openstack-ansible/doc/source/install-guide/configure-federation-sp.rst

Home OpenStack-Ansible Installation Guide

Configure Identity Service (keystone) as a federated service provider

The following settings must be set to configure a service provider (SP):

1. keystone_public_endpoint automatically set by default to the public endpoint's URI. This ensures that the redirections performed and token references all refer to the public endpoint which is accessible to clients and the trusted IDP.

2. horizon_keystone_endpoint automatically set by default to the public v3 API endpoint URL for keystone. Web-based single sign-on for horizon requires the use of the keystone v3 API. The value for this must use the same DNS name or IP address which is registered in the SSL certificate used for the endpoint.

3. If ADFS is to be used as the IdP, the keystone endpoint is required to have an HTTPS public endpoint. The endpoint may either be provided by keystone itself, or by an SSL offloading load balancer.

4. keystone_service_publicuri_proto must be set to https in order to ensure that the public endpoint is registered with https in the URL, to ensure that keystone publishes https in its references and to ensure that Shibboleth is configured to know that it should expect SSL URL's in the assertions (otherwise it will invalidate the assertions).

5. ADFS requires that a trusted SP have a trusted certificate that is not self-signed. This means that the certificate used for keystone must either be signed by a public CA, or an enterprise CA.

6. When using SSL for the keystone endpoint, the endpoint URI and the certificate must match. For example, if the certificate does not have the IP address of the endpoint, then the endpoint must be published with the appropriate name registered on the certificate. When using a DNS name for the keystone endpoint, both keystone_public_endpoint and horizon_keystone_endpoint must be set to use the DNS name.

7. horizon_endpoint_type must be set to publicURL to ensure that Horizon makes use of the public endpoint for all its references and queries.

8. keystone_sp is a dictionary attribute which contains various settings that describe both the SP and the IDP's it trusts. For example:

   keystone_sp:
     cert_duration_years: 5
     trusted_dashboard_list:
       - "https://{{ external_lb_vip_address }}/auth/websso/"
     trusted_idp_list:
       - name: 'testshib-idp'
         entity_ids:
           - 'https://idp.testshib.org/idp/shibboleth'
         metadata_uri: 'http://www.testshib.org/metadata/testshib-providers.xml'
         metadata_file: 'metadata-testshib-idp.xml'
         metadata_reload: 1800
         federated_identities:
           - domain: Default
             project: fedproject
             group: fedgroup
             role: _member_
         protocols:
           - name: saml2
             mapping:
               name: testshib-idp-mapping
               rules:
                 - remote:
                     - type: eppn
                   local:
                     - group:
                         name: fedgroup
                         domain:
                           name: Default
                     - user:
                         name: '{0}'

9. cert_duration_years designates the valid duration for the SP's signing certificate (for example, /etc/shibboleth/sp-key.pem).

10. trusted_dashboard_list designates the list of trusted URLs from which keystone will accept redirects for Web Single-Sign. This list should contain all URLs that horizon is presented on, suffixed by /auth/websso/ which is the path for horizon's WebSSO component.

11. trusted_idp_list is a dictionary attribute containing the list of settings which pertain to each trusted IdP for the SP.

12. trusted_idp_list.name is the name by which the IDP is known, is configured in keystone and is listed in horizon's login selection.

13. entity_ids is a list of reference entity IDs which specify where the login request to the SP will be redirected to in order to authenticate to the IdP.

14. metadata_uri is the location of the IdP's metadata which provides the SP with the signing key and all the IdP's supported endpoints.

15. metadata_file is the file name of the local cached version of the metadata which will be stored in /var/cache/shibboleth/.

16. metadata_reload is the number of seconds between metadata refresh polls.

17. federated_identities is a list of domain, project, group and users which are to be mapped. See Configure Identity Service (keystone) Domain-Project-Group-Role mappings for more information.

18. protocols is a list of protocols supported for the IdP and the set of mappings and attributes for each protocol. Only the protocol with the name saml2 is supported at this time.

19. mapping is the local to remote mapping configuration for federated users. For more information, see Configure Identity Service (keystone) Domain-Project-Group-Role mappings.

---