keystone/doc/source/admin/federation/mellon.rst

Setting Up Mellon

See keystone-as-sp before proceeding with these Mellon-specific instructions.

Configuring Apache HTTPD for mod_auth_mellon

Note

You are advised to carefully examine the mod_auth_mellon documentation.

Follow the steps outlined at: Keystone install guide for SUSE, RedHat or Ubuntu.

Install the Module

Install the Apache module package. For example, on Ubuntu:

# apt-get install libapache2-mod-auth-mellon

The package and module name will differ between distributions.

Configure mod_auth_mellon

Unlike mod_shib, all of mod_auth_mellon's configuration is done in Apache, not in a separate config file. Set up the shared settings in a single <Location> directive near the top in your keystone VirtualHost file, before your protected endpoints:

<Location /v3>
    MellonEnable "info"
    MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
    MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
    MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonEndpointPath /v3/mellon
    MellonIdP "IDP"
</Location>

Configure Protected Endpoints

Configure each protected path to use the Mellon AuthType:

<Location /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth>
    Require valid-user
    AuthType Mellon
    MellonEnable auth
</Location>

Do the same for the WebSSO auth paths if using horizon as a single sign-on frontend:

<Location /v3/auth/OS-FEDERATION/websso/saml2>
    Require valid-user
    AuthType Mellon
    MellonEnable auth
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/samltest/protocols/saml2/websso>
    Require valid-user
    AuthType Mellon
    MellonEnable auth
</Location>

Configure the Mellon Service Provider Metadata

Mellon provides a script called mellon_create_metadata.sh which generates the values for the config directives MellonSPPrivateKeyFile, MellonSPCertFile, and MellonSPMetadataFile. Run the script:

$ ./mellon_create_metadata.sh \
    https://sp.keystone.example.org/mellon \
    http://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth/mellon

The first parameter is used as the entity ID, a URN of your choosing that must uniquely identify the Service Provider to the Identity Provider. The second parameter is the full URL for the endpoint path corresponding to the parameter MellonEndpointPath.

After generating the keypair and metadata, copy the files to the locations given by the MellonSPPrivateKeyFile and MellonSPCertFile settings in your Apache configuration.

Upload the Service Provider's Metadata file that you just generated to your Identity Provider. This is the file used as the value of MellonSPMetadataFile in the config. The IdP may provide a webpage where you can upload the file, or you may be required to submit the file using wget or curl. Please check your IdP documentation for details.
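Before uploading, it is worth confirming that the metadata file agrees with the Apache directives it was generated for: the entityID matches the first script parameter, the AssertionConsumerService sits under the endpoint URL given as the second parameter, and the embedded certificate is the one in MellonSPCertFile. The following check is an added example, not part of the keystone docs or mod_auth_mellon; it assumes the /postResponse suffix that mellon_create_metadata.sh uses for the POST binding, and the certificate and metadata it works on are constructed stand-ins.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the contents of MellonSPCertFile; not a real X.509 certificate.
SP_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
               + "\n-----END CERTIFICATE-----\n")
ENTITY_ID = "https://sp.keystone.example.org/mellon"
ENDPOINT_URL = ("http://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/"
                "samltest/protocols/saml2/auth/mellon")

def pem_body(pem):
    """Base64 payload of a PEM block, the form it takes inside ds:X509Certificate."""
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))

def sp_metadata(entity_id, endpoint_url, cert_pem):
    """Constructed SP metadata in the shape mellon_create_metadata.sh emits (assumption)."""
    return f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{entity_id}">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{pem_body(cert_pem)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="{endpoint_url}/postResponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def check_sp_metadata(metadata_xml, entity_id, endpoint_url, cert_pem):
    """Return the mismatches between the metadata and the Apache settings ([] if consistent)."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    expected_acs = endpoint_url.rstrip("/") + "/postResponse"
    acs = [e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)]
    if expected_acs not in acs:
        problems.append(f"no AssertionConsumerService at {expected_acs!r}; found {acs}")
    # Real metadata wraps the base64 over several lines; strip all whitespace before comparing.
    certs = {re.sub(r"\s+", "", e.text or "") for e in root.findall(".//ds:X509Certificate", NS)}
    if pem_body(cert_pem) not in certs:
        problems.append("metadata certificate does not match MellonSPCertFile")
    return problems

if __name__ == "__main__":
    print(check_sp_metadata(sp_metadata(ENTITY_ID, ENDPOINT_URL, SP_CERT_PEM),
                            ENTITY_ID, ENDPOINT_URL, SP_CERT_PEM))
```

Run it against the real sp-metadata.xml by reading the file into check_sp_metadata along with the values from your VirtualHost; an entityID or endpoint mismatch here is the usual cause of the IdP rejecting or misrouting the SAML response.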

Exchange Metadata

Fetch your Identity Provider's Metadata file and copy it to the path specified by the MellonIdPMetadataFile setting in your Apache configuration.

$ wget -O /etc/apache2/mellon/idp-metadata.xml https://samltest.id/saml/idp

Remember to reload Apache after you finish configuring Mellon:

# systemctl reload apache2

Continue configuring keystone