Partially clarify federation auth plugins
Federation protocols in keystone are very confusing due to the way they have evolved since the original service provider implementation where the auth plugin was defined in saml2.py. We renamed saml2.py to mapped.py[1] and now we can effectively support any federation protocol as long as there is some kind of Apache module that can understand it and pass certain IdP and user attributes through to keystone. So we started recommending not using the 'saml2' auth plugin and instead using the 'mapped' plugin, eventually removing the notice when we removed the plugin[2]. Since the name of the federation protocol resource created in keystone must match one of the [auth]/methods, we also changed the documentation to start creating the 'mapped' protocol and use 'mapped' in the Apache settings[3]. This was really the wrong course. 'mapped' is not a protocol. Using only 'mapped' prevents us from defining multiple remote_id_attributes for different protocols.

This patch changes references to the 'mapped' protocol and 'mapped' plugin back to 'saml2' (we never changed the openid ones). While the saml2 plugin does not itself exist, it is defined as an entrypoint to the mapped plugin, so it all works out. This doesn't solve the problem for if we want to define different remote_id_attributes for different SAML2.0 implementations, but there is a workaround for that[4]. Using 'saml2' as the protocol name is just much more intuitive than 'mapped'.

[1] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
[2] https://review.openstack.org/#/c/397456/
[3] https://review.openstack.org/#/c/371210/
[4] https://bugs.launchpad.net/keystone/+bug/1724645/comments/1

Change-Id: I23fc3f1f651c12c4e3c1987dc71008e6e97b4ed8
Related-bug: #1724645
This commit is contained in:
parent
2f4540fb23
commit
cbdc84ac7f
|
@ -79,12 +79,14 @@ Configuring federation in keystone
|
|||
.. code-block:: ini
|
||||
|
||||
[auth]
|
||||
methods = external,password,token,mapped,openid
|
||||
methods = external,password,token,saml2,openid
|
||||
|
||||
.. note::
|
||||
|
||||
``mapped`` and ``openid`` are the federation specific drivers.
|
||||
The other names in the example are not related to federation.
|
||||
``saml2`` and ``openid`` are instances of the ``mapped`` plugin. These
|
||||
must match the name of the of the federation protocol created via the
|
||||
Identity API. The other names in the example are not related to
|
||||
federation.
|
||||
|
||||
#. Create local keystone groups and assign roles.
|
||||
|
||||
|
|
|
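Review bot: the added ``.. note::`` text has a doubled phrase, "must match the name of the of the federation protocol"; it should read "must match the name of the federation protocol created via the Identity API". The rest of the rewording is right: stating that ``saml2`` and ``openid`` are instances of the ``mapped`` plugin and that each method name must equal the protocol name is exactly the relationship the commit message describes.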
@ -96,12 +96,12 @@ Configure authentication drivers in keystone.conf
|
|||
|
||||
Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
|
||||
Names should be equal to protocol names added via Identity API v3. Here we use
|
||||
examples ``mapped`` and ``openid``.
|
||||
examples ``saml2`` and ``openid``.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
[auth]
|
||||
methods = external,password,token,mapped,openid
|
||||
methods = external,password,token,saml2,openid
|
||||
|
||||
Create keystone groups and assign roles
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
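Review bot: the ``.. code-block:: bash`` directive in this section wraps an INI fragment (``[auth]`` / ``methods = ...``), while the equivalent block earlier on the page is tagged ``ini``. Since the ``methods`` line is being rewritten anyway, changing the directive to ``.. code-block:: ini`` here would keep highlighting consistent between the two sections.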
@ -301,7 +301,7 @@ You can create a protocol like this:
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
|
||||
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
|
||||
|
||||
The name you give the protocol is not arbitrary. It must match the method name
|
||||
you gave in the ``[auth]/methods`` config option. When authenticating it will be
|
||||
|
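Review bot: the prose after the command ("The name you give the protocol is not arbitrary. It must match the method name you gave in the ``[auth]/methods`` config option") now leaves operators who followed the earlier version of this guide, and therefore already have a protocol named ``mapped``, without guidance. A short sentence saying that an existing ``mapped`` protocol keeps working as long as ``mapped`` stays in ``methods``, or that it can be recreated as ``saml2`` to match the new examples, would prevent a mismatch between the protocol resource and the config.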
@ -518,7 +518,7 @@ Create a Service Provider (SP)
|
|||
|
||||
In this example we are creating a new Service Provider with an ID of ``mysp``,
|
||||
a ``sp_url`` of ``http://mysp.example.com/Shibboleth.sso/SAML2/ECP`` and a
|
||||
``auth_url`` of ``http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth``
|
||||
``auth_url`` of ``http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth``
|
||||
. The ``sp_url`` will be used when creating a SAML assertion for ``mysp`` and
|
||||
signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
|
||||
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
|
||||
|
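Review bot: the rewritten ``auth_url`` line ends in the inline literal and the following line starts with ". The ``sp_url`` ...", so the sentence renders with a space before the period ("...saml2/auth`` ."). Since this line is already being changed, attach the period to the literal (end the line with ``/auth``.) and start the next line with "The ``sp_url`` will be used ...".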
@ -526,7 +526,7 @@ described in `Get an unscoped token`_.
|
|||
|
||||
.. code-block:: bash
|
||||
|
||||
$ openstack service provider create --service-provider-url 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP' --auth-url http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth mysp
|
||||
$ openstack service provider create --service-provider-url 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP' --auth-url http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
|
||||
|
||||
Testing it all out
|
||||
------------------
|
||||
|
|
|
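Review bot: ``--service-provider-url`` is quoted while ``--auth-url`` is not; quoting both the same way avoids readers wondering whether the difference is meaningful. Separately, both example endpoints are plain ``http://``, and the surrounding text says the SAML assertion is sent to ``sp_url`` and the token is retrieved via ``auth_url``; showing ``https://`` in the example, or stating that TLS is expected in a real deployment, would keep the documented setup from modelling an unprotected exchange.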
@ -48,11 +48,11 @@ a *<Location>* directive for each identity provider
|
|||
MellonSPCertFile /etc/apache2/mellon/http_keystone.fqdn.cert
|
||||
MellonSPMetadataFile /etc/apache2/mellon/http_keystone.fqdn.xml
|
||||
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
|
||||
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
|
||||
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
MellonIdP "IDP"
|
||||
</Location>
|
||||
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth>
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
AuthType "Mellon"
|
||||
MellonEnable "auth"
|
||||
</Location>
|
||||
|
@ -60,7 +60,7 @@ a *<Location>* directive for each identity provider
|
|||
.. NOTE::
|
||||
* See below for information about how to generate the values for the
|
||||
`MellonSPMetadataFile`, etc. directives.
|
||||
* ``mapped`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||
* ``myidp`` is the name associated with the `IdP in Keystone <configure_federation.html#identity_provider>`_
|
||||
* You are advised to carefully examine `mod_auth_mellon Apache
|
||||
configuration documentation
|
||||
|
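Review bot: the bullet now says ``saml2`` is the name of the protocol you will configure, but the same string also appears in ``MellonEndpointPath`` and in the ``<Location>`` path in the hunk above, and it has to equal the entry in ``[auth]/methods`` in ``keystone.conf``. Saying explicitly that all of these must use the identical value would save operators from a mismatch that only surfaces as a failed authentication.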
@ -83,7 +83,7 @@ the values for the config directives `MellonSPPrivateKeyFile`,
|
|||
.. code-block:: bash
|
||||
|
||||
$ ./mellon_create_metadata.sh http://keystone.fqdn:5000 \
|
||||
http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
|
||||
http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
|
||||
|
||||
The first parameter is used as the entity ID, a unique identifier for this
|
||||
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely
|
||||
|
|
|
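Review bot: the second argument to ``mellon_create_metadata.sh`` is the endpoint URL and must match ``MellonEndpointPath`` from the ``<Location>`` block earlier on the page (both are now ``/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon``). A sentence noting that the generated SP metadata is bound to that exact path, so changing one without the other breaks the SP metadata, belongs right after this command.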
@ -44,7 +44,7 @@ a *<Location>* directive for each identity provider::
|
|||
SetHandler shib
|
||||
</Location>
|
||||
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth>
|
||||
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
|
@ -57,7 +57,7 @@ a *<Location>* directive for each identity provider::
|
|||
</Location>
|
||||
|
||||
.. NOTE::
|
||||
* ``mapped`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
|
||||
* ``myidp`` is the name associated with the `IdP in Keystone <configure_federation.html#identity_provider>`_
|
||||
* The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in
|
||||
Apache 2.4+.
|
||||
|
|
|
@ -55,14 +55,14 @@ If `mod_shib` is used, then use the following as an example:
|
|||
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion Off
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType shibboleth
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
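Review bot: the ``<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">`` block still carries ``ShibRequireSession On`` next to ``ShibRequestSetting requireSession 1``, while the note on the Shibboleth setup page in this same change states that ``ShibRequireSession`` is invalid in Apache 2.4+. Only the path changed in this hunk, but the legacy directive is inside the touched block; dropping it (or adding the same note here) would keep the two pages consistent.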
@ -125,13 +125,13 @@ If `mod_auth_mellon` is used, then use the following as an example:
|
|||
|
||||
...
|
||||
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
...
|
||||
</Location>
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
|
||||
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
|
||||
AuthType Mellon
|
||||
MellonEnable auth
|
||||
Require valid-user
|
||||
|
@ -157,7 +157,7 @@ It is recommended that this option be set on a per-protocol basis.
|
|||
|
||||
.. code-block:: ini
|
||||
|
||||
[mapped]
|
||||
[saml2]
|
||||
remote_id_attribute = Shib-Identity-Provider
|
||||
[openid]
|
||||
remote_id_attribute = HTTP_OIDC_ISS
|
||||
|
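Review bot: the rename from ``[mapped]`` to ``[saml2]`` is the change with real operational effect, because ``remote_id_attribute`` is read from the section named after the protocol, which is what the surrounding text ("set on a per-protocol basis") relies on. The text should say explicitly that the section name must equal the protocol name used in ``[auth]/methods`` and in the Apache ``<Location>`` paths, and that a deployment following the earlier version of this page, with the value under ``[mapped]``, needs to rename the section when it renames the protocol.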
@ -208,9 +208,9 @@ identity backend.
|
|||
WEBSSO_CHOICES = (
|
||||
("credentials", _("Keystone Credentials")),
|
||||
("openid", _("OpenID Connect")),
|
||||
("mapped", _("Security Assertion Markup Language")),
|
||||
("saml2", _("Security Assertion Markup Language")),
|
||||
("myidp_openid", "Acme Corporation - OpenID Connect"),
|
||||
("myidp_mapped", "Acme Corporation - SAML2")
|
||||
("myidp_saml2", "Acme Corporation - SAML2")
|
||||
)
|
||||
|
||||
3. (Optional) Create a dictionary of specific identity provider and federation
|
||||
|
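Review bot: the new ``("myidp_saml2", "Acme Corporation - SAML2")`` entry drops the trailing comma. It is valid Python as the last element, but keeping the comma matches the lines above and makes the next addition a one-line diff. The key must also equal the ``WEBSSO_IDP_MAPPING`` key in the following hunk, which it does.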
@ -227,7 +227,7 @@ protocol endpoint.
|
|||
|
||||
WEBSSO_IDP_MAPPING = {
|
||||
"myidp_openid": ("myidp", "openid"),
|
||||
"myidp_mapped": ("myidp", "mapped")
|
||||
"myidp_saml2": ("myidp", "saml2")
|
||||
}
|
||||
|
||||
.. NOTE::
|
||||
|
|