Fix nits in code blocks in federation guide
Fix inconsistent indentation of code-blocks, ensure shell samples correctly differentiate between root-required commands and non-root commands in accordance with the openstack-manuals recommendations[1], and use proper markup for interactive shell examples.

[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst

Partial-bug: #1793374
Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
This commit is contained in:
parent
40e0f5d976
commit
9bc2b8875d
|
@ -100,10 +100,10 @@ Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
|
|||
Names should be equal to protocol names added via Identity API v3. Here we use
|
||||
examples ``saml2`` and ``openid``.
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: ini
|
||||
|
||||
[auth]
|
||||
methods = external,password,token,saml2,openid
|
||||
[auth]
|
||||
methods = external,password,token,saml2,openid
|
||||
|
||||
Create keystone groups and assign roles
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -126,23 +126,23 @@ both of which are exposed to the CLI via `python-openstackclient
|
|||
|
||||
For example, create a new domain and project like this:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack domain create federated_domain
|
||||
$ openstack project create federated_project --domain federated_domain
|
||||
$ openstack domain create federated_domain
|
||||
$ openstack project create federated_project --domain federated_domain
|
||||
|
||||
And a new group like this:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack group create federated_users
|
||||
$ openstack group create federated_users
|
||||
|
||||
Add the group to the domain and project:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role add --group federated_users --domain federated_domain Member
|
||||
$ openstack role add --group federated_users --project federated_project Member
|
||||
$ openstack role add --group federated_users --domain federated_domain Member
|
||||
$ openstack role add --group federated_users --project federated_project Member
|
||||
|
||||
We'll later add a mapping that makes all federated users a part of this group
|
||||
and therefore members of the new domain.
|
||||
|
@ -166,9 +166,9 @@ Identity Provider
|
|||
Create an Identity Provider object in keystone, which represents the Identity
|
||||
Provider we will use to authenticate end users:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
|
||||
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
|
||||
|
||||
The value for the ``remote-id`` option is the unique identifier provided by the
|
||||
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
|
||||
|
@ -224,70 +224,70 @@ Mapping objects can be used multiple times by different combinations of Identity
|
|||
As a simple example, if keystone is your IdP, you can map a few known remote
|
||||
users to the group you already created:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ cat > rules.json <<EOF
|
||||
[
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
},
|
||||
"group": {
|
||||
"domain": {
|
||||
"name": "Default"
|
||||
},
|
||||
"name": "federated_users"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "openstack_user"
|
||||
},
|
||||
{
|
||||
"type": "openstack_user",
|
||||
"any_one_of": [
|
||||
"demo",
|
||||
"alt_demo"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
EOF
|
||||
$ openstack mapping create --rules rules.json myidp_mapping
|
||||
$ cat > rules.json <<EOF
|
||||
[
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
},
|
||||
"group": {
|
||||
"domain": {
|
||||
"name": "Default"
|
||||
},
|
||||
"name": "federated_users"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "openstack_user"
|
||||
},
|
||||
{
|
||||
"type": "openstack_user",
|
||||
"any_one_of": [
|
||||
"demo",
|
||||
"alt_demo"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
EOF
|
||||
$ openstack mapping create --rules rules.json myidp_mapping
|
||||
|
||||
As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ cat > rules.json <<EOF
|
||||
[
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
},
|
||||
"group": {
|
||||
"domain": {
|
||||
"name": "Default"
|
||||
},
|
||||
"name": "federated_users"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "REMOTE_USER"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
EOF
|
||||
$ openstack mapping create --rules rules.json myidp_mapping
|
||||
$ cat > rules.json <<EOF
|
||||
[
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"user": {
|
||||
"name": "{0}"
|
||||
},
|
||||
"group": {
|
||||
"domain": {
|
||||
"name": "Default"
|
||||
},
|
||||
"name": "federated_users"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "REMOTE_USER"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
EOF
|
||||
$ openstack mapping create --rules rules.json myidp_mapping
|
||||
|
||||
Read more about `mapping
|
||||
<https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
|
||||
|
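Review bot: the switch to the `console` lexer is right for both heredocs, but this is the place to add a sentence about the second rule: its remote section is only `{"type": "REMOTE_USER"}` with no `any_one_of`, so every identity the Shibboleth IdP asserts is placed into `federated_users` (and therefore receives the domain and project roles granted to that group earlier), whereas the keystone-as-IdP rule restricts the match to `demo` and `alt_demo`. A one-line hint that readers should add an `any_one_of` or `not_any_of` filter to the `REMOTE_USER` rule before using it would prevent a copy-paste over-grant.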
@ -301,9 +301,9 @@ request made by an IdP. An IdP may have multiple supported protocols.
|
|||
|
||||
You can create a protocol like this:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
|
||||
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
|
||||
|
||||
The name you give the protocol is not arbitrary. It must match the method name
|
||||
you gave in the ``[auth]/methods`` config option. When authenticating it will be
|
||||
|
@ -356,9 +356,9 @@ considered protected by ``mod_shib`` and Apache, as such a request made
|
|||
to the URL would be redirected to the Identity Provider, to start the
|
||||
SAML authentication procedure.
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
|
||||
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
|
||||
|
||||
Determine accessible resources
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -376,21 +376,21 @@ Read more about `listing resources
|
|||
Example
|
||||
~~~~~~~
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||
$ openstack federation project list
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||
$ openstack federation project list
|
||||
|
||||
or
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||
$ openstack federation domain list
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_URL=https://sp.keystone.example.org/v3
|
||||
$ openstack federation domain list
|
||||
|
||||
Get a scoped token
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
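Review bot: both listing examples in this hunk use `OS_URL` together with `OS_TOKEN`, while the scoped-token example in the next hunk uses `OS_AUTH_TYPE=token` with `OS_AUTH_URL`; with python-openstackclient `OS_URL` plus `OS_TOKEN` selects the token-endpoint plugin, which is a different auth path from `OS_AUTH_TYPE=token`. Since the blocks are being retouched anyway, consider aligning the two styles so readers do not mix them. A short reminder that `export OS_TOKEN=<unscoped token>` leaves the token in shell history and in the environment of every child process would also fit here.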
@ -406,15 +406,15 @@ Read more about `getting a scoped token
|
|||
Example
|
||||
~~~~~~~
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_AUTH_TYPE=token
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
|
||||
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
|
||||
$ export OS_PROJECT_NAME=federated_project
|
||||
$ openstack token issue
|
||||
$ export OS_AUTH_TYPE=token
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
$ export OS_TOKEN=<unscoped token>
|
||||
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
|
||||
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
|
||||
$ export OS_PROJECT_NAME=federated_project
|
||||
$ openstack token issue
|
||||
|
||||
--------------------------------------
|
||||
Keystone as an Identity Provider (IdP)
|
||||
|
@ -433,9 +433,9 @@ Keystone as an Identity Provider (IdP)
|
|||
|
||||
Example for apt:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ apt-get install xmlsec1
|
||||
# apt-get install xmlsec1
|
||||
|
||||
.. note::
|
||||
|
||||
|
@ -457,9 +457,9 @@ example:
|
|||
|
||||
.. code-block:: ini
|
||||
|
||||
[saml]
|
||||
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
|
||||
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
|
||||
[saml]
|
||||
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
|
||||
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
|
||||
|
||||
``idp_entity_id`` is the unique identifier for the Identity Provider. It
|
||||
usually takes the form of a URI but it does not have to resolve to anything.
|
||||
|
@ -471,30 +471,30 @@ necessary:
|
|||
|
||||
.. code-block:: ini
|
||||
|
||||
certfile=/etc/keystone/ssl/certs/signing_cert.pem
|
||||
keyfile=/etc/keystone/ssl/private/signing_key.pem
|
||||
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
|
||||
certfile=/etc/keystone/ssl/certs/signing_cert.pem
|
||||
keyfile=/etc/keystone/ssl/private/signing_key.pem
|
||||
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
|
||||
|
||||
Though not necessary, the follow Organization configuration options should
|
||||
also be setup. It is recommended that these values be URL safe.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
idp_organization_name=example_company
|
||||
idp_organization_display_name=Example Corp.
|
||||
idp_organization_url=example.com
|
||||
idp_organization_name=example_company
|
||||
idp_organization_display_name=Example Corp.
|
||||
idp_organization_url=example.com
|
||||
|
||||
As with the Organization options, the Contact options, are not necessary, but
|
||||
it's advisable to set these values too.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
idp_contact_company=example_company
|
||||
idp_contact_name=John
|
||||
idp_contact_surname=Smith
|
||||
idp_contact_email=jsmith@example.com
|
||||
idp_contact_telephone=555-555-5555
|
||||
idp_contact_type=technical
|
||||
idp_contact_company=example_company
|
||||
idp_contact_name=John
|
||||
idp_contact_surname=Smith
|
||||
idp_contact_email=jsmith@example.com
|
||||
idp_contact_telephone=555-555-5555
|
||||
idp_contact_type=technical
|
||||
|
||||
Generate Metadata
|
||||
-----------------
|
||||
|
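Review bot: the three ini fragments re-indented here (`certfile`/`keyfile`/`idp_metadata_path`, the `idp_organization_*` options and the `idp_contact_*` options) carry no `[saml]` header, unlike the fragment in the previous hunk, so a reader pasting them into `keystone.conf` can land them in the wrong section; prefix each fragment with `[saml]`. Because `keyfile=/etc/keystone/ssl/private/signing_key.pem` is the IdP's assertion-signing key, a sentence stating that the file must be readable only by the user keystone runs as would be a useful addition at the same spot.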
@ -514,9 +514,9 @@ vhost::
|
|||
To create metadata for your keystone IdP, run the ``keystone-manage`` command
|
||||
and redirect the output to a file. For example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
|
||||
# keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
|
||||
|
||||
.. NOTE::
|
||||
The file location should match the value of the configuration option
|
||||
|
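Review bot: changing `keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml` to a root prompt follows the conventions, but the redirection is now performed by root, so the resulting file is root-owned with root's umask; keystone serves its IdP metadata from the path in `idp_metadata_path`, so the note below should also say the file must be readable by the user the keystone WSGI process runs as (or suggest running the command as that user).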
@ -535,11 +535,11 @@ signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
|
|||
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
|
||||
described in `Get an unscoped token`_.
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service provider create \
|
||||
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
|
||||
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
|
||||
$ openstack service provider create \
|
||||
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
|
||||
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
|
||||
|
||||
Testing it all out
|
||||
------------------
|
||||
|
@ -551,13 +551,13 @@ scoped token from the SP.
|
|||
ECP stands for Enhanced Client or Proxy, an extension from the SAML2
|
||||
protocol used in non-browser interfaces, like in the following example.
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack \
|
||||
--os-service-provider mysp \
|
||||
--os-remote-project-name federated_project \
|
||||
--os-remote-project-domain-name federated_domain \
|
||||
token issue
|
||||
$ openstack \
|
||||
--os-service-provider mysp \
|
||||
--os-remote-project-name federated_project \
|
||||
--os-remote-project-domain-name federated_domain \
|
||||
token issue
|
||||
|
||||
|
||||
.. include:: openidc.rst
|
||||
|
|
|
@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
|
|||
You'll also need to install the Apache module `mod_auth_mellon
|
||||
<https://github.com/UNINETT/mod_auth_mellon>`_. For example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ apt-get install libapache2-mod-auth-mellon
|
||||
# apt-get install libapache2-mod-auth-mellon
|
||||
|
||||
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
||||
|
||||
|
@ -41,22 +41,22 @@ Add this *WSGIScriptAlias* directive to your public vhost configuration::
|
|||
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
|
||||
a *<Location>* directive for each identity provider
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<Location /v3>
|
||||
MellonEnable "info"
|
||||
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
|
||||
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
|
||||
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
|
||||
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
|
||||
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
MellonIdP "IDP"
|
||||
</Location>
|
||||
<Location /v3>
|
||||
MellonEnable "info"
|
||||
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
|
||||
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
|
||||
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
|
||||
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
|
||||
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
MellonIdP "IDP"
|
||||
</Location>
|
||||
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
AuthType "Mellon"
|
||||
MellonEnable "auth"
|
||||
</Location>
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
AuthType "Mellon"
|
||||
MellonEnable "auth"
|
||||
</Location>
|
||||
|
||||
.. NOTE::
|
||||
* See below for information about how to generate the values for the
|
||||
|
@ -69,9 +69,9 @@ a *<Location>* directive for each identity provider
|
|||
|
||||
Enable the ``auth_mellon`` module, for example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ a2enmod auth_mellon
|
||||
# a2enmod auth_mellon
|
||||
|
||||
Configuring the Mellon SP Metadata
|
||||
----------------------------------
|
||||
|
@ -80,10 +80,10 @@ Mellon provides a script called `mellon_create_metadata.sh`_ which generates
|
|||
the values for the config directives `MellonSPPrivateKeyFile`,
|
||||
`MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
|
||||
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
|
||||
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
|
||||
The first parameter is used as the entity ID, a unique identifier for this
|
||||
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
|
||||
|
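Review bot: in the `mellon_create_metadata.sh` invocation the continuation backslash is glued to the first argument (`https://sp.keystone.example.org/mellon\`); the command still works because the next line begins with whitespace, but it reads as if the entity ID ends in a backslash, so put a space before the `\`.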
@ -107,15 +107,15 @@ can upload the file, or you may be required to submit the file using `wget` or
|
|||
Fetch your Identity Provider's Metadata file and copy it to the path specified
|
||||
by the `MellonIdPMetadataFile` directive above. For example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
|
||||
https://myidp.example.com/idp/saml2/metadata
|
||||
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
|
||||
https://myidp.example.com/idp/saml2/metadata
|
||||
|
||||
Once you are done, restart the Apache instance that is serving Keystone, for example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ service apache2 restart
|
||||
# service apache2 restart
|
||||
|
||||
.. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh
|
||||
|
|
|
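Review bot: `$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml ...` keeps the non-root `$` prompt although it writes under `/etc/apache2/mellon`, the same directory the `#` prompts for `apt-get` and `service apache2 restart` treat as root territory; by the conventions this change applies the prompt should be `#` (or the file fetched elsewhere and installed as root).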
@ -24,43 +24,43 @@ Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openi
|
|||
|
||||
To install `mod_auth_openidc` on Ubuntu, perform the following:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ sudo apt-get install libapache2-mod-auth-openidc
|
||||
# apt-get install libapache2-mod-auth-openidc
|
||||
|
||||
This module is available for other distributions (Fedora/CentOS/Red Hat) from:
|
||||
https://github.com/pingidentity/mod_auth_openidc/releases
|
||||
|
||||
Enable the auth_openidc module:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ sudo a2enmod auth_openidc
|
||||
# a2enmod auth_openidc
|
||||
|
||||
In the keystone vhost file, locate the virtual host entry and add the following
|
||||
entries for OpenID Connect:
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:5000>
|
||||
<VirtualHost *:5000>
|
||||
|
||||
...
|
||||
...
|
||||
|
||||
OIDCClaimPrefix "OIDC-"
|
||||
OIDCResponseType "id_token"
|
||||
OIDCScope "openid email profile"
|
||||
OIDCProviderMetadataURL <url_of_provider_metadata>
|
||||
OIDCClientID <openid_client_id>
|
||||
OIDCClientSecret <openid_client_secret>
|
||||
OIDCCryptoPassphrase openstack
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
|
||||
OIDCClaimPrefix "OIDC-"
|
||||
OIDCResponseType "id_token"
|
||||
OIDCScope "openid email profile"
|
||||
OIDCProviderMetadataURL <url_of_provider_metadata>
|
||||
OIDCClientID <openid_client_id>
|
||||
OIDCClientSecret <openid_client_secret>
|
||||
OIDCCryptoPassphrase openstack
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
|
||||
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
LogLevel debug
|
||||
</LocationMatch>
|
||||
</VirtualHost>
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
LogLevel debug
|
||||
</LocationMatch>
|
||||
</VirtualHost>
|
||||
|
||||
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
|
||||
If not using `OIDCProviderMetadataURL`, then the following attributes
|
||||
|
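Review bot: the vhost sample now uses the `apache` lexer, but `OIDCCryptoPassphrase openstack` stays a literal value beside the `<openid_client_id>` and `<openid_client_secret>` placeholders; readers copy these blocks, and that passphrase protects mod_auth_openidc's state and session cookies, so make it a placeholder such as `<random_passphrase>`. `LogLevel debug` inside the `<LocationMatch>` block likewise belongs in a troubleshooting note rather than the baseline configuration.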
@ -75,9 +75,9 @@ for more details
|
|||
|
||||
Once you are done, restart your Apache daemon:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ sudo service apache2 restart
|
||||
# service apache2 restart
|
||||
|
||||
Tips
|
||||
----
|
||||
|
|
|
@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
|
|||
You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
|
||||
example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ apt-get install libapache2-mod-shib2
|
||||
# apt-get install libapache2-mod-shib2
|
||||
|
||||
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
|
||||
|
||||
|
@ -39,23 +39,25 @@ Add this *WSGIScriptAliasMatch* directive to your public vhost configuration::
|
|||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
|
||||
|
||||
Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
|
||||
Shibboleth module and a *<Location>* directive for each identity provider::
|
||||
Shibboleth module and a *<Location>* directive for each identity provider
|
||||
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
.. code-block:: apache
|
||||
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
|
||||
<IfVersion < 2.4>
|
||||
ShibRequireSession On
|
||||
ShibRequireAll On
|
||||
</IfVersion>
|
||||
</Location>
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
|
||||
<IfVersion < 2.4>
|
||||
ShibRequireSession On
|
||||
ShibRequireAll On
|
||||
</IfVersion>
|
||||
</Location>
|
||||
|
||||
.. NOTE::
|
||||
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||
|
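Review bot: replacing the `::` literal block with `.. code-block:: apache` leaves the lead-in sentence ending at `...for each identity provider` with no punctuation, because the old `::` rendered as a colon; add a colon to the new sentence.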
@ -68,15 +70,15 @@ Shibboleth module and a *<Location>* directive for each identity provider::
|
|||
|
||||
Enable the ``shib2`` module, for example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ a2enmod shib2
|
||||
# a2enmod shib2
|
||||
|
||||
Restart Apache, for example:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ service apache2 restart
|
||||
# service apache2 restart
|
||||
|
||||
Configuring shibboleth2.xml
|
||||
---------------------------
|
||||
|
@ -86,9 +88,9 @@ configure Shibboleth and upload your Metadata to the Identity Provider.
|
|||
|
||||
Create a new keypair for Shibboleth with:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ shib-keygen -y <number of years>
|
||||
# shib-keygen -y <number of years>
|
||||
|
||||
The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
|
||||
|
||||
|
@ -101,20 +103,20 @@ file. You will want to change five settings:
|
|||
|
||||
.. code-block:: xml
|
||||
|
||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||
|
||||
* Set the IdP entity ID. This value is determined by the IdP. For example, if
|
||||
Keystone is the IdP:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||
|
||||
Example if samltest.id is the IdP:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<SSO entityID="https://samltest.id/saml/idp">
|
||||
<SSO entityID="https://samltest.id/saml/idp">
|
||||
|
||||
* Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
|
||||
|
||||
|
@ -123,13 +125,13 @@ Example if samltest.id is the IdP:
|
|||
|
||||
.. code-block:: xml
|
||||
|
||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||
|
||||
Example if samltest.id is the IdP:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
|
||||
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
|
||||
|
||||
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
|
||||
|
||||
|
@ -138,143 +140,143 @@ to be used in a production environment):
|
|||
|
||||
.. code-block:: xml
|
||||
|
||||
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
clockSkew="180">
|
||||
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
||||
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||
clockSkew="180">
|
||||
|
||||
<!--
|
||||
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
||||
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
||||
-->
|
||||
<!--
|
||||
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
||||
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
||||
-->
|
||||
|
||||
<!--
|
||||
To customize behavior for specific resources on Apache, and to link vhosts or
|
||||
resources to ApplicationOverride settings below, use web server options/commands.
|
||||
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
||||
<!--
|
||||
To customize behavior for specific resources on Apache, and to link vhosts or
|
||||
resources to ApplicationOverride settings below, use web server options/commands.
|
||||
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
||||
|
||||
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
||||
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
||||
-->
|
||||
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
||||
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
||||
-->
|
||||
|
||||
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
||||
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
|
||||
|
||||
<!--
|
||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||
You MUST supply an effectively unique handlerURL value for each of your applications.
|
||||
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
||||
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
||||
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
||||
Note that while we default checkAddress to "false", this has a negative impact on the
|
||||
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
||||
-->
|
||||
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
||||
checkAddress="false" handlerSSL="false" cookieProps="http">
|
||||
<!--
|
||||
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||
You MUST supply an effectively unique handlerURL value for each of your applications.
|
||||
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
||||
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
||||
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
||||
Note that while we default checkAddress to "false", this has a negative impact on the
|
||||
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
||||
-->
|
||||
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
||||
checkAddress="false" handlerSSL="false" cookieProps="http">
|
||||
|
||||
<!--
|
||||
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
||||
entityID property and adjust discoveryURL to point to discovery service.
|
||||
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
||||
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
||||
-->
|
||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||
SAML2 SAML1
|
||||
</SSO>
|
||||
<!--
|
||||
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
||||
entityID property and adjust discoveryURL to point to discovery service.
|
||||
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
||||
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
||||
-->
|
||||
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
|
||||
SAML2 SAML1
|
||||
</SSO>
|
||||
|
||||
<!-- SAML and local-only logout. -->
|
||||
<Logout>SAML2 Local</Logout>
|
||||
<!-- SAML and local-only logout. -->
|
||||
<Logout>SAML2 Local</Logout>
|
||||
|
||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||
|
||||
<!-- Status reporting service. -->
|
||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||
<!-- Status reporting service. -->
|
||||
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||
|
||||
<!-- Session diagnostic service. -->
|
||||
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
||||
<!-- Session diagnostic service. -->
|
||||
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
||||
|
||||
<!-- JSON feed of discovery information. -->
|
||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||
</Sessions>
|
||||
<!--
|
||||
Allows overriding of error template information/filenames. You can
|
||||
also add attributes with values that can be plugged into the templates.
|
||||
-->
|
||||
<Errors supportContact="root@localhost"
|
||||
helpLocation="/about.html"
|
||||
styleSheet="/shibboleth-sp/main.css"/>
|
||||
<!-- JSON feed of discovery information. -->
|
||||
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||
</Sessions>
|
||||
<!--
|
||||
Allows overriding of error template information/filenames. You can
|
||||
also add attributes with values that can be plugged into the templates.
|
||||
-->
|
||||
<Errors supportContact="root@localhost"
|
||||
helpLocation="/about.html"
|
||||
styleSheet="/shibboleth-sp/main.css"/>
|
||||
|
||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
|
||||
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
|
||||
</MetadataProvider>
|
||||
-->
|
||||
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
|
||||
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
||||
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
|
||||
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
|
||||
</MetadataProvider>
|
||||
-->
|
||||
|
||||
<!-- Example of locally maintained metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
||||
-->
|
||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||
<!-- Example of locally maintained metadata. -->
|
||||
<!--
|
||||
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
||||
-->
|
||||
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
|
||||
|
||||
<!-- Map to extract attributes from SAML assertions. -->
|
||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||
<!-- Map to extract attributes from SAML assertions. -->
|
||||
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||
|
||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||
|
||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||
|
||||
<!-- Simple file-based resolver for using a single keypair. -->
|
||||
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
||||
<!-- Simple file-based resolver for using a single keypair. -->
|
||||
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
||||
|
||||
<!--
|
||||
The default settings can be overridden by creating ApplicationOverride elements (see
|
||||
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||
applicationId setting.
|
||||
Example of a second application (for a second vhost) that has a different entityID.
|
||||
Resources on the vhost would map to an applicationId of "admin":
|
||||
-->
|
||||
<!--
|
||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||
-->
|
||||
</ApplicationDefaults>
|
||||
<!--
|
||||
The default settings can be overridden by creating ApplicationOverride elements (see
|
||||
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
||||
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||
applicationId setting.
|
||||
Example of a second application (for a second vhost) that has a different entityID.
|
||||
Resources on the vhost would map to an applicationId of "admin":
|
||||
-->
|
||||
<!--
|
||||
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||
-->
|
||||
</ApplicationDefaults>
|
||||
|
||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||
|
||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||
|
||||
</SPConfig>
|
||||
</SPConfig>
|
||||
|
||||
If keystone is your IdP, you will need to examine your attributes map file
|
||||
``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
|
||||
|
||||
.. code-block:: xml
|
||||
|
||||
<Attribute name="openstack_user" id="openstack_user"/>
|
||||
<Attribute name="openstack_roles" id="openstack_roles"/>
|
||||
<Attribute name="openstack_project" id="openstack_project"/>
|
||||
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
|
||||
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
|
||||
<Attribute name="openstack_user" id="openstack_user"/>
|
||||
<Attribute name="openstack_roles" id="openstack_roles"/>
|
||||
<Attribute name="openstack_project" id="openstack_project"/>
|
||||
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
|
||||
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
|
||||
|
||||
For more information see the
|
||||
`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
|
||||
|
||||
Once you are done, restart your Shibboleth daemon and apache:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ service shibd restart
|
||||
$ service apache2 restart
|
||||
# service shibd restart
|
||||
# service apache2 restart
|
||||
|
||||
Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
|
||||
correct them.
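Review bot: the active `<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>` line in this re-indented sample has no MetadataFilter at all, while the commented-out example directly above it shows both `RequireValidUntil` and `Signature` filters; since the whole block is being touched here, either show the filters that apply to keystone-served metadata or add one sentence after the sample stating that trust in the IdP metadata then rests entirely on the TLS connection to that URL. The `$ service shibd restart` to `# service shibd restart` change in the same hunk is correct: both restarts require root, which is what the cited conventions reserve the `#` prompt for.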
|
||||
|
@ -282,9 +284,9 @@ correct them.
|
|||
Upload your Service Provider's metadata file to your Identity Provider. You can
|
||||
fetch it with:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
|
||||
# wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
|
||||
|
||||
This step depends on your Identity Provider choice and is not covered here.
|
||||
If keystone is your Identity Provider you do not need to upload this file.
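Review bot: `$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata` should not have become `# wget ...`: fetching the SP metadata over HTTPS needs no root privileges, and the openstack-manuals conventions this change cites reserve the `#` prompt for commands that must run as root. Keep the `$` prompt here; the `bash` to `console` directive change itself is right.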
|
||||
|
|
|
@ -27,9 +27,9 @@ prevent man-in-the-middle (MITM) attacks.
|
|||
|
||||
.. code-block:: ini
|
||||
|
||||
[federation]
|
||||
trusted_dashboard = http://acme.horizon.com/auth/websso/
|
||||
trusted_dashboard = http://beta.horizon.com/auth/websso/
|
||||
[federation]
|
||||
trusted_dashboard = http://acme.horizon.com/auth/websso/
|
||||
trusted_dashboard = http://beta.horizon.com/auth/websso/
|
||||
|
||||
2. Update httpd vhost file with websso information.
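Review bot: both `trusted_dashboard = http://acme.horizon.com/auth/websso/` and the `beta.horizon.com` entry use plain http inside a paragraph whose context line says the option exists to prevent man-in-the-middle attacks; keystone posts the user's token back to exactly this URL, so the example should use https (or the text should say these are placeholders that must be https outside a lab). The indentation fix to the ini block is fine.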
|
||||
|
||||
|
@ -47,95 +47,95 @@ is configured in keystone.
|
|||
|
||||
If `mod_shib` is used, then use the following as an example:
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:5000>
|
||||
<VirtualHost *:5000>
|
||||
|
||||
...
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion Off
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion Off
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
||||
If `mod_auth_openidc` is used, then use the following as an example:
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:5000>
|
||||
<VirtualHost *:5000>
|
||||
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
|
||||
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
|
||||
|
||||
...
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
|
||||
AuthType openid-connect
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
||||
If `mod_auth_kerb` is used, then use the following as an example:
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:5000>
|
||||
<VirtualHost *:5000>
|
||||
|
||||
...
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
|
||||
AuthType Kerberos
|
||||
AuthName "Acme Corporation"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
Krb5Keytab /etc/apache2/http.keytab
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
|
||||
AuthType Kerberos
|
||||
AuthName "Acme Corporation"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
Krb5Keytab /etc/apache2/http.keytab
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
|
||||
AuthType Kerberos
|
||||
AuthName "Acme Corporation"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
Krb5Keytab /etc/apache2/http.keytab
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
|
||||
AuthType Kerberos
|
||||
AuthName "Acme Corporation"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
Krb5Keytab /etc/apache2/http.keytab
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
||||
If `mod_auth_mellon` is used, then use the following as an example:
|
||||
|
||||
.. code-block:: none
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:5000>
|
||||
<VirtualHost *:5000>
|
||||
|
||||
...
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
||||
.. NOTE::
|
||||
If you are also using SSO via the API, don't forget to make the Location
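Review bot: the lead-in lines `If `mod_shib` is used`, `If `mod_auth_openidc` is used`, `If `mod_auth_kerb` is used` and `If `mod_auth_mellon` is used` wrap the module names in single backticks, which RST renders as interpreted text rather than a literal; since this change is about markup nits and re-indents every one of these blocks, switch them to double backticks (``mod_shib``) as the guide does for other literals such as ``keystone.conf``. The `none` to `apache` code-block change is correct for these vhost snippets.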
|
||||
|
@ -155,17 +155,17 @@ It is recommended that this option be set on a per-protocol basis.
|
|||
|
||||
.. code-block:: ini
|
||||
|
||||
[saml2]
|
||||
remote_id_attribute = Shib-Identity-Provider
|
||||
[openid]
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
[saml2]
|
||||
remote_id_attribute = Shib-Identity-Provider
|
||||
[openid]
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
|
||||
Alternatively, a generic option may be set at the `[federation]` level.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[federation]
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
[federation]
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
|
||||
4. Copy the `sso_callback_template.html
|
||||
<https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
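Review bot: the generic `[federation] remote_id_attribute = HTTP_OIDC_ISS` example sits right after the per-protocol `[saml2]` and `[openid]` examples, but nothing in either block says which value wins when both are set, and an OIDC issuer header as the federation-wide default is not what a `[saml2]` deployment fed by `Shib-Identity-Provider` wants; add one sentence stating the precedence (or that the generic form is meant for single-protocol deployments) so readers do not copy both blocks verbatim.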
|
||||
|
@ -188,7 +188,7 @@ this will provide users with an updated login screen for horizon.
|
|||
|
||||
.. code-block:: python
|
||||
|
||||
WEBSSO_ENABLED = True
|
||||
WEBSSO_ENABLED = True
|
||||
|
||||
2. (Optional) Create a list of authentication methods with the
|
||||
`WEBSSO_CHOICES` option.
|
||||
|
@ -202,13 +202,13 @@ identity backend.
|
|||
|
||||
.. code-block:: python
|
||||
|
||||
WEBSSO_CHOICES = (
|
||||
("credentials", _("Keystone Credentials")),
|
||||
("openid", _("OpenID Connect")),
|
||||
("saml2", _("Security Assertion Markup Language")),
|
||||
("myidp_openid", "Acme Corporation - OpenID Connect"),
|
||||
("myidp_saml2", "Acme Corporation - SAML2")
|
||||
)
|
||||
WEBSSO_CHOICES = (
|
||||
("credentials", _("Keystone Credentials")),
|
||||
("openid", _("OpenID Connect")),
|
||||
("saml2", _("Security Assertion Markup Language")),
|
||||
("myidp_openid", "Acme Corporation - OpenID Connect"),
|
||||
("myidp_saml2", "Acme Corporation - SAML2")
|
||||
)
|
||||
|
||||
3. (Optional) Create a dictionary of specific identity provider and federation
|
||||
protocol combinations.
|
||||
|
@ -222,10 +222,10 @@ protocol endpoint.
|
|||
|
||||
.. code-block:: python
|
||||
|
||||
WEBSSO_IDP_MAPPING = {
|
||||
"myidp_openid": ("myidp", "openid"),
|
||||
"myidp_saml2": ("myidp", "saml2")
|
||||
}
|
||||
WEBSSO_IDP_MAPPING = {
|
||||
"myidp_openid": ("myidp", "openid"),
|
||||
"myidp_saml2": ("myidp", "saml2")
|
||||
}
|
||||
|
||||
.. NOTE::
|
||||
|
||||
|
@ -240,10 +240,10 @@ automatically set that choice to be highlighted by default.
|
|||
|
||||
.. code-block:: python
|
||||
|
||||
WEBSSO_INITIAL_CHOICE = "credentials"
|
||||
WEBSSO_INITIAL_CHOICE = "credentials"
|
||||
|
||||
7. Restart your web server:
|
||||
|
||||
.. code-block:: bash
|
||||
.. code-block:: console
|
||||
|
||||
$ sudo service apache2 restart
|
||||
# service apache2 restart
|