keystone/doc/source/admin/federation/openidc.rst

Setting Up OpenID Connect

See the Keystone as a Service Provider section (keystone-as-sp) before proceeding with these OpenIDC-specific instructions.

These examples use Google as an OpenID Connect Identity Provider. The Service Provider must be added to the Identity Provider in the Google API console.

Configuring Apache HTTPD for mod_auth_openidc

Note

You are advised to carefully examine the mod_auth_openidc documentation.

Install the Module

Install the Apache module package. For example, on Ubuntu:

# apt-get install libapache2-mod-auth-openidc

The package and module name will differ between distributions.

Configure mod_auth_openidc

In the Apache configuration for the keystone VirtualHost, set the following OIDC options:

OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth

OIDCScope is the list of attributes that the user will authorize the Identity Provider to send to the Service Provider. OIDCClientID and OIDCClientSecret must be generated and obtained from the Identity Provider. OIDCProviderMetadataURL is a URL from which the Service Provider will fetch the Identity Provider's metadata. OIDCRedirectURI is a vanity URL that must point to a protected path that does not have any content, such as an extension of the protected federated auth path.

Note

If using a mod_wsgi version older than 4.3.0, OIDCClaimPrefix must contain only alphanumerics or a dash ("-"), because mod_wsgi of that vintage blocks headers whose names do not meet this criterion.

Configure Protected Endpoints

Configure each protected path to use the openid-connect AuthType:

<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
    Require valid-user
    AuthType openid-connect
</Location>

Do the same for the WebSSO auth paths if using horizon:

<Location /v3/auth/OS-FEDERATION/websso/openid>
    Require valid-user
    AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/google/protocols/openid/websso>
    Require valid-user
    AuthType openid-connect
</Location>

Remember to reload Apache after altering the VirtualHost:

# systemctl reload apache2

Note

When creating mapping rules in keystone, note that the 'remote' attribute names are prefixed with HTTP_. For instance, if you set OIDCClaimPrefix to OIDC-, the remote value to check for the issuer claim is HTTP_OIDC_ISS.
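To make the header-to-attribute naming concrete, here is an added Python example (not keystone's or mod_auth_openidc's own code) that derives the HTTP_ remote attribute name from an OIDCClaimPrefix and claim, checks the prefix against the mod_wsgi < 4.3.0 restriction, and runs a constructed mapping rule pinned to the Google issuer through a simplified evaluator; the group id and the e-mail address are placeholders.

```python
import json
import re

# Constructed mapping rules in the JSON shape keystone accepts; the group
# id is a placeholder. Remote attribute names carry the HTTP_ prefix.
MAPPING_RULES = json.loads("""
{"rules": [{
  "local": [{"user": {"name": "{0}"}},
            {"group": {"id": "PLACEHOLDER_GROUP_ID"}}],
  "remote": [{"type": "HTTP_OIDC_EMAIL"},
             {"type": "HTTP_OIDC_ISS",
              "any_one_of": ["https://accounts.google.com"]}]
}]}
""")

def remote_attr_name(claim_prefix, claim):
    """Name a claim arrives under in keystone: mod_auth_openidc sets the
    request header <prefix><claim>, and the WSGI layer exposes it as
    HTTP_<NAME>, upper-cased with dashes turned into underscores."""
    return "HTTP_" + (claim_prefix + claim).upper().replace("-", "_")

def prefix_safe_for_old_mod_wsgi(claim_prefix):
    """mod_wsgi < 4.3.0 drops headers whose name is not alphanumerics or '-'."""
    return re.fullmatch(r"[A-Za-z0-9-]+", claim_prefix) is not None

def evaluate(rules, environ):
    """Simplified evaluator (not keystone's own): return the local user name
    from the first rule whose remote conditions all match, else None."""
    for rule in rules["rules"]:
        values = []
        for cond in rule["remote"]:
            value = environ.get(cond["type"])
            if value is None:
                break
            if "any_one_of" in cond and value not in cond["any_one_of"]:
                break
            values.append(value)
        else:  # every remote condition matched
            for local in rule["local"]:
                if "user" in local:
                    return local["user"]["name"].format(*values)
    return None

def sample_environ(issuer, email="alice@example.org"):
    """Constructed WSGI environ as it would look with OIDCClaimPrefix 'OIDC-'."""
    return {remote_attr_name("OIDC-", "email"): email,
            remote_attr_name("OIDC-", "iss"): issuer}
```

A request whose iss claim is not the expected issuer yields no user, which is the check that stops an assertion from another provider being mapped onto a local identity.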

Continue configuring keystone
