Merge "Federated openid support using auth_mod_openidc"
commit
7275ae85d1
|
@ -329,6 +329,7 @@ keystone_idp: {}
|
|||
keystone_sp: {}
|
||||
#keystone_sp:
|
||||
# cert_duration_years: 5
|
||||
# apache_mod: shibboleth #or mod_auth_openidc
|
||||
# trusted_dashboard_list:
|
||||
# - "https://{{ external_lb_vip_address }}/auth/websso/"
|
||||
# - "https://{{ horizon_server_name }}/auth/websso/"
|
||||
|
@ -425,6 +426,34 @@ keystone_sp: {}
|
|||
# attributes:
|
||||
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
||||
# id: upn
|
||||
#
|
||||
# - name: "keycloak-oidc-idp"
|
||||
# oidc_provider_metadata_url: https://identity-provider/.well-known/openid-configuration
|
||||
# oidc_client_id: keystone
|
||||
# oidc_client_secret: secret
|
||||
# oidc_crypto_passphrase: random string
|
||||
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
|
||||
# entity_ids:
|
||||
# - 'https://identity-provider/openid-endpoint/'
|
||||
# federated_identities:
|
||||
# - domain: default
|
||||
# project: fedproject
|
||||
# group: fedgroup
|
||||
# role: _member_
|
||||
# protocols:
|
||||
# - name: openid
|
||||
# mapping:
|
||||
# name: keycloak-oidc-idp-openid-mapping
|
||||
# rules:
|
||||
# - remote:
|
||||
# - type: OIDC-email
|
||||
# local:
|
||||
# - group:
|
||||
# name: fedgroup
|
||||
# domain:
|
||||
# name: Default
|
||||
# user:
|
||||
# name: '{0}'
|
||||
|
||||
keystone_service_in_ldap: false
|
||||
|
||||
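Review bot: The example entries `oidc_client_secret: secret` and `oidc_crypto_passphrase: random string` carry no hint that they are secrets, yet the matching template renders them verbatim into the Apache vhost; add a comment above them such as `# oidc_client_secret and oidc_crypto_passphrase are secrets: keep them in a vault/secrets file and never commit real values`. mod_auth_openidc appears to use the crypto passphrase to protect its own session state, so the comment should also say it must be a long random value rather than the literal placeholder. The example also leaves undocumented the optional per-IdP keys the template reads with defaults (`oidc_claim_prefix`, `oidc_resp_type`, `oidc_auth_verify_jwks_uri` and the scope key); listing them commented out with their defaults would make the contract discoverable from this file alone.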
|
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
features:
|
||||
- Added support for using mod_auth_openidc instead of shibboleth as a
|
||||
service provider for supporting users who have a preference to use OIDC
|
||||
for federation. Mod_auth_openidc is the apache module that is recommended
|
||||
in the keystone documentation for implementing openidc.
|
||||
Added a variable to called apache_mod to keystone_sp, if left undefined
|
||||
shibboleth will continue to be installed by default provided keystone_sp is
|
||||
not empty. Mod_auth_openidc will not be installed unless it is spelled
|
||||
correctly, any misspellings will result in a shibboleth install.
|
||||
Note that installing shibboleth on Debian based metal distro deployments
|
||||
may break services that depend on libcurl4, as shib2 requires libcurl3,
|
||||
and they are unable to coexist. This can be resolved when there is a
|
||||
shib3 package available in a future release of Ubuntu/Debian.
|
||||
There is currently no support for simultaneous use of shibboleth2 and
|
||||
mod_auth_openidc.
|
|
@ -32,6 +32,17 @@
|
|||
owner: "{{ keystone_apache_default_log_owner }}"
|
||||
group: "{{ keystone_apache_default_log_grp }}"
|
||||
|
||||
- name: Place apache2 config files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
with_items: "{{ keystone_apache_configs }}"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart web server
|
||||
|
||||
## NOTE(cloudnull):
|
||||
## Module enable/disable process is only functional on Debian and SUSE based systems.
|
||||
- name: Enable/disable apache2 modules
|
||||
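Review bot: The `Place apache2 config files` task (moved here from later in the file) sets `owner`/`group` but no `mode`, so the rendered vhost inherits the template module's default permissions; with this commit that file now carries `OIDCClientSecret` and `OIDCCryptoPassphrase`, so it should not be world-readable. Add `mode: "0640"` to the `template:` arguments, which is sufficient provided the web server reads its configuration as root before dropping privileges. The same applies to any other config in `keystone_apache_configs` that embeds credentials.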
|
@ -58,17 +69,6 @@
|
|||
- Manage LB
|
||||
- Restart web server
|
||||
|
||||
- name: Drop apache2 config files
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
with_items: "{{ keystone_apache_configs }}"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart web server
|
||||
|
||||
- name: Disable default apache site
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
|
|
|
@ -48,6 +48,21 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Fact for apache module shibboleth to be installed
|
||||
set_fact:
|
||||
keystone_sp_apache_mod_shib:
|
||||
"{{ (keystone_sp != {} and
|
||||
(keystone_sp.apache_mod is undefined or
|
||||
(keystone_sp.apache_mod is defined and keystone_sp.apache_mod != 'mod_auth_openidc'))
|
||||
) | ternary('true', 'false') }}"
|
||||
|
||||
- name: Fact for apache module mod_auth_openidc to be installed
|
||||
set_fact:
|
||||
keystone_sp_apache_mod_auth_openidc:
|
||||
"{{ (keystone_sp != {} and
|
||||
keystone_sp.apache_mod is defined and keystone_sp.apache_mod == 'mod_auth_openidc')
|
||||
| ternary('true', 'false') }}"
|
||||
|
||||
- import_tasks: db_setup.yml
|
||||
when:
|
||||
- "keystone_services['keystone-wsgi-public']['group'] in group_names"
|
||||
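Review bot: Both new facts are rendered through `ternary('true', 'false')`, which yields the strings `true`/`false`; whether they become booleans depends on `set_fact` coercing boolean-looking strings, and if it does not, every consumer (`{% if keystone_sp_apache_mod_auth_openidc -%}` in keystone-httpd.conf.j2, the `{% if %}` guards in keystone.conf.j2 and the `ternary` filters in vars/debian.yml, vars/redhat.yml and vars/suse.yml) treats the non-empty string `false` as true. Drop the ternary and let the comparison produce a boolean, e.g. `keystone_sp_apache_mod_shib: "{{ keystone_sp != {} and (keystone_sp.apache_mod is undefined or keystone_sp.apache_mod != 'mod_auth_openidc') }}"`, and have consumers apply `| bool`; the inner `keystone_sp.apache_mod is defined and` is redundant after the `is undefined or` branch. The release note documents that a misspelled `apache_mod` silently installs shibboleth; a validation task before these facts would turn that into an explicit failure.
```yaml
- name: Validate keystone_sp.apache_mod
  assert:
    that:
      - keystone_sp.apache_mod in ['shibboleth', 'mod_auth_openidc']
    msg: "keystone_sp.apache_mod must be 'shibboleth' or 'mod_auth_openidc'"
  when:
    - keystone_sp != {}
    - keystone_sp.apache_mod is defined
```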
|
@ -123,8 +138,9 @@
|
|||
tags:
|
||||
- keystone-config
|
||||
|
||||
- import_tasks: keystone_federation_sp_setup.yml
|
||||
when: keystone_sp != {}
|
||||
- import_tasks: keystone_federation_sp_shib_setup.yml
|
||||
when:
|
||||
- keystone_sp_apache_mod_shib
|
||||
tags:
|
||||
- keystone-config
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@ Listen {{ keystone_service_port }}
|
|||
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
||||
{% if keystone_sp != {} -%}
|
||||
Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
|
||||
{% endif %}
|
||||
{% endif -%}
|
||||
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
||||
|
||||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
||||
|
@ -33,9 +33,36 @@ Listen {{ keystone_service_port }}
|
|||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
{% endif -%}
|
||||
{% if keystone_sp_apache_mod_auth_openidc -%}
|
||||
OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
|
||||
OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
|
||||
OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
|
||||
OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
|
||||
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
|
||||
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
|
||||
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
|
||||
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
|
||||
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
|
||||
OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
|
||||
{% endif %}
|
||||
|
||||
{% if keystone_sp != {} -%}
|
||||
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
|
||||
Require valid-user
|
||||
AuthType auth-openidc
|
||||
</Location>
|
||||
|
||||
<Location /v3/auth/OS-FEDERATION/websso/openid>
|
||||
Require valid-user
|
||||
AuthType openid-connect
|
||||
</Location>
|
||||
|
||||
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
|
||||
Require valid-user
|
||||
AuthType openid-connect
|
||||
</Location>
|
||||
{% endif %}
|
||||
{%- if keystone_sp_apache_mod_shib -%}
|
||||
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
||||
|
||||
<Location /Shibboleth.sso>
|
||||
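Review bot: `OIDCClientSecret`, `OIDCCryptoPassphrase`, `OIDCClientID` and `OIDCProviderMetadataURL` are rendered unquoted, so Apache splits the value on whitespace; the example in defaults/main.yml (`oidc_crypto_passphrase: random string`) would render as two arguments and fail to parse, and a real secret containing a space or `#` fails the same way. Quote them like the directives above: `OIDCClientSecret "{{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}"` and `OIDCCryptoPassphrase "{{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}"`. `OIDCScope` reads `keystone_sp.trusted_idp_list.0.idc_scope`, which looks like a typo for `oidc_scope` given every sibling key uses the `oidc_` prefix, so the scope can never be overridden under the intended name. The enclosing `<VirtualHost>` block starts and ends outside this hunk.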
|
@ -57,19 +84,21 @@ Listen {{ keystone_service_port }}
|
|||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if keystone_sp != {} -%}
|
||||
<Directory /var/www/cgi-bin/keystone>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
{% if keystone_sp != {} -%}
|
||||
ProxyPass /Shibboleth.sso !
|
||||
{% endif %}
|
||||
|
||||
{% if keystone_sp_apache_mod_shib -%}
|
||||
ProxyPass /Shibboleth.sso !
|
||||
{% endif -%}
|
||||
|
||||
ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
|
||||
|
||||
</VirtualHost>
|
||||
|
|
|
@ -43,11 +43,7 @@ cache_time = {{ keystone_revocation_cache_time }}
|
|||
|
||||
|
||||
[auth]
|
||||
{% if keystone_sp != {} %}
|
||||
methods = {{ keystone_auth_methods }},saml2
|
||||
{% else %}
|
||||
methods = {{ keystone_auth_methods }}
|
||||
{% endif %}
|
||||
methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}
|
||||
|
||||
|
||||
{% if keystone_database_enabled | bool %}
|
||||
|
@ -132,7 +128,11 @@ key_repository = {{ keystone_credential_key_repository }}
|
|||
|
||||
{% if keystone_sp != {} %}
|
||||
[federation]
|
||||
{% if keystone_sp_apache_mod_auth_openidc %}
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
{% elif keystone_sp_apache_mod_shib %}
|
||||
remote_id_attribute = Shib-Identity-Provider
|
||||
{% endif %}
|
||||
{% if keystone_sp.trusted_dashboard_list is defined %}
|
||||
{% for item in keystone_sp.trusted_dashboard_list %}
|
||||
trusted_dashboard = {{ item }}
|
||||
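Review bot: `remote_id_attribute = HTTP_OIDC_ISS` hard-codes the header name that results from the default claim prefix, but keystone-httpd.conf.j2 makes that prefix configurable via `oidc_claim_prefix` (default `OIDC-`); a deployer who overrides it gets a `[federation]` section that no longer matches the headers mod_auth_openidc emits, so federated logins fail with no obvious cause. Either derive the attribute from the same variable or add a comment here, `{# must match the OIDCClaimPrefix set in keystone-httpd.conf.j2 #}`, and document the coupling next to `oidc_claim_prefix` in defaults/main.yml. The `{% if keystone_sp != {} %}` guard opening this section is closed outside the hunk.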
|
|
|
@ -57,7 +57,9 @@ keystone_idp_distro_packages:
|
|||
- xmlsec1
|
||||
|
||||
keystone_sp_distro_packages:
|
||||
- libapache2-mod-shib2
|
||||
- "{{ keystone_sp_apache_mod_shib | ternary('libcurl3', 'libcurl4') }}"
|
||||
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('libapache2-mod-auth-openidc',
|
||||
'libapache2-mod-shib2') }}"
|
||||
|
||||
keystone_developer_mode_distro_packages:
|
||||
- build-essential
|
||||
|
@ -86,7 +88,9 @@ keystone_apache_modules:
|
|||
- name: "ssl"
|
||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
||||
- name: "shib2"
|
||||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
||||
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||
- name: "auth_openidc"
|
||||
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
|
||||
- name: "proxy_uwsgi"
|
||||
state: "present"
|
||||
- name: "headers"
|
||||
|
|
|
@ -51,7 +51,8 @@ keystone_idp_distro_packages:
|
|||
- xmlsec1
|
||||
|
||||
keystone_sp_distro_packages:
|
||||
- shibboleth
|
||||
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('mod_auth_openidc',
|
||||
'shibboleth') }}"
|
||||
|
||||
keystone_developer_mode_distro_packages:
|
||||
- gcc
|
||||
|
|
|
@ -52,7 +52,8 @@ keystone_idp_distro_packages:
|
|||
- xmlsec1
|
||||
|
||||
keystone_sp_distro_packages:
|
||||
- shibboleth-sp
|
||||
- "{{ keystone_sp_apache_mod_auth_openidc | ternary('apache2-mod_auth_openidc',
|
||||
'shibboleth-sp') }}"
|
||||
|
||||
keystone_developer_mode_distro_packages:
|
||||
- "{{ (ansible_distribution_version is version ('42', '>=')) | ternary('patterns-openSUSE-devel_basis', 'patterns-devel-base-devel_basis') }}"
|
||||
|
@ -86,7 +87,9 @@ keystone_apache_modules:
|
|||
- name: "ssl"
|
||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
||||
- name: "shib2"
|
||||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
||||
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||
- name: "auth_openidc"
|
||||
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
|
||||
- name: "proxy"
|
||||
state: "present"
|
||||
- name: "proxy_http"
|
||||
|
|