as the value of the MellonSPMetadataFile in the config. The IdP may provide a webpage where you can upload the file, or you may be required to submit the file using wget or curl. Please check your IdP documentation for details. Tip: once Apache is running with the configuration above, Mellon also serves this SP metadata at the metadata endpoint under MellonEndpointPath (http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon/metadata), which is a convenient way to hand it to the IdP operator.
Finally, fetch your Identity Provider's Metadata file and copy it to the path specified by the MellonIdPMetadataFile directive above. This file carries the IdP's signing certificate, which Mellon will trust for every assertion it receives, so fetch it over TLS against a CA you trust and compare the embedded certificate with what the IdP operator publishes. For example (the wget option is --ca-certificate; --cacert is the curl spelling):

$ wget --ca-certificate=/path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
    https://idp.fqdn/idp/saml2/metadata
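The following is an added example, not code from the keystone documentation or from mod_auth_mellon. It checks the two metadata files exchanged in the steps above: that the SP metadata produced by mellon_create_metadata.sh matches the entity ID and MellonEndpointPath used in the vhost, adds an encryption KeyDescriptor when the IdP needs one, and prints the SHA-256 fingerprints of the signing certificates in the fetched IdP metadata so they can be compared out-of-band before Mellon trusts them. Both XML documents embedded below are constructed: the SP one mirrors the shape of the script's output for the URLs on this page, the IdP one (and its entityID https://idp.fqdn/idp) is a minimal stand-in, and the certificate values are placeholders rather than real X.509 DER.

```python
"""Checks on SP and IdP SAML metadata for the Mellon setup described above.

Added example; not part of keystone or mod_auth_mellon. Sample documents and
certificate values are constructed placeholders.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Values from the vhost and script invocation in the documentation above.
ENTITY_ID = "http://keystone.fqdn:5000"
ENDPOINT = ("http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/"
            "myidp/protocols/mapped/auth/mellon")

# Constructed placeholder certificate body (base64 of arbitrary bytes, not DER).
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed sample in the shape of mellon_create_metadata.sh output.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor entityID="{ENTITY_ID}" xmlns="{MD}" xmlns:ds="{DS}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                   AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
                              Location="{ENDPOINT}/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Constructed minimal IdP metadata; the entityID is an assumption.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor entityID="https://idp.fqdn/idp" xmlns="{MD}" xmlns:ds="{DS}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _md(name):
    return f"{{{MD}}}{name}"


def check_sp_metadata(xml_text, entity_id, endpoint):
    """Return a list of problems; empty when the file matches the vhost config."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    uses = {kd.get("use") for kd in sp.findall(_md("KeyDescriptor"))}
    if "signing" not in uses:
        problems.append("no signing KeyDescriptor")
    if "encryption" not in uses:
        problems.append("no encryption KeyDescriptor (some IdPs require one)")
    # The IdP posts its response to this Location; it must sit under
    # MellonEndpointPath or the Mellon handler never sees the assertion.
    acs = [a.get("Location") for a in sp.findall(_md("AssertionConsumerService"))
           if a.get("Binding") == HTTP_POST]
    if not any(loc.startswith(endpoint + "/") for loc in acs):
        problems.append(f"HTTP-POST AssertionConsumerService {acs} is not under {endpoint}")
    return problems


def ensure_encryption_key(xml_text):
    """Advertise the signing certificate for encryption too (the 'add another
    key' option in the text); unchanged if an encryption key is already present."""
    root = ET.fromstring(xml_text)
    sp = root.find(_md("SPSSODescriptor"))
    kds = sp.findall(_md("KeyDescriptor"))
    if any(kd.get("use") == "encryption" for kd in kds):
        return xml_text
    signing = [kd for kd in kds if kd.get("use") == "signing"]
    if not signing:
        raise ValueError("no signing KeyDescriptor to clone")
    enc = copy.deepcopy(signing[0])
    enc.set("use", "encryption")
    sp.insert(list(sp).index(signing[0]) + 1, enc)  # keep schema element order
    return ET.tostring(root, encoding="unicode")


def idp_signing_fingerprints(xml_text):
    """SHA-256 hex fingerprints of the IdP signing certificates, to compare
    out-of-band with what the IdP operator publishes before trusting the file."""
    root = ET.fromstring(xml_text)
    idp = root.find(_md("IDPSSODescriptor"))
    fingerprints = []
    for kd in idp.findall(_md("KeyDescriptor")):
        if kd.get("use") not in (None, "signing"):  # a missing 'use' means both
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints
```

On a real deployment, pass the contents of /etc/apache2/mellon/http_keystone.fqdn.xml to check_sp_metadata with the ENTITY_ID and ENDPOINT you gave the script, write the result of ensure_encryption_key back to that file only if your IdP asks for an encryption key, and run idp_signing_fingerprints over /etc/apache2/mellon/idp-metadata.xml before restarting Apache.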
Once you are done, restart the Apache instance that is serving Keystone, for example:
$ service apache2 restart