Add horizon WebSSO support for OpenID Connect

This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects. Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68
2018-12-21 19:15:25 -08:00 · 2018-12-21 19:15:25 -08:00 · 78ee893158
parent 5dc292d198
commit 78ee893158
3 changed files with 64 additions and 4 deletions
--- a/environments/enable-federation-openidc.yaml
+++ b/environments/enable-federation-openidc.yaml
@ -32,7 +32,7 @@ parameter_defaults:

  # The url that points to your OpenID Connect provider metadata
  # Type: string
-  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
+  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration

  # Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
  # Type: string
@ -44,7 +44,19 @@ parameter_defaults:

  # A list of dashboard URLs trusted for single sign-on.
  # Type: comma_delimited_list
-  KeystoneTrustedDashboards: https://dashboard.example.test
+  KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
+
+  # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
+  # Type: json
+  WebSSOChoices: [['OIDC', 'OpenID Connect']]
+
+  # Specifies a mapping from SSO authentication choice to identity provider and protocol.  The identity provider and protocol names must match the resources defined in keystone.
+  # Type: json
+  WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
+
+  # The initial authentication choice to select by default
+  # Type: string
+  WebSSOInitialChoice: OIDC

  # ******************************************************
  # Static parameters - these are values that must be
@ -58,6 +70,10 @@ parameter_defaults:
  # Type: boolean
  KeystoneOpenIdcEnable: True

+  # Enable support for Web Single Sign-On
+  # Type: boolean
+  WebSSOEnable: True
+
  # *********************
  # End static parameters
  # *********************
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@ -89,10 +89,33 @@ parameters:
    default: ''
    description: Horizon has a global overrides mechanism available to perform customizations
    type: string
+  WebSSOEnable:
+    default: false
+    type: boolean
+    description: Enable support for Web Single Sign-On
+  WebSSOInitialChoice:
+    default: 'OIDC'
+    type: string
+    description: The initial authentication choice to select by default
+  WebSSOChoices:
+    default:
+    - ['OIDC', 'OpenID Connect']
+    type: json
+    description: Specifies the list of SSO authentication choices to present.
+                 Each item is a list of an SSO choice identifier and a display
+                 message.
+  WebSSOIDPMapping:
+    default:
+      'OIDC': ['myidp', 'openid']
+    type: json
+    description: Specifies a mapping from SSO authentication choice to identity
+                 provider and protocol.  The identity provider and protocol names
+                 must match the resources defined in keystone.

 conditions:

  debug_unset: {equals : [{get_param: Debug}, '']}
+  websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}

 outputs:
  role_data:
@ -142,6 +165,19 @@ outputs:
          horizon::listen_ssl: {get_param: EnableInternalTLS}
          horizon::horizon_ca: {get_param: InternalTLSCAFile}
          horizon::customization_module: {get_param: HorizonCustomizationModule}
+        -
+          if:
+          - websso_enabled
+          -
+              horizon::websso_enabled:
+                get_param: WebSSOEnable
+              horizon::websso_initial_choice:
+                get_param: WebSSOInitialChoice
+              horizon::websso_choices:
+                get_param: WebSSOChoices
+              horizon::websso_idp_mapping:
+                get_param: WebSSOIDPMapping
+          - {}
        -
          if:
          - debug_unset
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
@ -16,18 +16,26 @@ environments:
          - KeystoneOpenIdcCryptoPassphrase
          - KeystoneOpenIdcResponseType
          - KeystoneOpenIdcRemoteIdAttribute
+      puppet/services/horizon.yaml:
+        parameters:
+          - WebSSOEnable
+          - WebSSOInitialChoice
+          - WebSSOChoices
+          - WebSSOIDPMapping
    sample_values:
      KeystoneFederationEnable: True
      KeystoneOpenIdcEnable: True
+      WebSSOEnable: True
      KeystoneAuthMethods: 'password,token,openid'
-      KeystoneTrustedDashboards: 'https://dashboard.example.test'
+      KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
      KeystoneOpenIdcIdpName: 'myidp'
-      KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
+      KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
      KeystoneOpenIdcClientId: 'myclientid'
      KeystoneOpenIdcClientSecret: 'myclientsecret'
    static:
      - KeystoneFederationEnable
      - KeystoneOpenIdcEnable
+      - WebSSOEnable
    description: |
      This is an example template on how to configure keystone federation for
      the OpenID Connect protocol.  You must modify the parameters to use