Federation mellon support Web Single Sign-On (SSO)
When configuring federation using mellon it should also be possible to set up Web Single Sign-On (SSO) according to: http://docs.openstack.org/developer/keystone/federation/websso.html Closes-Bug: #1655620 Change-Id: I340b3a86f6870ea3b9240b4d4f69e33dde004868
parent
dbb4c3c8ce
commit
73d7194a60
|
@ -46,15 +46,28 @@
|
||||||
# accepts latest or specific versions.
|
# accepts latest or specific versions.
|
||||||
# Defaults to present.
|
# Defaults to present.
|
||||||
#
|
#
|
||||||
|
# [*enable_websso*]
|
||||||
|
# (optional) Wheater or not to enable Web Single Sign-On (SSO)
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
|
# [*trusted_dashboards*]
|
||||||
|
# (optional) URL list of trusted horizon servers.
|
||||||
|
# This setting ensures that keystone only sends token data back to trusted
|
||||||
|
# servers. This is performed as a precaution, specifically to prevent man-in-
|
||||||
|
# the-middle (MITM) attacks.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
class keystone::federation::mellon (
|
class keystone::federation::mellon (
|
||||||
$methods,
|
$methods,
|
||||||
$idp_name,
|
$idp_name,
|
||||||
$protocol_name,
|
$protocol_name,
|
||||||
$admin_port = false,
|
$admin_port = false,
|
||||||
$main_port = true,
|
$main_port = true,
|
||||||
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
||||||
$template_order = 331,
|
$template_order = 331,
|
||||||
$package_ensure = present,
|
$package_ensure = present,
|
||||||
|
$enable_websso = false,
|
||||||
|
$trusted_dashboards = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::apache
|
include ::apache
|
||||||
|
@ -81,6 +94,7 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
||||||
|
|
||||||
validate_bool($admin_port)
|
validate_bool($admin_port)
|
||||||
validate_bool($main_port)
|
validate_bool($main_port)
|
||||||
|
validate_bool($enable_websso)
|
||||||
|
|
||||||
if( !$admin_port and !$main_port){
|
if( !$admin_port and !$main_port){
|
||||||
fail('No VirtualHost port to configure, please choose at least one.')
|
fail('No VirtualHost port to configure, please choose at least one.')
|
||||||
|
@ -91,6 +105,16 @@ Apache + Mellon SP setups, where a REMOTE_USER env variable is always set, even
|
||||||
'auth/saml2': value => $module_plugin;
|
'auth/saml2': value => $module_plugin;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if($enable_websso){
|
||||||
|
if( !trusted_dashboards){
|
||||||
|
fail('No trusted dashboard specified, please add at least one.')
|
||||||
|
}
|
||||||
|
keystone_config {
|
||||||
|
'mapped/remote_id_attribute': value => 'MELLON_IDP';
|
||||||
|
'federation/trusted_dashboard': value => join(any2array($trusted_dashboards),',');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ensure_packages([$::keystone::params::mellon_package_name], {
|
ensure_packages([$::keystone::params::mellon_package_name], {
|
||||||
ensure => $package_ensure,
|
ensure => $package_ensure,
|
||||||
tag => 'keystone-support-package',
|
tag => 'keystone-support-package',
|
||||||
|
|
|
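Review bot: The guard `if( !trusted_dashboards){` at the top of the new `if($enable_websso){` block tests the bare word `trusted_dashboards`, not the parameter; a non-empty string is always truthy in Puppet, so the `fail('No trusted dashboard specified, please add at least one.')` branch can never run and a manifest with `enable_websso => true` and `trusted_dashboards` left at `undef` proceeds to write `federation/trusted_dashboard` as an empty value. The fix is the missing sigil, `if( !$trusted_dashboards){`. Since the parameter comment describes this list as the MITM precaution, it would also be worth validating its shape next to the new `validate_bool($enable_websso)` (stdlib `validate_array`/`validate_string`, matching however the rest of the class checks its inputs). The parameter comment also has a typo: `Wheater or not to enable` should read `Whether or not to enable`. The class body continues outside the hunks.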
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Federation mellon support Web Single Sign-On (SSO)
|
||||||
|
When configuring federation using mellon enable setup of Web Single
|
||||||
|
Sign-On.
|
|
@ -89,6 +89,33 @@ describe 'keystone::federation::mellon' do
|
||||||
:order => params[:template_order],
|
:order => params[:template_order],
|
||||||
})}
|
})}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'with websso enabled' do
|
||||||
|
before do
|
||||||
|
params.merge!({
|
||||||
|
:enable_websso => true,
|
||||||
|
:trusted_dashboards => [
|
||||||
|
'http://acme.horizon.com/auth/websso/',
|
||||||
|
'http://beta.horizon.com/auth/websso/',
|
||||||
|
],
|
||||||
|
})
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should have basic params for mellon in Keystone configuration' do
|
||||||
|
is_expected.to contain_keystone_config('auth/methods').with_value('password, token, saml2')
|
||||||
|
is_expected.to contain_keystone_config('auth/saml2').with_value('keystone.auth.plugins.mapped.Mapped')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should have parameters for websso in Keystone configuration' do
|
||||||
|
is_expected.to contain_keystone_config('mapped/remote_id_attribute').with_value('MELLON_IDP')
|
||||||
|
is_expected.to contain_keystone_config('federation/trusted_dashboard').with_value('http://acme.horizon.com/auth/websso/,http://beta.horizon.com/auth/websso/')
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to contain_concat__fragment('configure_mellon_on_port_5000').with({
|
||||||
|
:target => "10-keystone_wsgi_main.conf",
|
||||||
|
:order => params[:template_order],
|
||||||
|
})}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
on_supported_os({
|
on_supported_os({
|
||||||
|
|
|
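Review bot: The new 'with websso enabled' context only exercises the success path; there is no example for `enable_websso => true` with `trusted_dashboards` unset, which is exactly the path the manifest's `fail('No trusted dashboard specified, ...')` guard exists for, so a regression in that guard goes unnoticed. A sibling context asserting the compile error would pin it, and a case passing a single string for `trusted_dashboards` would also cover the `any2array` branch behind the comma-joined value asserted in 'should have parameters for websso in Keystone configuration'. The enclosing describe block starts and ends outside the hunk.
```ruby
context 'with websso enabled but no trusted dashboards' do
  before do
    params.merge!({ :enable_websso => true })
  end

  it { is_expected.to raise_error(Puppet::Error, /No trusted dashboard specified/) }
end
```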
@ -14,3 +14,16 @@
|
||||||
AuthType "Mellon"
|
AuthType "Mellon"
|
||||||
MellonEnable "auth"
|
MellonEnable "auth"
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
<% if @enable_websso -%>
|
||||||
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||||
|
AuthType Mellon
|
||||||
|
MellonEnable auth
|
||||||
|
Require valid-user
|
||||||
|
</Location>
|
||||||
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::mellon::idp_name']-%>/protocols/mapped/websso">
|
||||||
|
AuthType Mellon
|
||||||
|
MellonEnable auth
|
||||||
|
Require valid-user
|
||||||
|
</Location>
|
||||||
|
<% end -%>
|
||||||
|
|
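Review bot: The two added `<Location>` blocks write `AuthType Mellon` and `MellonEnable auth` unquoted while the existing block directly above uses `AuthType "Mellon"` and `MellonEnable "auth"`; Apache accepts both, but the template should settle on one form. The second block interpolates `scope['keystone::federation::mellon::idp_name']` straight into a `<Location ~ ...>` regex, so an idp_name containing regex metacharacters (a dot being the likely one) changes what the pattern matches instead of being matched literally; unless idp_name is constrained elsewhere, `<%= Regexp.escape(scope['keystone::federation::mellon::idp_name']) %>` keeps the match literal. The `-%>` on that expression sits mid-line, where it has nothing to trim, and can presumably be a plain `%>`.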