Merge "Federated openid support using auth_mod_openidc"
7275ae85d1
@ -329,6 +329,7 @@ keystone_idp: {}
|
||||||
keystone_sp: {}
|
keystone_sp: {}
|
||||||
#keystone_sp:
|
#keystone_sp:
|
||||||
# cert_duration_years: 5
|
# cert_duration_years: 5
|
||||||
|
# apache_mod: shibboleth #or mod_auth_openidc
|
||||||
# trusted_dashboard_list:
|
# trusted_dashboard_list:
|
||||||
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
||||||
# - "https://{{ horizon_server_name }}/auth/websso/"
|
# - "https://{{ horizon_server_name }}/auth/websso/"
|
||||||
|
@ -425,6 +426,34 @@ keystone_sp: {}
|
||||||
# attributes:
|
# attributes:
|
||||||
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
||||||
# id: upn
|
# id: upn
|
||||||
|
#
|
||||||
|
# - name: "keycloak-oidc-idp"
|
||||||
|
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
|
||||||
|
# oidc_client_id: keystone
|
||||||
|
# oidc_client_secret: secret
|
||||||
|
# oidc_crypto_passphrase: random string
|
||||||
|
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
|
||||||
|
# entity_ids:
|
||||||
|
# - 'https://identity-provider/openid-endpoint/'
|
||||||
|
# federated_identities:
|
||||||
|
# - domain: default
|
||||||
|
# project: fedproject
|
||||||
|
# group: fedgroup
|
||||||
|
# role: _member_
|
||||||
|
# protocols:
|
||||||
|
# - name: openid
|
||||||
|
# mapping:
|
||||||
|
# name: keycloak-oidc-idp-openid-mapping
|
||||||
|
# rules:
|
||||||
|
# - remote:
|
||||||
|
# - type: OIDC-email
|
||||||
|
# local:
|
||||||
|
# - group:
|
||||||
|
# name: fedgroup
|
||||||
|
# domain:
|
||||||
|
# name: Default
|
||||||
|
# user:
|
||||||
|
# name: '{0}'
|
||||||
|
|
||||||
keystone_service_in_ldap: false
|
keystone_service_in_ldap: false
|
||||||
|
|
||||||
|
|
|
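Review bot: The example `oidc_redirect_uri` uses the IdP name `keycloak-idp`, but the example IdP a few lines above is `name: "keycloak-oidc-idp"`, and the httpd template in this commit only protects `/v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth`, so a deployer copying the example ends up with a redirect URI outside the OIDC-protected location; change it to `# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-oidc-idp/protocols/openid/auth`. The example values `oidc_client_secret: secret` and `oidc_crypto_passphrase: random string` are rendered verbatim into the Apache configuration, so the comment should say that these are secrets to be supplied from the deployment's secrets store rather than set inline here, and note that the `random string` example contains a space that the template currently passes to Apache unquoted. The `# apache_mod: shibboleth #or mod_auth_openidc` comment should state the accepted value precisely, since the release note says any other spelling selects shibboleth: `# apache_mod: shibboleth  # set to exactly 'mod_auth_openidc' to use that module; any other value installs shibboleth`.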
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- Added support for using mod_auth_openidc instead of shibboleth as a
|
||||||
|
service provider for supporting users who have a preference to use OIDC
|
||||||
|
for federation. Mod_auth_openidc is the apache module that is recommended
|
||||||
|
in the keystone documentation for implementing openidc.
|
||||||
|
Added a variable to called apache_mod to keystone_sp, if left undefined
|
||||||
|
shibboleth will continue to be installed by default provided keystone_sp is
|
||||||
|
not empty. Mod_auth_openidc will not be installed unless it is spelled
|
||||||
|
correctly, any misspellings will result in a shibboleth install.
|
||||||
|
Note that installing shibboleth on Debian based metal distro deployments
|
||||||
|
may break services that depend on libcurl4, as shib2 requires libcurl3,
|
||||||
|
and they are unable to coexist. This can be resolved when there is a
|
||||||
|
shib3 package available in a future release of Ubuntu/Debian.
|
||||||
|
There is currently no support for simultaneous use of shibboleth2 and
|
||||||
|
mod_auth_openidc.
|
|
@ -32,6 +32,17 @@
|
||||||
owner: "{{ keystone_apache_default_log_owner }}"
|
owner: "{{ keystone_apache_default_log_owner }}"
|
||||||
group: "{{ keystone_apache_default_log_grp }}"
|
group: "{{ keystone_apache_default_log_grp }}"
|
||||||
|
|
||||||
|
- name: Place apache2 config files
|
||||||
|
template:
|
||||||
|
src: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
with_items: "{{ keystone_apache_configs }}"
|
||||||
|
notify:
|
||||||
|
- Manage LB
|
||||||
|
- Restart web server
|
||||||
|
|
||||||
## NOTE(cloudnull):
|
## NOTE(cloudnull):
|
||||||
## Module enable/disable process is only functional on Debian and SUSE based systems.
|
## Module enable/disable process is only functional on Debian and SUSE based systems.
|
||||||
- name: Enable/disable apache2 modules
|
- name: Enable/disable apache2 modules
|
||||||
|
@ -58,17 +69,6 @@
|
||||||
- Manage LB
|
- Manage LB
|
||||||
- Restart web server
|
- Restart web server
|
||||||
|
|
||||||
- name: Drop apache2 config files
|
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
with_items: "{{ keystone_apache_configs }}"
|
|
||||||
notify:
|
|
||||||
- Manage LB
|
|
||||||
- Restart web server
|
|
||||||
|
|
||||||
- name: Disable default apache site
|
- name: Disable default apache site
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
|
|
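Review bot: The `Place apache2 config files` task sets `owner` and `group` but no `mode`, and after this commit the rendered httpd configuration carries `OIDCClientSecret` and `OIDCCryptoPassphrase` in cleartext, so the file's permissions depend on the umask of the run; add `mode: "0640"` to the `template:` call so only root can read it (httpd reads its configuration as root before dropping privileges). The move of this task ahead of `Enable/disable apache2 modules` is not explained anywhere; a one-line comment above the task stating why the order matters would save the next reader from re-deriving it, and I cannot tell the reason from the hunks alone.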
@ -48,6 +48,21 @@
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- name: Fact for apache module shibboleth to be installed
|
||||||
|
set_fact:
|
||||||
|
keystone_sp_apache_mod_shib:
|
||||||
|
"{{ (keystone_sp != {} and
|
||||||
|
(keystone_sp.apache_mod is undefined or
|
||||||
|
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
|
||||||
|
) | ternary('true', 'false') }}"
|
||||||
|
|
||||||
|
- name: Fact for apache module mod_auth_openidc to be installed
|
||||||
|
set_fact:
|
||||||
|
keystone_sp_apache_mod_auth_openidc:
|
||||||
|
"{{ (keystone_sp != {} and
|
||||||
|
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
|
||||||
|
| ternary('true', 'false') }}"
|
||||||
|
|
||||||
- import_tasks: db_setup.yml
|
- import_tasks: db_setup.yml
|
||||||
when:
|
when:
|
||||||
- "keystone_services['keystone-wsgi-public']['group'] in group_names"
|
- "keystone_services['keystone-wsgi-public']['group'] in group_names"
|
||||||
|
@ -123,8 +138,9 @@
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: keystone_federation_sp_setup.yml
|
- import_tasks: keystone_federation_sp_shib_setup.yml
|
||||||
when: keystone_sp != {}
|
when:
|
||||||
|
- keystone_sp_apache_mod_shib
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
|
|
|
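Review bot: The two new `set_fact` tasks carry no `tags`, while the `import_tasks: keystone_federation_sp_shib_setup.yml` they gate is tagged `keystone-config` and the templates and vars files in this commit read the same facts; a run limited with `--tags keystone-config` skips the `set_fact` tasks and then fails on an undefined `keystone_sp_apache_mod_shib`. Give both tasks `tags:` / `- always`, as the task immediately above them does. The facts are also produced as the strings `'true'`/`'false'` via `ternary('true', 'false')`, which only becomes a boolean because `set_fact` converts those strings when jinja2_native is off; returning the boolean expression directly, `keystone_sp_apache_mod_shib: "{{ keystone_sp != {} and keystone_sp.apache_mod | default('') != 'mod_auth_openidc' }}"`, is more robust and also replaces the redundant `is undefined` / `is defined` pair.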
@ -18,7 +18,7 @@ Listen {{ keystone_service_port }}
|
||||||
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
||||||
{% if keystone_sp != {} -%}
|
{% if keystone_sp != {} -%}
|
||||||
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
|
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
|
||||||
{% endif %}
|
{% endif -%}
|
||||||
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
||||||
|
|
||||||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
||||||
|
@ -33,9 +33,36 @@ Listen {{ keystone_service_port }}
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
||||||
SSLOptions +StdEnvVars +ExportCertData
|
SSLOptions +StdEnvVars +ExportCertData
|
||||||
|
{% endif -%}
|
||||||
|
{% if keystone_sp_apache_mod_auth_openidc -%}
|
||||||
|
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
|
||||||
|
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
|
||||||
|
OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
|
||||||
|
OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
|
||||||
|
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
|
||||||
|
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
|
||||||
|
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
|
||||||
|
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
|
||||||
|
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
|
||||||
|
OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if keystone_sp != {} -%}
|
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
|
||||||
|
Require valid-user
|
||||||
|
AuthType auth-openidc
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /v3/auth/OS-FEDERATION/websso/openid>
|
||||||
|
Require valid-user
|
||||||
|
AuthType openid-connect
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
|
||||||
|
Require valid-user
|
||||||
|
AuthType openid-connect
|
||||||
|
</Location>
|
||||||
|
{% endif %}
|
||||||
|
{%- if keystone_sp_apache_mod_shib -%}
|
||||||
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
||||||
|
|
||||||
<Location /Shibboleth.sso>
|
<Location /Shibboleth.sso>
|
||||||
|
@ -57,19 +84,21 @@ Listen {{ keystone_service_port }}
|
||||||
ShibExportAssertion Off
|
ShibExportAssertion Off
|
||||||
Require valid-user
|
Require valid-user
|
||||||
</LocationMatch>
|
</LocationMatch>
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if keystone_sp != {} -%}
|
||||||
<Directory /var/www/cgi-bin/keystone>
|
<Directory /var/www/cgi-bin/keystone>
|
||||||
Options Indexes FollowSymLinks MultiViews
|
Options Indexes FollowSymLinks MultiViews
|
||||||
AllowOverride All
|
AllowOverride All
|
||||||
Order allow,deny
|
Order allow,deny
|
||||||
allow from all
|
allow from all
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
{% if keystone_sp != {} -%}
|
|
||||||
ProxyPass /Shibboleth.sso !
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if keystone_sp_apache_mod_shib -%}
|
||||||
|
ProxyPass /Shibboleth.sso !
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
|
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
|
||||||
|
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
|
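Review bot: `OIDCClientSecret`, `OIDCCryptoPassphrase` and the other new OIDC directives pass the deployer's values to Apache unquoted, so a secret or passphrase containing whitespace or `#` (the defaults example in this commit is literally `random string`) is split into extra arguments and httpd refuses to start; wrap each value in double quotes as the `OIDCClaimPrefix` line already does, and the `idc_scope` lookup looks like a typo for `oidc_scope` that would silently ignore a deployer-set scope. `AuthType auth-openidc` in the first `<Location>` differs from the `openid-connect` used in the other two; as far as I know mod_auth_openidc only registers `openid-connect` and `oauth20`, so requests to the `/protocols/openid/auth` endpoint would fail with a configuration error — confirm and align it. The three OIDC `<Location>` blocks are guarded by `keystone_sp != {}` rather than `keystone_sp_apache_mod_auth_openidc`, so a shibboleth deployment gets locations requiring an AuthType no loaded module provides; the guard should match the directives block above. The enclosing `<VirtualHost>` opens before these hunks.
```jinja
{% if keystone_sp_apache_mod_auth_openidc -%}
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
OIDCScope "{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}"
OIDCProviderMetadataURL "{{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}"
OIDCClientID "{{ keystone_sp.trusted_idp_list.0.oidc_client_id }}"
OIDCClientSecret "{{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}"
OIDCCryptoPassphrase "{{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}"
OIDCRedirectURI "{{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}"
{# … unchanged: optional OIDCOAuthVerifyJwksUri … #}
{% endif %}

{% if keystone_sp_apache_mod_auth_openidc -%}
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
    Require valid-user
    AuthType openid-connect
</Location>
{# … unchanged: the two websso Location blocks … #}
{% endif %}
```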
@ -43,11 +43,7 @@ cache_time = {{ keystone_revocation_cache_time }}
|
||||||
|
|
||||||
|
|
||||||
[auth]
|
[auth]
|
||||||
{% if keystone_sp != {} %}
|
methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}
|
||||||
methods = {{ keystone_auth_methods }},saml2
|
|
||||||
{% else %}
|
|
||||||
methods = {{ keystone_auth_methods }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
|
|
||||||
{% if keystone_database_enabled | bool %}
|
{% if keystone_database_enabled | bool %}
|
||||||
|
@ -132,7 +128,11 @@ key_repository = {{ keystone_credential_key_repository }}
|
||||||
|
|
||||||
{% if keystone_sp != {} %}
|
{% if keystone_sp != {} %}
|
||||||
[federation]
|
[federation]
|
||||||
|
{% if keystone_sp_apache_mod_auth_openidc %}
|
||||||
|
remote_id_attribute = HTTP_OIDC_ISS
|
||||||
|
{% elif keystone_sp_apache_mod_shib %}
|
||||||
remote_id_attribute = Shib-Identity-Provider
|
remote_id_attribute = Shib-Identity-Provider
|
||||||
|
{% endif %}
|
||||||
{% if keystone_sp.trusted_dashboard_list is defined %}
|
{% if keystone_sp.trusted_dashboard_list is defined %}
|
||||||
{% for item in keystone_sp.trusted_dashboard_list %}
|
{% for item in keystone_sp.trusted_dashboard_list %}
|
||||||
trusted_dashboard = {{ item }}
|
trusted_dashboard = {{ item }}
|
||||||
|
|
|
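Review bot: `remote_id_attribute = HTTP_OIDC_ISS` hard-codes the header name that follows from the default `OIDCClaimPrefix "OIDC-"` written by the httpd template, but that prefix is deployer-configurable through `oidc_claim_prefix`; as I understand mod_auth_openidc, overriding the prefix changes the header the `iss` claim arrives under, and this line would then no longer match the identity provider. Either derive the value from the same variable or add a comment above the line such as `{# HTTP_OIDC_ISS assumes the default OIDCClaimPrefix "OIDC-" set in keystone-httpd.conf.j2; change both together #}`. The `[federation]` section continues past the end of this hunk.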
@ -57,7 +57,9 @@ keystone_idp_distro_packages:
|
||||||
- xmlsec1
|
- xmlsec1
|
||||||
|
|
||||||
keystone_sp_distro_packages:
|
keystone_sp_distro_packages:
|
||||||
- libapache2-mod-shib2
|
- "{{ keystone_sp_apache_mod_shib | ternary('libcurl3', 'libcurl4') }}"
|
||||||
|
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('libapache2-mod-auth-openidc',
|
||||||
|
'libapache2-mod-shib2') }}"
|
||||||
|
|
||||||
keystone_developer_mode_distro_packages:
|
keystone_developer_mode_distro_packages:
|
||||||
- build-essential
|
- build-essential
|
||||||
|
@ -86,7 +88,9 @@ keystone_apache_modules:
|
||||||
- name: "ssl"
|
- name: "ssl"
|
||||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
||||||
- name: "shib2"
|
- name: "shib2"
|
||||||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||||
|
- name: "auth_openidc"
|
||||||
|
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
|
||||||
- name: "proxy_uwsgi"
|
- name: "proxy_uwsgi"
|
||||||
state: "present"
|
state: "present"
|
||||||
- name: "headers"
|
- name: "headers"
|
||||||
|
|
|
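Review bot: The new `ternary` calls in `keystone_sp_distro_packages` and in the `shib2` / `auth_openidc` entries of `keystone_apache_modules` apply `ternary` directly to the `keystone_sp_apache_mod_*` facts, whereas the existing `ssl` entry just above coerces with `(keystone_ssl | bool)`; if either fact arrives as the string `'false'` (for example supplied with `-e` on the command line, which outranks `set_fact`), a non-empty string is truthy and the wrong package and module state are selected. Coerce consistently, e.g. `state: "{{ (keystone_sp_apache_mod_shib | bool) | ternary('present', 'absent') }}"` and `- "{{ (keystone_sp_apache_mod_auth_openidc | bool) | ternary('libapache2-mod-auth-openidc', 'libapache2-mod-shib2') }}"`. The same applies to the redhat and suse variable files further down this page.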
@ -51,7 +51,8 @@ keystone_idp_distro_packages:
|
||||||
- xmlsec1
|
- xmlsec1
|
||||||
|
|
||||||
keystone_sp_distro_packages:
|
keystone_sp_distro_packages:
|
||||||
- shibboleth
|
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('mod_auth_openidc',
|
||||||
|
'shibboleth') }}"
|
||||||
|
|
||||||
keystone_developer_mode_distro_packages:
|
keystone_developer_mode_distro_packages:
|
||||||
- gcc
|
- gcc
|
||||||
|
|
|
@ -52,7 +52,8 @@ keystone_idp_distro_packages:
|
||||||
- xmlsec1
|
- xmlsec1
|
||||||
|
|
||||||
keystone_sp_distro_packages:
|
keystone_sp_distro_packages:
|
||||||
- shibboleth-sp
|
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('apache2-mod_auth_openidc',
|
||||||
|
'shibboleth-sp') }}"
|
||||||
|
|
||||||
keystone_developer_mode_distro_packages:
|
keystone_developer_mode_distro_packages:
|
||||||
- "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
|
- "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
|
||||||
|
@ -86,7 +87,9 @@ keystone_apache_modules:
|
||||||
- name: "ssl"
|
- name: "ssl"
|
||||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
||||||
- name: "shib2"
|
- name: "shib2"
|
||||||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||||
|
- name: "auth_openidc"
|
||||||
|
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
|
||||||
- name: "proxy"
|
- name: "proxy"
|
||||||
state: "present"
|
state: "present"
|
||||||
- name: "proxy_http"
|
- name: "proxy_http"
|
||||||
|
|