From 78ee893158519961009f5b862ad7c6c9458be11c Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Fri, 21 Dec 2018 19:15:25 -0800
Subject: [PATCH] Add horizon WebSSO support for OpenID Connect

This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects.

Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68
---
 environments/enable-federation-openidc.yaml | 20 ++++++++++--
 puppet/services/horizon.yaml | 36 +++++++++++++++++++++
 sample-env-generator/openidc.yaml | 12 +++++--
 3 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/environments/enable-federation-openidc.yaml b/environments/enable-federation-openidc.yaml
index 480721027e..6b9aa06342 100644
--- a/environments/enable-federation-openidc.yaml
+++ b/environments/enable-federation-openidc.yaml
@@ -32,7 +32,7 @@ parameter_defaults:
 # The url that points to your OpenID Connect provider metadata
 # Type: string
- KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/metadata
+ KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
 # Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
 # Type: string
@@ -44,7 +44,19 @@ parameter_defaults:
 # A list of dashboard URLs trusted for single sign-on.
 # Type: comma_delimited_list
- KeystoneTrustedDashboards: https://dashboard.example.test
+ KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
+
+ # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
+ # Type: json
+ WebSSOChoices: [['OIDC', 'OpenID Connect']]
+
+ # Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
+ # Type: json
+ WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
+
+ # The initial authentication choice to select by default
+ # Type: string
+ WebSSOInitialChoice: OIDC
 # ******************************************************
 # Static parameters - these are values that must be
@@ -58,6 +70,10 @@ parameter_defaults:
 # Type: boolean
 KeystoneOpenIdcEnable: True
+ # Enable support for Web Single Sign-On
+ # Type: boolean
+ WebSSOEnable: True
+
 # *********************
 # End static parameters
 # *********************
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 8db8c328cd..5784415cfb 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
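Review bot: The new `KeystoneTrustedDashboards` value is a security allowlist rather than a convenience URL, and the comment above it does not say so: keystone only hands a federated token back to an `origin` that appears in this list, and it compares the strings exactly, so the entry must equal the horizon WebSSO callback (scheme, host, port and path including the trailing slash) and every public dashboard URL actually in use has to be listed. This sample is generated, so the comment `# A list of dashboard URLs trusted for single sign-on.` would need to change in the parameter description of the keystone service template rather than here. A wording such as `A list of dashboard URLs trusted for single sign-on. Keystone only returns tokens to an origin that exactly matches an entry, so list every horizon WebSSO callback URL (scheme, host, port and path).` makes the trust boundary visible to operators who edit this file.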
@@ -89,10 +89,33 @@ parameters:
 default: ''
 description: Horizon has a global overrides mechanism available to perform customizations
 type: string
+ WebSSOEnable:
+ default: false
+ type: boolean
+ description: Enable support for Web Single Sign-On
+ WebSSOInitialChoice:
+ default: 'OIDC'
+ type: string
+ description: The initial authentication choice to select by default
+ WebSSOChoices:
+ default:
+ - ['OIDC', 'OpenID Connect']
+ type: json
+ description: Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
+ WebSSOIDPMapping:
+ default:
+ 'OIDC': ['myidp', 'openid']
+ type: json
+ description: Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
 conditions:
 debug_unset: {equals : [{get_param: Debug}, '']}
+ websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
 outputs:
 role_data:
@@ -142,6 +165,19 @@ outputs:
 horizon::listen_ssl: {get_param: EnableInternalTLS}
 horizon::horizon_ca: {get_param: InternalTLSCAFile}
 horizon::customization_module: {get_param: HorizonCustomizationModule}
+ -
+ if:
+ - websso_enabled
+ -
+ horizon::websso_enabled:
+ get_param: WebSSOEnable
+ horizon::websso_initial_choice:
+ get_param: WebSSOInitialChoice
+ horizon::websso_choices:
+ get_param: WebSSOChoices
+ horizon::websso_idp_mapping:
+ get_param: WebSSOIDPMapping
+ - {}
 -
 if:
 - debug_unset
diff --git a/sample-env-generator/openidc.yaml b/sample-env-generator/openidc.yaml
index 20a7d5dff1..5fc5b52673 100644
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
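Review bot: `WebSSOInitialChoice`, `WebSSOChoices` and `WebSSOIDPMapping` are declared as three independent parameters whose defaults happen to share the identifier `OIDC`, but nothing in the hunk states or checks that coupling: the initial choice has to be one of the identifiers in `WebSSOChoices`, and each identifier there needs a `WebSSOIDPMapping` entry naming a provider and protocol that exist in keystone (for this series that is the `myidp` / `openid` pair also used in the sample-env-generator hunk). Heat cannot express a cross-parameter constraint here, so the descriptions should carry it. I would write `description: The initial authentication choice to select by default. Must be one of the choice identifiers listed in WebSSOChoices.` for `WebSSOInitialChoice`, and extend the `WebSSOIDPMapping` description with `Each key must be a choice identifier from WebSSOChoices; the provider name must match the identity provider registered in keystone (KeystoneOpenIdcIdpName for the OpenID Connect templates).`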
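Review bot: Inside the `websso_enabled` branch, `horizon::websso_enabled: {get_param: WebSSOEnable}` can only ever resolve to true, because the branch is taken only when `equals [WebSSOEnable, True]` holds, so the extra parameter read obscures rather than informs. Writing `horizon::websso_enabled: true` states the intent directly and keeps the parameter lookups in this block to the three values that actually vary. The list this `if` entry belongs to starts and ends outside the hunk.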
@@ -16,18 +16,26 @@ environments:
 - KeystoneOpenIdcCryptoPassphrase
 - KeystoneOpenIdcResponseType
 - KeystoneOpenIdcRemoteIdAttribute
+ puppet/services/horizon.yaml:
+ parameters:
+ - WebSSOEnable
+ - WebSSOInitialChoice
+ - WebSSOChoices
+ - WebSSOIDPMapping
 sample_values:
 KeystoneFederationEnable: True
 KeystoneOpenIdcEnable: True
+ WebSSOEnable: True
 KeystoneAuthMethods: 'password,token,openid'
- KeystoneTrustedDashboards: 'https://dashboard.example.test'
+ KeystoneTrustedDashboards: 'https://dashboard.example.test/dashboard/auth/websso/'
 KeystoneOpenIdcIdpName: 'myidp'
- KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/metadata'
+ KeystoneOpenIdcProviderMetadataUrl: 'https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration'
 KeystoneOpenIdcClientId: 'myclientid'
 KeystoneOpenIdcClientSecret: 'myclientsecret'
 static:
 - KeystoneFederationEnable
 - KeystoneOpenIdcEnable
+ - WebSSOEnable
 description: |
 This is an example template on how to configure keystone federation for the OpenID Connect protocol. You must modify the parameters to use
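Review bot: The `description: |` block still presents this environment as configuring keystone federation only, while the hunk now also turns on horizon WebSSO (`WebSSOEnable` in `static` plus the three horizon parameters) and changes `KeystoneTrustedDashboards` to a callback URL that must be edited to the real dashboard host before keystone will return a token to it. The description block continues past the end of the hunk, so only its opening lines are visible here. I would add a sentence to it such as `It also enables horizon WebSSO; set KeystoneTrustedDashboards to the exact public URL of the horizon WebSSO callback (https://<dashboard-host>/dashboard/auth/websso/), because keystone only returns tokens to a listed origin.`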