67490080db
The keystone federation configuration documentation[1] says that the Contact options are "advisable" to set, but not strictly necessary. However, without this patch, the keystone SAML IdP will generate metadata where one of its tags is malformed: <ns0:SurName /> On a Shibboleth-based keystone SP, shibd will successfully start but fail to retrieve metadata from the IdP, with the message: ERROR OpenSAML.MetadataProvider.XML : metadata instance failed manual validation checking: SurName must have TextContent. Attempting to exchange the SAML assertion will then fail with a 500 error. While it is advisable for the user to set this surname value, it should not be strictly necessary, especially in a developer or proof-of-concept environment. This patch gives the config option a default value, similar to the other [saml]/idp_contact_* default values. [1] http://docs.openstack.org/developer/keystone/configure_federation.html#configuration-options Change-Id: I2742f6b4747f1dc5f5593afae1cfde4e494b7848
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
# Validity window for the assertions keystone issues as a SAML IdP. The
# default of 3600 suggests seconds (one hour) — confirm against the code
# that writes `NotOnOrAfter`. A longer window keeps a captured assertion
# replayable for longer, so treat this as a security-relevant knob.
# NOTE(review): no `min=` bound is set, so a zero or negative value is
# accepted at config-parse time.
assertion_expiration_time = cfg.IntOpt(
    'assertion_expiration_time',
    default=3600,
    help=utils.fmt("""
Determines the lifetime for any SAML assertions generated by keystone, using
`NotOnOrAfter` attributes.
"""))
# Signing helper used to produce the SAML XML signature. The default is a
# bare name which, per the help text, is resolved through keystone's PATH;
# an absolute path pins exactly which binary gets executed and is the
# safer choice on hosts where PATH is not tightly controlled. Only xmlsec1
# is supported, whatever it is called locally.
xmlsec1_binary = cfg.StrOpt(
    'xmlsec1_binary',
    default='xmlsec1',
    help=utils.fmt("""
Name of, or absolute path to, the binary to be used for XML signing. Although
only the XML Security Library (`xmlsec1`) is supported, it may have a
non-standard name or path on your system. If keystone cannot find the binary
itself, you may need to install the appropriate package, use this option to
specify an absolute path, or adjust keystone's PATH environment variable.
"""))
# Public certificate used for SAML signing; the default path comes from
# keystone.conf.constants. The no-comma rule is stated in the help text
# but not explained here — presumably the path is handed to the signing
# command as part of a comma-separated argument; verify against the caller.
certfile = cfg.StrOpt(
    'certfile',
    default=constants._CERTFILE,
    help=utils.fmt("""
Absolute path to the public certificate file to use for SAML signing. The value
cannot contain a comma (`,`).
"""))

# Private key used for SAML signing; same comma restriction as certfile.
# NOTE(review): nothing in this module checks the key file's ownership or
# mode — it should be readable only by the keystone service account, since
# anyone who can read it can mint assertions the SP will trust.
keyfile = cfg.StrOpt(
    'keyfile',
    default=constants._KEYFILE,
    help=utils.fmt("""
Absolute path to the private key file to use for SAML signing. The value cannot
contain a comma (`,`).
"""))
# Entity ID keystone advertises as a SAML IdP. There is no default: the help
# text says a value is required to generate IdP metadata. Length is capped
# at 1024 characters by oslo.config.
idp_entity_id = cfg.URIOpt(
    'idp_entity_id',
    max_length=1024,
    help=utils.fmt("""
This is the unique entity identifier of the identity provider (keystone) to use
when generating SAML assertions. This value is required to generate identity
provider metadata and must be a URI (a URL is recommended). For example:
`https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`.
"""))

# HTTP-POST single sign-on endpoint published in the IdP metadata; also
# required, no default.
# NOTE(review): unlike idp_entity_id this option sets no `max_length`; that
# looks like an inconsistency rather than a deliberate difference.
idp_sso_endpoint = cfg.URIOpt(
    'idp_sso_endpoint',
    help=utils.fmt("""
This is the single sign-on (SSO) service location of the identity provider
which accepts HTTP POST requests. A value is required to generate identity
provider metadata. For example:
`https://keystone.example.com/v3/OS-FEDERATION/saml2/sso`.
"""))
# Language tag for the organization strings below.
idp_lang = cfg.StrOpt(
    'idp_lang',
    default='en',
    help=utils.fmt("""
This is the language used by the identity provider's organization.
"""))

