Federation mellon support Web Single Sign-On (SSO)
When configuring federation using mellon it should be possible to also set up Web Single Sign-On (SSO) according to: http://docs.openstack.org/developer/keystone/federation/websso.html Closes-Bug: #1655620 Change-Id: I340b3a86f6870ea3b9240b4d4f69e33dde004868
This commit is contained in:
parent
dbb4c3c8ce
commit
73d7194a60
|
@ -46,15 +46,28 @@
|
|||
# accepts latest or specific versions.
|
||||
# Defaults to present.
|
||||
#
|
||||
# [*enable_websso*]
|
||||
# (optional) Wheater or not to enable Web Single Sign-On (SSO)
|
||||
# Defaults to false
|
||||
#
|
||||
# [*trusted_dashboards*]
|
||||
# (optional) URL list of trusted horizon servers.
|
||||
# This setting ensures that keystone only sends token data back to trusted
|
||||
# servers. This is performed as a precaution, specifically to prevent man-in-
|
||||
# the-middle (MITM) attacks.
|
||||
# Defaults to undef
|
||||
#
|
||||
class keystone::federation::mellon (
|
||||
$methods,
|
||||
$idp_name,
|
||||
$protocol_name,
|
||||
$admin_port = false,
|
||||
$main_port = true,
|
||||
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$admin_port = false,
|
||||
$main_port = true,
|
||||
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
||||
$template_order = 331,
|
||||
$package_ensure = present,
|
||||
$enable_websso = false,
|
||||
$trusted_dashboards = undef,
|
||||
) {
|
||||
|
||||
include ::apache
|
||||
|
@ -81,6 +94,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
|||
|
||||
validate_bool($admin_port)
|
||||
validate_bool($main_port)
|
||||
validate_bool($enable_websso)
|
||||
|
||||
if( !$admin_port and !$main_port){
|
||||
fail('No VirtualHost port to configure, please choose at least one.')
|
||||
|
@ -91,6 +105,16 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
|||
'auth/saml2': value => $module_plugin;
|
||||
}
|
||||
|
||||
if($enable_websso){
|
||||
if( !trusted_dashboards){
|
||||
fail('No trusted dashboard specified, please add at least one.')
|
||||
}
|
||||
keystone_config {
|
||||
'mapped/remote_id_attribute': value => 'MELLON_IDP';
|
||||
'federation/trusted_dashboard': value => join(any2array($trusted_dashboards),',');
|
||||
}
|
||||
}
|
||||
|
||||
ensure_packages([$::keystone::params::mellon_package_name], {
|
||||
ensure => $package_ensure,
|
||||
tag => 'keystone-support-package',
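Review bot: The guard `if( !trusted_dashboards){` inside the `if($enable_websso){` block tests the bare word `trusted_dashboards` (a non-empty string literal, hence always truthy) rather than the parameter `$trusted_dashboards`, so the `fail('No trusted dashboard specified, ...')` can never fire and an undef value reaches `join(any2array($trusted_dashboards),',')`, leaving `federation/trusted_dashboard` empty — the very redirect-target allowlist the header comment describes as the precaution against token leakage to untrusted servers. Change it to `if( !$trusted_dashboards){`; since the parameter is documented as a URL list, also consider rejecting an empty array, e.g. `if( empty(any2array($trusted_dashboards))){`. The parameter documentation also has a typo; it should read `# (optional) Whether or not to enable Web Single Sign-On (SSO)`. The class body continues past the end of these hunks.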
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- Federation mellon support Web Single Sign-On (SSO)
|
||||
When configuring federation using mellon enable setup of Web Single
|
||||
Sign-On.
|
|
@ -89,6 +89,33 @@ describe 'keystone::federation::mellon' do
|
|||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
|
||||
context 'with websso enabled' do
|
||||
before do
|
||||
params.merge!({
|
||||
:enable_websso => true,
|
||||
:trusted_dashboards => [
|
||||
'http://acme.horizon.com/auth/websso/',
|
||||
'http://beta.horizon.com/auth/websso/',
|
||||
],
|
||||
})
|
||||
end
|
||||
|
||||
it 'should have basic params for mellon in Keystone configuration' do
|
||||
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
|
||||
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
|
||||
end
|
||||
|
||||
it 'should have parameters for websso in Keystone configuration' do
|
||||
is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP')
|
||||
is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
|
||||
end
|
||||
|
||||
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
|
||||
:target => "10-keystone_wsgi_main.conf",
|
||||
:order => params[:template_order],
|
||||
})}
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
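Review bot: The new `'with websso enabled'` context only exercises the happy path where `:trusted_dashboards` is supplied, so the negative branch in the manifest (`fail('No trusted dashboard specified, ...')` when websso is enabled without dashboards) is untested, and a defect in that guard would pass this suite silently. Add a sibling context that enables websso without dashboards and expects catalog compilation to fail, as below. The enclosing `describe` continues outside the hunk.
```ruby
context 'with websso enabled and no trusted dashboards' do
  before do
    params.merge!({ :enable_websso => true })
  end

  it { is_expected.to raise_error(Puppet::Error, /No trusted dashboard specified/) }
end
```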
|
||||
|
|
|
@ -14,3 +14,16 @@
|
|||
AuthType "Mellon"
|
||||
MellonEnable "auth"
|
||||
</Location>
|
||||
|
||||
<% if @enable_websso -%>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::mellon::idp_name']-%>/protocols/mapped/websso">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
</Location>
|
||||
<% end -%>
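Review bot: The two new `<Location ~ ...>` blocks write `AuthType Mellon` and `MellonEnable auth` unquoted, while the existing block just above them uses `AuthType "Mellon"` and `MellonEnable "auth"`; both forms are accepted by Apache, but the file should pick one, e.g. `AuthType "Mellon"` / `MellonEnable "auth"` to match. The IdP name is read via `scope['keystone::federation::mellon::idp_name']` although `@enable_websso` is read as an instance variable on the previous lines; if the template is rendered in the class scope, `@idp_name` would be the consistent form — confirm how the fragment is evaluated before changing it. Note also that the name is interpolated into a regex `Location ~` match without escaping, so an IdP name containing regex metacharacters would match more paths than intended; a comment such as `<%# idp_name is used inside a regex match; keep it free of regex metacharacters -%>` would document that assumption.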
|
||||
|
|