Fix nits in code blocks in federation guide

Fix inconsistent indentation of code-blocks, ensure shell samples
correctly differentiate between root-required commands and non-root
commands in accordance with the openstack-manuals recommendations[1],
and use proper markup for interactive shell examples.

[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst

Partial-bug: #1793374

Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
Colleen Murphy 2018-12-21 11:16:49 -08:00
parent 40e0f5d976
commit 9bc2b8875d
6 changed files with 870 additions and 868 deletions


@ -100,10 +100,10 @@ Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
Names should be equal to protocol names added via Identity API v3. Here we use
examples ``saml2`` and ``openid``.
.. code-block:: bash
.. code-block:: ini
[auth]
methods = external,password,token,saml2,openid
[auth]
methods = external,password,token,saml2,openid
Create keystone groups and assign roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -126,23 +126,23 @@ both of which are exposed to the CLI via `python-openstackclient
For example, create a new domain and project like this:
.. code-block:: bash
.. code-block:: console
$ openstack domain create federated_domain
$ openstack project create federated_project --domain federated_domain
$ openstack domain create federated_domain
$ openstack project create federated_project --domain federated_domain
And a new group like this:
.. code-block:: bash
.. code-block:: console
$ openstack group create federated_users
$ openstack group create federated_users
Add the group to the domain and project:
.. code-block:: bash
.. code-block:: console
$ openstack role add --group federated_users --domain federated_domain Member
$ openstack role add --group federated_users --project federated_project Member
$ openstack role add --group federated_users --domain federated_domain Member
$ openstack role add --group federated_users --project federated_project Member
We'll later add a mapping that makes all federated users a part of this group
and therefore members of the new domain.
@ -166,9 +166,9 @@ Identity Provider
Create an Identity Provider object in keystone, which represents the Identity
Provider we will use to authenticate end users:
.. code-block:: bash
.. code-block:: console
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
$ openstack identity provider create --remote-id https://myidp.example.com/v3/OS-FEDERATION/saml2/idp myidp
The value for the ``remote-id`` option is the unique identifier provided by the
IdP. For a SAML IdP it can found as the EntityDescriptor entityID in the IdP's
@ -224,70 +224,70 @@ Mapping objects can be used multiple times by different combinations of Identity
As a simple example, if keystone is your IdP, you can map a few known remote
users to the group you already created:
.. code-block:: bash
.. code-block:: console
$ cat > rules.json <<EOF
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"domain": {
"name": "Default"
},
"name": "federated_users"
}
}
],
"remote": [
{
"type": "openstack_user"
},
{
"type": "openstack_user",
"any_one_of": [
"demo",
"alt_demo"
]
}
]
}
]
EOF
$ openstack mapping create --rules rules.json myidp_mapping
$ cat > rules.json <<EOF
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"domain": {
"name": "Default"
},
"name": "federated_users"
}
}
],
"remote": [
{
"type": "openstack_user"
},
{
"type": "openstack_user",
"any_one_of": [
"demo",
"alt_demo"
]
}
]
}
]
EOF
$ openstack mapping create --rules rules.json myidp_mapping
As another example, if Shibboleth is your IdP, the remote section should use REMOTE_USER as the remote type:
.. code-block:: bash
.. code-block:: console
$ cat > rules.json <<EOF
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"domain": {
"name": "Default"
},
"name": "federated_users"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
}
]
}
]
EOF
$ openstack mapping create --rules rules.json myidp_mapping
$ cat > rules.json <<EOF
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"domain": {
"name": "Default"
},
"name": "federated_users"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
}
]
}
]
EOF
$ openstack mapping create --rules rules.json myidp_mapping
Read more about `mapping
<https://developer.openstack.org/api-ref/identity/v3-ext/#mappings>`__.
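Review bot: the two mapping examples in this hunk differ in a way the surrounding text does not call out. The keystone-as-IdP rule narrows who is mapped with `"any_one_of": ["demo", "alt_demo"]`, whereas the Shibboleth rule matches a bare `{"type": "REMOTE_USER"}` with no filter, so every user the IdP authenticates is placed in `federated_users`, the group that was given `Member` on `federated_domain` and `federated_project` earlier in the guide. Since both blocks are being reformatted here, a sentence after the Shibboleth example saying that the `remote` match should normally be restricted (for example with `any_one_of`, as in the first example) would save operators from copying an allow-everyone rule.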
@ -301,9 +301,9 @@ request made by an IdP. An IdP may have multiple supported protocols.
You can create a protocol like this:
.. code-block:: bash
.. code-block:: console
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
The name you give the protocol is not arbitrary. It must match the method name
you gave in the ``[auth]/methods`` config option. When authenticating it will be
@ -356,9 +356,9 @@ considered protected by ``mod_shib`` and Apache, as such a request made
to the URL would be redirected to the Identity Provider, to start the
SAML authentication procedure.
.. code-block:: bash
.. code-block:: console
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
$ curl -X GET -D - https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
Determine accessible resources
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -376,21 +376,21 @@ Read more about `listing resources
Example
~~~~~~~
.. code-block:: bash
.. code-block:: console
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation project list
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation project list
or
.. code-block:: bash
.. code-block:: console
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation domain list
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_URL=https://sp.keystone.example.org/v3
$ openstack federation domain list
Get a scoped token
~~~~~~~~~~~~~~~~~~
@ -406,15 +406,15 @@ Read more about `getting a scoped token
Example
~~~~~~~
.. code-block:: bash
.. code-block:: console
$ export OS_AUTH_TYPE=token
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
$ export OS_PROJECT_NAME=federated_project
$ openstack token issue
$ export OS_AUTH_TYPE=token
$ export OS_IDENTITY_API_VERSION=3
$ export OS_TOKEN=<unscoped token>
$ export OS_AUTH_URL=https://sp.keystone.example.org/v3
$ export OS_PROJECT_DOMAIN_NAME=federated_domain
$ export OS_PROJECT_NAME=federated_project
$ openstack token issue
--------------------------------------
Keystone as an Identity Provider (IdP)
@ -433,9 +433,9 @@ Keystone as an Identity Provider (IdP)
Example for apt:
.. code-block:: bash
.. code-block:: console
$ apt-get install xmlsec1
# apt-get install xmlsec1
.. note::
@ -457,9 +457,9 @@ example:
.. code-block:: ini
[saml]
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
[saml]
idp_entity_id=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=https://idp.keystone.example.org/v3/OS-FEDERATION/saml2/sso
``idp_entity_id`` is the unique identifier for the Identity Provider. It
usually takes the form of a URI but it does not have to resolve to anything.
@ -471,30 +471,30 @@ necessary:
.. code-block:: ini
certfile=/etc/keystone/ssl/certs/signing_cert.pem
keyfile=/etc/keystone/ssl/private/signing_key.pem
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
certfile=/etc/keystone/ssl/certs/signing_cert.pem
keyfile=/etc/keystone/ssl/private/signing_key.pem
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
Though not necessary, the follow Organization configuration options should
also be setup. It is recommended that these values be URL safe.
.. code-block:: ini
idp_organization_name=example_company
idp_organization_display_name=Example Corp.
idp_organization_url=example.com
idp_organization_name=example_company
idp_organization_display_name=Example Corp.
idp_organization_url=example.com
As with the Organization options, the Contact options, are not necessary, but
it's advisable to set these values too.
.. code-block:: ini
idp_contact_company=example_company
idp_contact_name=John
idp_contact_surname=Smith
idp_contact_email=jsmith@example.com
idp_contact_telephone=555-555-5555
idp_contact_type=technical
idp_contact_company=example_company
idp_contact_name=John
idp_contact_surname=Smith
idp_contact_email=jsmith@example.com
idp_contact_telephone=555-555-5555
idp_contact_type=technical
Generate Metadata
-----------------
@ -514,9 +514,9 @@ vhost::
To create metadata for your keystone IdP, run the ``keystone-manage`` command
and redirect the output to a file. For example:
.. code-block:: bash
.. code-block:: console
$ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
# keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
.. NOTE::
The file location should match the value of the configuration option
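Review bot: changing the prompt to `#` means `keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml` now creates the metadata file owned by root, and the NOTE that follows only says the path must match `idp_metadata_path`. Add that the file has to stay readable by the account the keystone service runs as (or run `keystone-manage` as that account), otherwise the IdP cannot serve its own metadata.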
@ -535,11 +535,11 @@ signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
described in `Get an unscoped token`_.
.. code-block:: bash
.. code-block:: console
$ openstack service provider create \
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
$ openstack service provider create \
--service-provider-url 'https://sp.keystone.example.org/Shibboleth.sso/SAML2/ECP' \
--auth-url https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
Testing it all out
------------------
@ -551,13 +551,13 @@ scoped token from the SP.
ECP stands for Enhanced Client or Proxy, an extension from the SAML2
protocol used in non-browser interfaces, like in the following example.
.. code-block:: bash
.. code-block:: console
$ openstack \
--os-service-provider mysp \
--os-remote-project-name federated_project \
--os-remote-project-domain-name federated_domain \
token issue
$ openstack \
--os-service-provider mysp \
--os-remote-project-name federated_project \
--os-remote-project-domain-name federated_domain \
token issue
.. include:: openidc.rst



@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
You'll also need to install the Apache module `mod_auth_mellon
<https://github.com/UNINETT/mod_auth_mellon>`_. For example:
.. code-block:: bash
.. code-block:: console
$ apt-get install libapache2-mod-auth-mellon
# apt-get install libapache2-mod-auth-mellon
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
@ -41,22 +41,22 @@ Add this *WSGIScriptAlias* directive to your public vhost configuration::
Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Mellon module and
a *<Location>* directive for each identity provider
.. code-block:: none
.. code-block:: apache
<Location /v3>
MellonEnable "info"
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
MellonIdP "IDP"
</Location>
<Location /v3>
MellonEnable "info"
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
MellonIdP "IDP"
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
AuthType "Mellon"
MellonEnable "auth"
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
AuthType "Mellon"
MellonEnable "auth"
</Location>
.. NOTE::
* See below for information about how to generate the values for the
@ -69,9 +69,9 @@ a *<Location>* directive for each identity provider
Enable the ``auth_mellon`` module, for example:
.. code-block:: bash
.. code-block:: console
$ a2enmod auth_mellon
# a2enmod auth_mellon
Configuring the Mellon SP Metadata
----------------------------------
@ -80,10 +80,10 @@ Mellon provides a script called `mellon_create_metadata.sh`_ which generates
the values for the config directives `MellonSPPrivateKeyFile`,
`MellonSPCertFile`, and `MellonSPMetadataFile`. It is run like this:
.. code-block:: bash
.. code-block:: console
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\
https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
The first parameter is used as the entity ID, a unique identifier for this
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
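Review bot: in `$ ./mellon_create_metadata.sh https://sp.keystone.example.org/mellon\` the backslash follows the URL with no space, so the two arguments are only separated by whatever indentation the continuation line happens to keep; a reader who types it on one line or strips the indentation gets a single concatenated argument. Put a space before the backslash (`.../mellon \`) as the `openstack service provider create \` example in the federation guide already does.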
@ -107,15 +107,15 @@ can upload the file, or you may be required to submit the file using `wget` or
Fetch your Identity Provider's Metadata file and copy it to the path specified
by the `MellonIdPMetadataFile` directive above. For example:
.. code-block:: bash
.. code-block:: console
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
https://myidp.example.com/idp/saml2/metadata
$ wget --cacert /path/to/ca.crt -O /etc/apache2/mellon/idp-metadata.xml \
https://myidp.example.com/idp/saml2/metadata
Once you are done, restart the Apache instance that is serving Keystone, for example:
.. code-block:: bash
.. code-block:: console
$ service apache2 restart
# service apache2 restart
.. _`mellon_create_metadata.sh`: https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh


@ -24,43 +24,43 @@ Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openi
To install `mod_auth_openidc` on Ubuntu, perform the following:
.. code-block:: bash
.. code-block:: console
$ sudo apt-get install libapache2-mod-auth-openidc
# apt-get install libapache2-mod-auth-openidc
This module is available for other distributions (Fedora/CentOS/Red Hat) from:
https://github.com/pingidentity/mod_auth_openidc/releases
Enable the auth_openidc module:
.. code-block:: bash
.. code-block:: console
$ sudo a2enmod auth_openidc
# a2enmod auth_openidc
In the keystone vhost file, locate the virtual host entry and add the following
entries for OpenID Connect:
.. code-block:: none
.. code-block:: apache
<VirtualHost *:5000>
<VirtualHost *:5000>
...
...
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/openid/auth
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
</VirtualHost>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
</VirtualHost>
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
If not using `OIDCProviderMetadataURL`, then the following attributes
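Review bot: since this block is being relabelled `apache` anyway, two sample values deserve the same treatment. `OIDCCryptoPassphrase openstack` is a literal secret that readers copy verbatim, while the other secrets in the block are placeholders (`<openid_client_id>`, `<openid_client_secret>`), so `<crypto_passphrase>` would be consistent. `LogLevel debug` inside the `<LocationMatch>` is a troubleshooting setting rather than part of a baseline vhost and is better moved to the Tips section below with a note that it should not stay enabled in production.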
@ -75,9 +75,9 @@ for more details
Once you are done, restart your Apache daemon:
.. code-block:: bash
.. code-block:: console
$ sudo service apache2 restart
# service apache2 restart
Tips
----


@ -28,9 +28,9 @@ Configure keystone under Apache, following the steps in the install guide for
You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
example:
.. code-block:: bash
.. code-block:: console
$ apt-get install libapache2-mod-shib2
# apt-get install libapache2-mod-shib2
Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
@ -39,23 +39,25 @@ Add this *WSGIScriptAliasMatch* directive to your public vhost configuration::
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
Make sure the keystone Apache virtual host configuration contains a *<Location>* directive for the
Shibboleth module and a *<Location>* directive for each identity provider::
Shibboleth module and a *<Location>* directive for each identity provider
<Location /Shibboleth.sso>
SetHandler shib
</Location>
.. code-block:: apache
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
.. NOTE::
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
@ -68,15 +70,15 @@ Shibboleth module and a *<Location>* directive for each identity provider::
Enable the ``shib2`` module, for example:
.. code-block:: bash
.. code-block:: console
$ a2enmod shib2
# a2enmod shib2
Restart Apache, for example:
.. code-block:: bash
.. code-block:: console
$ service apache2 restart
# service apache2 restart
Configuring shibboleth2.xml
---------------------------
@ -86,9 +88,9 @@ configure Shibboleth and upload your Metadata to the Identity Provider.
Create a new keypair for Shibboleth with:
.. code-block:: bash
.. code-block:: console
$ shib-keygen -y <number of years>
# shib-keygen -y <number of years>
The newly created key file will be stored under ``/etc/shibboleth/sp-key.pem``.
@ -101,20 +103,20 @@ file. You will want to change five settings:
.. code-block:: xml
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
* Set the IdP entity ID. This value is determined by the IdP. For example, if
Keystone is the IdP:
.. code-block:: xml
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
Example if samltest.id is the IdP:
.. code-block:: xml
<SSO entityID="https://samltest.id/saml/idp">
<SSO entityID="https://samltest.id/saml/idp">
* Remove the discoveryURL lines unless you want to enable advanced IdP discovery.
@ -123,13 +125,13 @@ Example if samltest.id is the IdP:
.. code-block:: xml
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
Example if samltest.id is the IdP:
.. code-block:: xml
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
<MetadataProvider type="XML" uri="https://samltest.id/saml/idp" />
You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
@ -138,143 +140,143 @@ to be used in a production environment):
.. code-block:: xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://sp.keystone.example.org/shibboleth">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
SAML2 SAML1
</SSO>
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://myidp.example.com/v3/OS-FEDERATION/saml2/idp">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<MetadataProvider type="XML" uri="https://myidp.example.com:5000/v3/OS-FEDERATION/saml2/metadata"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
</SPConfig>
If keystone is your IdP, you will need to examine your attributes map file
``/etc/shibboleth/attribute-map.xml`` and add the following attributes:
.. code-block:: xml
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
For more information see the
`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
Once you are done, restart your Shibboleth daemon and apache:
.. code-block:: bash
.. code-block:: console
$ service shibd restart
$ service apache2 restart
# service shibd restart
# service apache2 restart
Check ``/var/log/shibboleth/shibd_warn.log`` for any ERROR or CRIT notices and
correct them.
@ -282,9 +284,9 @@ correct them.
Upload your Service Provider's metadata file to your Identity Provider. You can
fetch it with:
.. code-block:: bash
.. code-block:: console
$ wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
# wget https://sp.keystone.example.org/Shibboleth.sso/Metadata
This step depends on your Identity Provider choice and is not covered here.
If keystone is your Identity Provider you do not need to upload this file.
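Review bot: the `#` prompt on the `wget` line now signals a root-required command, but fetching `https://sp.keystone.example.org/Shibboleth.sso/Metadata` needs no privileges (it only writes the file into the current directory), so under the conventions the commit message cites this one should stay `$`. Keeping it as a non-root command also avoids nudging operators into running a network download as root on the SP host.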


@ -27,9 +27,9 @@ prevent man-in-the-middle (MITM) attacks.
.. code-block:: ini
[federation]
trusted_dashboard = http://acme.horizon.com/auth/websso/
trusted_dashboard = http://beta.horizon.com/auth/websso/
[federation]
trusted_dashboard = http://acme.horizon.com/auth/websso/
trusted_dashboard = http://beta.horizon.com/auth/websso/
2. Update httpd vhost file with websso information.
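Review bot: the `trusted_dashboard` example values still use plain `http://` even though this hunk's context line is about preventing man-in-the-middle (MITM) attacks; this list is exactly the set of dashboard URLs that WebSSO is allowed to hand the federated token back to, so an `http://` example undercuts the point of the setting. Suggest `trusted_dashboard = https://acme.horizon.com/auth/websso/` and `trusted_dashboard = https://beta.horizon.com/auth/websso/`, with a sentence in the prose saying the scheme is part of what is trusted.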
@ -47,95 +47,95 @@ is configured in keystone.
If `mod_shib` is used, then use the following as an example:
.. code-block:: none
.. code-block:: apache
<VirtualHost *:5000>
<VirtualHost *:5000>
...
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType shibboleth
Require valid-user
</Location>
</VirtualHost>
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType shibboleth
Require valid-user
</Location>
</VirtualHost>
If `mod_auth_openidc` is used, then use the following as an example:
.. code-block:: none
.. code-block:: apache
<VirtualHost *:5000>
<VirtualHost *:5000>
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI https://sp.keystone.example.org/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
...
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
AuthType openid-connect
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
AuthType openid-connect
Require valid-user
...
</Location>
</VirtualHost>
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
AuthType openid-connect
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
AuthType openid-connect
Require valid-user
...
</Location>
</VirtualHost>
If `mod_auth_kerb` is used, then use the following as an example:
.. code-block:: none
.. code-block:: apache
<VirtualHost *:5000>
<VirtualHost *:5000>
...
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
AuthType Kerberos
AuthName "Acme Corporation"
KrbMethodNegotiate on
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
AuthType Kerberos
AuthName "Acme Corporation"
KrbMethodNegotiate on
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab
...
</Location>
</VirtualHost>
<Location ~ "/v3/auth/OS-FEDERATION/websso/kerberos">
AuthType Kerberos
AuthName "Acme Corporation"
KrbMethodNegotiate on
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/kerberos/websso">
AuthType Kerberos
AuthName "Acme Corporation"
KrbMethodNegotiate on
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/http.keytab
...
</Location>
</VirtualHost>
If `mod_auth_mellon` is used, then use the following as an example:
.. code-block:: none
.. code-block:: apache
<VirtualHost *:5000>
<VirtualHost *:5000>
...
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType Mellon
MellonEnable auth
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType Mellon
MellonEnable auth
Require valid-user
...
</Location>
</VirtualHost>
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType Mellon
MellonEnable auth
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType Mellon
MellonEnable auth
Require valid-user
...
</Location>
</VirtualHost>
.. NOTE::
If you are also using SSO via the API, don't forget to make the Location
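Review bot: in the `mod_auth_kerb` example both `<Location>` blocks set `AuthType Kerberos` but, unlike the `mod_shib`, `mod_auth_openidc` and `mod_auth_mellon` examples, show no `Require valid-user`; Apache only performs authentication for a location that carries a `Require` directive, so unless it is meant to be hidden under the `...` it should be spelled out, e.g. `Require valid-user` after `Krb5Keytab /etc/apache2/http.keytab`. Separately, in the `mod_shib` block `ShibRequireSession On` is the legacy spelling of `ShibRequestSetting requireSession 1` that precedes it, so one of the two can be dropped. Switching these blocks from `none` to `apache` highlighting is fine.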
@ -155,17 +155,17 @@ It is recommended that this option be set on a per-protocol basis.
.. code-block:: ini
[saml2]
remote_id_attribute = Shib-Identity-Provider
[openid]
remote_id_attribute = HTTP_OIDC_ISS
[saml2]
remote_id_attribute = Shib-Identity-Provider
[openid]
remote_id_attribute = HTTP_OIDC_ISS
Alternatively, a generic option may be set at the `[federation]` level.
.. code-block:: ini
[federation]
remote_id_attribute = HTTP_OIDC_ISS
[federation]
remote_id_attribute = HTTP_OIDC_ISS
4. Copy the `sso_callback_template.html
<https://git.openstack.org/cgit/openstack/keystone/plain/etc/sso_callback_template.html>`__
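Review bot: the hunk shows both per-protocol `remote_id_attribute` settings (`[saml2]`, `[openid]`) and a generic `[federation]` fallback, but nothing states what happens when both are present; since this attribute is what keystone reads to decide which Identity Provider an assertion came from, the prose before the `[federation]` example should say that a protocol section's value takes precedence and that the generic `HTTP_OIDC_ISS` value shown would be wrong for `saml2` if no `[saml2]` section existed. The ini blocks themselves are correct as re-indented.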
@ -188,7 +188,7 @@ this will provide users with an updated login screen for horizon.
.. code-block:: python
WEBSSO_ENABLED = True
WEBSSO_ENABLED = True
2. (Optional) Create a list of authentication methods with the
`WEBSSO_CHOICES` option.
@ -202,13 +202,13 @@ identity backend.
.. code-block:: python
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("openid", _("OpenID Connect")),
("saml2", _("Security Assertion Markup Language")),
("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_saml2", "Acme Corporation - SAML2")
)
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("openid", _("OpenID Connect")),
("saml2", _("Security Assertion Markup Language")),
("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_saml2", "Acme Corporation - SAML2")
)
3. (Optional) Create a dictionary of specific identity provider and federation
protocol combinations.
@ -222,10 +222,10 @@ protocol endpoint.
.. code-block:: python
WEBSSO_IDP_MAPPING = {
"myidp_openid": ("myidp", "openid"),
"myidp_saml2": ("myidp", "saml2")
}
WEBSSO_IDP_MAPPING = {
"myidp_openid": ("myidp", "openid"),
"myidp_saml2": ("myidp", "saml2")
}
.. NOTE::
@ -240,10 +240,10 @@ automatically set that choice to be highlighted by default.
.. code-block:: python
WEBSSO_INITIAL_CHOICE = "credentials"
WEBSSO_INITIAL_CHOICE = "credentials"
7. Restart your web server:
.. code-block:: bash
.. code-block:: console
$ sudo service apache2 restart
# service apache2 restart