diff --git a/manifests/federation/mellon.pp b/manifests/federation/mellon.pp
index f6cfc86a9..670319680 100644
--- a/manifests/federation/mellon.pp
+++ b/manifests/federation/mellon.pp
@@ -46,15 +46,28 @@
# accepts latest or specific versions.
# Defaults to present.
#
+# [*enable_websso*]
+# (optional) Wheater or not to enable Web Single Sign-On (SSO)
+# Defaults to false
+#
+# [*trusted_dashboards*]
+# (optional) URL list of trusted horizon servers.
+# This setting ensures that keystone only sends token data back to trusted
+# servers. This is performed as a precaution, specifically to prevent man-in-
+# the-middle (MITM) attacks.
+# Defaults to undef
+#
class keystone::federation::mellon (
$methods,
$idp_name,
$protocol_name,
- $admin_port = false,
- $main_port = true,
- $module_plugin = 'keystone.auth.plugins.mapped.Mapped',
- $template_order = 331,
- $package_ensure = present,
+ $admin_port = false,
+ $main_port = true,
+ $module_plugin = 'keystone.auth.plugins.mapped.Mapped',
+ $template_order = 331,
+ $package_ensure = present,
+ $enable_websso = false,
+ $trusted_dashboards = undef,
) {
include ::apache
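Review bot: The new `trusted_dashboards` doc does not say what the list is compared against or that the entries must be https, yet the MITM sentence only holds if they are; keystone sends the token back to the matched dashboard URL, so a plain-http entry hands the token over in the clear. I would document it as `# (optional) List of horizon websso URLs (e.g. https://horizon.example.com/auth/websso/) keystone may send token data to. Use https and match the URL the dashboard sends as its origin exactly; an undef list disables websso.` Separately, `enable_websso` has a typo, `Wheater` → `Whether`. The class body continues past this hunk.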
@@ -81,6 +94,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
validate_bool($admin_port)
validate_bool($main_port)
+ validate_bool($enable_websso)
if( !$admin_port and !$main_port){
fail('No VirtualHost port to configure, please choose at least one.')
@@ -91,6 +105,16 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
'auth/saml2': value => $module_plugin;
}
+ if($enable_websso){
+ if( !trusted_dashboards){
+ fail('No trusted dashboard specified, please add at least one.')
+ }
+ keystone_config {
+ 'mapped/remote_id_attribute': value => 'MELLON_IDP';
+ 'federation/trusted_dashboard': value => join(any2array($trusted_dashboards),',');
+ }
+ }
+
ensure_packages([$::keystone::params::mellon_package_name], {
ensure => $package_ensure,
tag => 'keystone-support-package',
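Review bot: The guard `if( !trusted_dashboards){` is missing the `$` sigil, so it tests the bareword string `'trusted_dashboards'`, which is truthy; the `fail()` can never fire and websso can be enabled with `$trusted_dashboards` undef, writing an empty `federation/trusted_dashboard` and leaving the operator with no hint why every websso origin is rejected. It should read `if !$trusted_dashboards {`. I would also reject an empty array there, since `any2array([])` joins to the same empty string. One thing to verify against the target keystone release: in the versions I know, `trusted_dashboard` is a multi-valued option (one `trusted_dashboard = URL` line per entry), in which case the comma-joined single line is stored as one literal string and a two-dashboard list matches neither origin.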
diff --git a/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml b/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml
new file mode 100644
index 000000000..b37f3e456
--- /dev/null
+++ b/releasenotes/notes/mellon-websso-support-8c367e5b732ffbf3.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Federation mellon support Web Single Sign-On (SSO)
+ When configuring federation using mellon enable setup of Web Single
+ Sign-On.
diff --git a/spec/classes/keystone_federation_mellon_spec.rb b/spec/classes/keystone_federation_mellon_spec.rb
index 05802552c..40bf50772 100644
--- a/spec/classes/keystone_federation_mellon_spec.rb
+++ b/spec/classes/keystone_federation_mellon_spec.rb
@@ -89,6 +89,33 @@ describe 'keystone::federation::mellon' do
:order => params[:template_order],
})}
end
+
+ context 'with websso enabled' do
+ before do
+ params.merge!({
+ :enable_websso => true,
+ :trusted_dashboards => [
+ 'http://acme.horizon.com/auth/websso/',
+ 'http://beta.horizon.com/auth/websso/',
+ ],
+ })
+ end
+
+ it 'should have basic params for mellon in Keystone configuration' do
+ is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
+ is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
+ end
+
+ it 'should have parameters for websso in Keystone configuration' do
+ is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP')
+ is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
+ end
+
+ it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
+ :target => "10-keystone_wsgi_main.conf",
+ :order => params[:template_order],
+ })}
+ end
end
on_supported_os({
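Review bot: The new context only covers the happy path; there is no test that enabling websso without `trusted_dashboards` is refused, which is the one check that keeps websso from being configured with an empty trusted list. A negative example pinning the `fail()` message would catch a broken guard in the manifest. Note also that the fixture URLs are plain http; harmless in a spec, but not something to copy into real deployments since the token is sent to these URLs.
```ruby
    context 'with websso enabled but no trusted dashboards' do
      before do
        params.merge!({ :enable_websso => true })
      end

      it { is_expected.to raise_error(Puppet::Error, /No trusted dashboard specified/) }
    end
```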
diff --git a/templates/mellon.conf.erb b/templates/mellon.conf.erb
index 259bcd824..56f18280b 100644
--- a/templates/mellon.conf.erb
+++ b/templates/mellon.conf.erb
@@ -14,3 +14,16 @@
AuthType "Mellon"
MellonEnable "auth"
+
+<% if @enable_websso -%>
+
+ AuthType Mellon
+ MellonEnable auth
+ Require valid-user
+
+ /protocols/mapped/websso">
+ AuthType Mellon
+ MellonEnable auth
+ Require valid-user
+
+<% end -%>
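Review bot: The second protected path hard-codes `mapped` as the protocol name (`/protocols/mapped/websso`), while the class takes `$protocol_name`; a deployment that names its protocol anything else leaves that websso endpoint outside the Mellon scope, so requests reach keystone without the MELLON_IDP/REMOTE_USER environment and the flow fails in a way that is hard to trace back to Apache. Use `<%= @protocol_name %>` there (and `<%= @idp_name %>` for the identity-provider segment if it is likewise literal). As displayed, neither new block shows its `<Location …>` opening or `</Location>` closing line, which looks like the angle-bracket tags were dropped in extraction; if they are genuinely absent in the file, the three directives would apply to the enclosing scope instead of the websso paths, so that is worth confirming on the real file. Minor: the existing block quotes `"Mellon"`/`"auth"` and the new ones do not; pick one form.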