17ac571e7a
This patch adds the ability to configure Keystone as a Service Provider (SP) for a Federated Identity Provider (IdP). * New variables to configure Keystone as a service provider are now supported under a root `keystone_sp` variable. Example configurations can be seen in Keystone's defaults file. This configuration includes the list of identity providers and trusted dashboards. (At this time only one identity provider is supported). * Identity provider configuration includes the remote-to-local user mapping and the list of remote attributes the SP can obtain from the IdP. * Shibboleth is installed and configured in the Keystone containers when SP configuration is present. * Horizon is configured for SSO login DocImpact UpgradeImpact Implements: blueprint keystone-federation Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6 Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
64 lines
2.8 KiB
Django/Jinja
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The below default attributes are standard for a Shibboleth
Identity Provider and will likely work with many other
standard SAML2 Identity Providers.
-->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID" id="targeted-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!--
The following attributes have been configured through Ansible.
-->
{% for idp in keystone_sp.trusted_idp_list %}
{% if idp.protocols is defined %}
{% for protocol in idp.protocols %}
{% if protocol.name == "saml2" and protocol.attributes is defined %}
{% for attr in protocol.attributes %}
<Attribute{% for k in attr %} {{ k }}="{{ attr[k] }}"{% endfor %}/>
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
</Attributes>
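Review bot: The deployer-supplied attribute values on the `<Attribute{% for k in attr %} {{ k }}="{{ attr[k] }}"{% endfor %}/>` line are written into attribute-map.xml without XML escaping, so a value containing `"`, `&` or `<` either yields a map that fails to parse when shibd loads it or terminates the attribute early and changes which SAML attributes the SP accepts. Because this file decides which IdP assertions become local attributes for the Keystone mapping, a silently altered accepted set is worth guarding against even though the values come from the inventory rather than from a remote party. Apply Jinja's escape filter, `{{ k }}="{{ attr[k] | e }}"`, and document the expected shape above the loop, e.g. `{# each attr is a dict of XML attributes for one Shibboleth Attribute element; name and id are required #}`. The loop is complete within this section.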