As per discussion in the OSA docs summit session, clean up of installation guide. This fixes typos, minor RST markup changes, and passive voice. This patch also merges some of the sections into the larger chapter. This is in an effort to remove multiple smaller files. This patch is the first of many to avoid major conflicts. Change-Id: I38daa515ba47fde7719cd0bd3e0e40c2cd0f39f1
Configure Identity service (keystone) as a federated identity provider
The Identity Provider (IdP) configuration for keystone provides a
dictionary attribute with the key keystone_idp. The
following is a complete example:
    keystone_idp:
      certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
      keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
      self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
      regen_cert: false
      idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
      idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
      idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
      service_providers:
        - id: "sp_1"
          auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
          sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
      organization_name: example_company
      organization_display_name: Example Corp.
      organization_url: example.com
      contact_company: example_company
      contact_name: John
      contact_surname: Smith
      contact_email: jsmith@example.com
      contact_telephone: 555-55-5555
      contact_type: technical
The following list is a reference of allowed settings:
certfile
    Defines the location and filename of the SSL certificate that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.

keyfile
    Defines the location and filename of the SSL private key that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.

self_signed_cert_subject
    The subject in the SSL signing certificate. The common name of the certificate must match the hostname configuration in the service provider(s) for this IdP.

regen_cert
    By default set to ``false``. When set to ``true``, the next Ansible run replaces the existing signing certificate with a new one. This setting is a convenience mechanism to renew a certificate when it is close to its expiration date.

idp_entity_id
    The entity ID. The service providers use this as a unique identifier for each IdP. ``<keystone-public-endpoint>/OS-FEDERATION/saml2/idp`` is the recommended value for this setting.

idp_sso_endpoint
    The single sign-on endpoint for this IdP. ``<keystone-public-endpoint>/OS-FEDERATION/saml2/sso`` is the recommended value for this setting.

idp_metadata_path
    The location and filename where the metadata for this IdP is cached. The keystone system user must have access to this location.

service_providers
    A list of the known service providers (SP) that use the keystone instance as identity provider. For each SP, provide three values: ``id`` as a unique identifier, ``auth_url`` as the authentication endpoint of the SP, and ``sp_url`` as the endpoint for posting SAML2 assertions.

organization_name, organization_display_name, organization_url, contact_company, contact_name, contact_surname, contact_email, contact_telephone and contact_type
    Settings that describe the identity provider. These settings are all optional.
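The rules in the reference list above (required keys, the recommended entity ID and SSO endpoint suffixes, the certificate CN matching the IdP hostname, and the three required values per service provider) are easy to get wrong in a hand-edited variable file. The following pre-flight validator is an added example, not code from the OpenStack-Ansible project: it takes the ``keystone_idp`` dictionary after Jinja rendering and reports every violation it finds before a playbook run consumes it. The sample configuration is constructed; ``keystone.example.com`` stands in for the rendered value of ``external_lb_vip_address`` and ``keystone_service_publicurl_v3``, and the check that the certificate CN equals the host of ``idp_entity_id`` is this example's interpretation of the "common name must match the hostname" rule.

```python
"""Pre-flight validation of a rendered keystone_idp dictionary (added example)."""
from urllib.parse import urlparse

REQUIRED_TOP_LEVEL = (
    "certfile", "keyfile", "self_signed_cert_subject", "regen_cert",
    "idp_entity_id", "idp_sso_endpoint", "idp_metadata_path", "service_providers",
)
REQUIRED_PER_SP = ("id", "auth_url", "sp_url")
RECOMMENDED_ENTITY_SUFFIX = "/OS-FEDERATION/saml2/idp"
RECOMMENDED_SSO_SUFFIX = "/OS-FEDERATION/saml2/sso"

# Constructed sample: the page's example with the Jinja variables rendered.
EXAMPLE_CONFIG = {
    "certfile": "/etc/keystone/ssl/idp_signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/idp_signing_key.pem",
    "self_signed_cert_subject": "/C=US/ST=Texas/L=San Antonio/O=IT/CN=keystone.example.com",
    "regen_cert": False,
    "idp_entity_id": "https://keystone.example.com:5000/v3/OS-FEDERATION/saml2/idp",
    "idp_sso_endpoint": "https://keystone.example.com:5000/v3/OS-FEDERATION/saml2/sso",
    "idp_metadata_path": "/etc/keystone/saml2_idp_metadata.xml",
    "service_providers": [
        {
            "id": "sp_1",
            "auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth",
            "sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP",
        }
    ],
}


def subject_common_name(subject):
    """Return the CN from an OpenSSL-style subject ('/C=US/.../CN=host'), or None."""
    for component in subject.strip("/").split("/"):
        name, sep, value = component.partition("=")
        if sep and name.strip() == "CN":
            return value.strip()
    return None


def validate_keystone_idp(cfg):
    """Return a list of human-readable problems; an empty list means the config passes."""
    missing = [key for key in REQUIRED_TOP_LEVEL if key not in cfg]
    if missing:
        return [f"missing required key: {key}" for key in missing]

    problems = []
    if not isinstance(cfg["regen_cert"], bool):
        problems.append("regen_cert must be a boolean (true only when you intend to replace the signing cert)")

    entity_id, sso_endpoint = cfg["idp_entity_id"], cfg["idp_sso_endpoint"]
    if not entity_id.endswith(RECOMMENDED_ENTITY_SUFFIX):
        problems.append(f"idp_entity_id should end with {RECOMMENDED_ENTITY_SUFFIX}")
    if not sso_endpoint.endswith(RECOMMENDED_SSO_SUFFIX):
        problems.append(f"idp_sso_endpoint should end with {RECOMMENDED_SSO_SUFFIX} (check for a stray trailing character)")

    # Assumption of this example: SPs expect the CN to be the host of the IdP's public endpoint.
    cn = subject_common_name(cfg["self_signed_cert_subject"])
    idp_host = urlparse(entity_id).hostname
    if cn is None:
        problems.append("self_signed_cert_subject has no CN component")
    elif idp_host and cn.lower() != idp_host:
        problems.append(f"certificate CN {cn!r} does not match IdP hostname {idp_host!r}")

    providers = cfg["service_providers"]
    if not isinstance(providers, list) or not providers:
        problems.append("service_providers must be a non-empty list")
        return problems

    seen_ids = set()
    for index, sp in enumerate(providers):
        label = sp.get("id", f"service_providers[{index}]")
        for key in REQUIRED_PER_SP:
            if key not in sp:
                problems.append(f"{label}: missing {key}")
        if sp.get("id") in seen_ids:
            problems.append(f"{label}: duplicate id")
        seen_ids.add(sp.get("id"))
        # SAML assertions travel over these URLs, so flag anything that is not https.
        for url_key in ("auth_url", "sp_url"):
            url = sp.get(url_key)
            if url and urlparse(url).scheme != "https":
                problems.append(f"{label}: {url_key} should use https")
    return problems


if __name__ == "__main__":
    for problem in validate_keystone_idp(EXAMPLE_CONFIG) or ["keystone_idp: no problems found"]:
        print(problem)
```

Run it against a rendered copy of the variable (for example the output of ``ansible -m debug -a "var=keystone_idp"`` loaded into a dictionary) before applying the playbooks; a trailing ``>`` on the SSO endpoint, a CN that does not match the IdP host, or a service provider missing ``sp_url`` each show up as a separate line.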