Partially clarify federation auth plugins

Federation protocols in keystone are very confusing due to the way they
have evolved since the original service provider implementation where
the auth plugin was defined in saml2.py. We renamed saml2.py to
mapped.py[1] and now we can effectively support any federation protocol
as long as there is some kind of Apache module that can understand it
and pass certain IdP and user attributes through to keystone. So we
started recommending not using the 'saml2' auth plugin and instead using
the 'mapped' plugin, eventually removing the the notice when we removed
the plugin[2]. Since the name of the federation protocol resource
created in keystone must match one of the [auth]/methods, we also
changed the documentation to start creating the 'mapped' protocol and
use 'mapped' in the Apache settings[3]. This was really the wrong
course. 'mapped' is not a protocol. Using only 'mapped' prevents us from
defining multiple remote_id_attributes for different protocols.

This patch changes references to the 'mapped' protocol and 'mapped'
plugin back to 'saml2' (we never changed the openid ones). While the
saml2 plugin does not itself exist, it is defined as an entrypoint to
the mapped plugin, so it all works out. This doesn't solve the problem
for if we want to define different remote_id_attributes for different
SAML2.0 implementations, but there is a workaround for that[4]. Using
'saml2' as the protocol name is just much more intuitive than 'mapped'.

[1] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
[2] https://review.openstack.org/#/c/397456/
[3] https://review.openstack.org/#/c/371210/
[4] https://bugs.launchpad.net/keystone/+bug/1724645/comments/1

Change-Id: I23fc3f1f651c12c4e3c1987dc71008e6e97b4ed8
Related-bug: #1724645
This commit is contained in:
Colleen Murphy 2017-10-21 20:38:34 +02:00 committed by Colleen Murphy
parent 2f4540fb23
commit cbdc84ac7f
5 changed files with 24 additions and 22 deletions

View File

@ -79,12 +79,14 @@ Configuring federation in keystone
.. code-block:: ini
[auth]
methods = external,password,token,mapped,openid
methods = external,password,token,saml2,openid
.. note::
``mapped`` and ``openid`` are the federation specific drivers.
The other names in the example are not related to federation.
``saml2`` and ``openid`` are instances of the ``mapped`` plugin. These
must match the name of the of the federation protocol created via the
Identity API. The other names in the example are not related to
federation.
#. Create local keystone groups and assign roles.

View File

@ -96,12 +96,12 @@ Configure authentication drivers in keystone.conf
Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
Names should be equal to protocol names added via Identity API v3. Here we use
examples ``mapped`` and ``openid``.
examples ``saml2`` and ``openid``.
.. code-block:: bash
[auth]
methods = external,password,token,mapped,openid
methods = external,password,token,saml2,openid
Create keystone groups and assign roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -301,7 +301,7 @@ You can create a protocol like this:
.. code-block:: bash
$ openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
$ openstack federation protocol create saml2 --mapping myidp_mapping --identity-provider myidp
The name you give the protocol is not arbitrary. It must match the method name
you gave in the ``[auth]/methods`` config option. When authenticating it will be
@ -518,7 +518,7 @@ Create a Service Provider (SP)
In this example we are creating a new Service Provider with an ID of ``mysp``,
a ``sp_url`` of ``http://mysp.example.com/Shibboleth.sso/SAML2/ECP`` and a
``auth_url`` of ``http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth``
``auth_url`` of ``http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth``
. The ``sp_url`` will be used when creating a SAML assertion for ``mysp`` and
signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
token for ``mysp`` once the SAML assertion is sent. The auth_url has the format
@ -526,7 +526,7 @@ described in `Get an unscoped token`_.
.. code-block:: bash
$ openstack service provider create --service-provider-url 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP' --auth-url http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth mysp
$ openstack service provider create --service-provider-url 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP' --auth-url http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth mysp
Testing it all out
------------------

View File

@ -48,11 +48,11 @@ a *<Location>* directive for each identity provider
MellonSPCertFile /etc/apache2/mellon/http_keystone.fqdn.cert
MellonSPMetadataFile /etc/apache2/mellon/http_keystone.fqdn.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
MellonIdP "IDP"
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
AuthType "Mellon"
MellonEnable "auth"
</Location>
@ -60,7 +60,7 @@ a *<Location>* directive for each identity provider
.. NOTE::
* See below for information about how to generate the values for the
`MellonSPMetadataFile`, etc. directives.
* ``mapped`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
* ``myidp`` is the name associated with the `IdP in Keystone <configure_federation.html#identity_provider>`_
* You are advised to carefully examine `mod_auth_mellon Apache
configuration documentation
@ -83,7 +83,7 @@ the values for the config directives `MellonSPPrivateKeyFile`,
.. code-block:: bash
$ ./mellon_create_metadata.sh http://keystone.fqdn:5000 \
http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon
http://keystone.fqdn:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth/mellon
The first parameter is used as the entity ID, a unique identifier for this
Keystone SP. You do not have to use the URL, but it is an easy way to uniquely

View File

@ -44,7 +44,7 @@ a *<Location>* directive for each identity provider::
SetHandler shib
</Location>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth>
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
@ -57,7 +57,7 @@ a *<Location>* directive for each identity provider::
</Location>
.. NOTE::
* ``mapped`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
* ``saml2`` is the name of the `protocol that you will configure <configure_federation.html#protocol>`_
* ``myidp`` is the name associated with the `IdP in Keystone <configure_federation.html#identity_provider>`_
* The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in
Apache 2.4+.

View File

@ -55,14 +55,14 @@ If `mod_shib` is used, then use the following as an example:
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType shibboleth
Require valid-user
</Location>
@ -125,13 +125,13 @@ If `mod_auth_mellon` is used, then use the following as an example:
...
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
AuthType Mellon
MellonEnable auth
Require valid-user
...
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/saml2/websso">
AuthType Mellon
MellonEnable auth
Require valid-user
@ -157,7 +157,7 @@ It is recommended that this option be set on a per-protocol basis.
.. code-block:: ini
[mapped]
[saml2]
remote_id_attribute = Shib-Identity-Provider
[openid]
remote_id_attribute = HTTP_OIDC_ISS
@ -208,9 +208,9 @@ identity backend.
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("openid", _("OpenID Connect")),
("mapped", _("Security Assertion Markup Language")),
("saml2", _("Security Assertion Markup Language")),
("myidp_openid", "Acme Corporation - OpenID Connect"),
("myidp_mapped", "Acme Corporation - SAML2")
("myidp_saml2", "Acme Corporation - SAML2")
)
3. (Optional) Create a dictionary of specific identity provider and federation
@ -227,7 +227,7 @@ protocol endpoint.
WEBSSO_IDP_MAPPING = {
"myidp_openid": ("myidp", "openid"),
"myidp_mapped": ("myidp", "mapped")
"myidp_saml2": ("myidp", "saml2")
}
.. NOTE::