# Organization identity for the IdP. The three defaults below are
# placeholders ("SAML Identity Provider", "OpenStack SAML Identity
# Provider", https://example.com/). The commit message shows the contact
# fields being written verbatim into the generated metadata, and these
# presumably are too, so production deployments should override all of
# them rather than publish example.com in signed metadata.
idp_organization_name = cfg.StrOpt(
    'idp_organization_name',
    default='SAML Identity Provider',
    help=utils.fmt("""
This is the name of the identity provider's organization.
"""))

idp_organization_display_name = cfg.StrOpt(
    'idp_organization_display_name',
    default='OpenStack SAML Identity Provider',
    help=utils.fmt("""
This is the name of the identity provider's organization to be displayed.
"""))

# URIOpt only checks that the value parses as a URI; the help text asks for
# something meaningful to a human reader.
idp_organization_url = cfg.URIOpt(
    'idp_organization_url',
    default='https://example.com/',
    help=utils.fmt("""
This is the URL of the identity provider's organization. The URL referenced
here should be useful to humans.
"""))
# Contact person published in the IdP metadata. Every field carries a
# placeholder default so that the generated metadata is well-formed out of
# the box: per the commit message, leaving the surname unset produced an
# empty <SurName/> element that a Shibboleth SP rejects ("SurName must have
# TextContent") and turned the assertion exchange into a 500. The defaults
# are meant to be overridden by operators; nothing here validates the
# e-mail or telephone format beyond it being a string.
idp_contact_company = cfg.StrOpt(
    'idp_contact_company',
    default='Example, Inc.',
    help=utils.fmt("""
This is the company name of the identity provider's contact person.
"""))

idp_contact_name = cfg.StrOpt(
    'idp_contact_name',
    default='SAML Identity Provider Support',
    help=utils.fmt("""
This is the given name of the identity provider's contact person.
"""))

# Default added so the SurName element is never emitted empty (see above).
idp_contact_surname = cfg.StrOpt(
    'idp_contact_surname',
    default='Support',
    help=utils.fmt("""
This is the surname of the identity provider's contact person.
"""))

idp_contact_email = cfg.StrOpt(
    'idp_contact_email',
    default='support@example.com',
    help=utils.fmt("""
This is the email address of the identity provider's contact person.
"""))

idp_contact_telephone = cfg.StrOpt(
    'idp_contact_telephone',
    default='+1 800 555 0100',
    help=utils.fmt("""
This is the telephone number of the identity provider's contact person.
"""))

# Constrained at config-parse time to the values in `choices`.
idp_contact_type = cfg.StrOpt(
    'idp_contact_type',
    default='other',
    choices=['technical', 'support', 'administrative', 'billing', 'other'],
    help=utils.fmt("""
This is the type of contact that best describes the identity provider's contact
person.
"""))
# Location of the generated IdP metadata document. The help text says it is
# produced by `keystone-manage saml_idp_metadata`; the path is only a
# default here and nothing in this module creates or validates the file.
idp_metadata_path = cfg.StrOpt(
    'idp_metadata_path',
    default='/etc/keystone/saml2_idp_metadata.xml',
    help=utils.fmt("""
Absolute path to the identity provider metadata file. This file should be
generated with the `keystone-manage saml_idp_metadata` command. There is
typically no reason to change this value.
"""))
# Prefix prepended to the RelayState value in ECP assertions. What
# 'ss:mem:' denotes is not shown in this module — presumably an identifier
# the service-provider side expects; confirm with the SP deployment before
# changing it.
relay_state_prefix = cfg.StrOpt(
    'relay_state_prefix',
    default='ss:mem:',
    help=utils.fmt("""
The prefix of the RelayState SAML attribute to use when generating enhanced
client and proxy (ECP) assertions. In a typical deployment, there is no reason
to change this value.
"""))
# Config group name, taken from this module's basename (presumably "saml",
# matching the [saml] section named in the commit message).
GROUP_NAME = __name__.rpartition('.')[2]

# Every option this module owns, in declaration order. list_opts() hands
# this list out as-is, so the order here is the order consumers see.
ALL_OPTS = [
    # assertion lifetime and signing material
    assertion_expiration_time, xmlsec1_binary, certfile, keyfile,
    # identity provider endpoints
    idp_entity_id, idp_sso_endpoint,
    # organization metadata
    idp_lang, idp_organization_name, idp_organization_display_name,
    idp_organization_url,
    # contact metadata
    idp_contact_company, idp_contact_name, idp_contact_surname,
    idp_contact_email, idp_contact_telephone, idp_contact_type,
    # metadata file location and ECP relay state
    idp_metadata_path, relay_state_prefix,
]
def register_opts(conf):
    """Register every option in ALL_OPTS on *conf* under GROUP_NAME.

    *conf* is expected to expose oslo.config's ``register_opts`` method.
    """
    group = GROUP_NAME
    options = ALL_OPTS
    conf.register_opts(options, group=group)
def list_opts():
    """Return this module's options as a {group_name: [options]} mapping."""
    by_group = {}
    by_group[GROUP_NAME] = ALL_OPTS
    return by_group