Browse Source

Add horizon WebSSO support for OpenID Connect

This adds support for configuring horizon for WebSSO when keystone
federation with OpenID Connect is enabled.  This patch just exposes
some new parameters to use puppet-horizon for configuration.  The
sample environment file for OpenID Connect federation is also updated
to use the new parameters.  Some of the sample defaults were updated
to more closely match the URLs that horizon expects.

Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68
changes/29/627029/2
Nathan Kinder 3 years ago committed by Juan Antonio Osorio Robles
parent
commit
78ee893158
  1. 20
      environments/enable-federation-openidc.yaml
  2. 36
      puppet/services/horizon.yaml
  3. 12
      sample-env-generator/openidc.yaml

20
environments/enable-federation-openidc.yaml

@ -32,7 +32,7 @@ parameter_defaults:
# The url that points to your OpenID Connect provider metadata
# Type: string
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
# Type: string
@ -44,7 +44,19 @@ parameter_defaults:
# A list of dashboard URLs trusted for single sign-on.
# Type: comma_delimited_list
KeystoneTrustedDashboards: https://dashboard.example.test
KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
# Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
# Type: json
WebSSOChoices: [['OIDC', 'OpenID Connect']]
# Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
# Type: json
WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
# The initial authentication choice to select by default
# Type: string
WebSSOInitialChoice: OIDC
# ******************************************************
# Static parameters - these are values that must be
@ -58,6 +70,10 @@ parameter_defaults:
# Type: boolean
KeystoneOpenIdcEnable: True
# Enable support for Web Single Sign-On
# Type: boolean
WebSSOEnable: True
# *********************
# End static parameters
# *********************

36
puppet/services/horizon.yaml

@ -89,10 +89,33 @@ parameters:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
outputs:
role_data:
@ -142,6 +165,19 @@ outputs:
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset

12
sample-env-generator/openidc.yaml

@ -16,18 +16,26 @@ environments:
- KeystoneOpenIdcCryptoPassphrase
- KeystoneOpenIdcResponseType
- KeystoneOpenIdcRemoteIdAttribute
puppet/services/horizon.yaml:
parameters:
- WebSSOEnable
- WebSSOInitialChoice
- WebSSOChoices
- WebSSOIDPMapping
sample_values:
KeystoneFederationEnable: True
KeystoneOpenIdcEnable: True
WebSSOEnable: True
KeystoneAuthMethods: 'password,token,openid'
KeystoneTrustedDashboards: 'https://dashboard.example.test'
KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
KeystoneOpenIdcIdpName: 'myidp'
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
KeystoneOpenIdcClientId: 'myclientid'
KeystoneOpenIdcClientSecret: 'myclientsecret'
static:
- KeystoneFederationEnable
- KeystoneOpenIdcEnable
- WebSSOEnable
description: |
This is an example template on how to configure keystone federation for
the OpenID Connect protocol. You must modify the parameters to use

Loading…
Cancel
Save