When a federated user authenticates, they are added to their
mapped groups during shadowing.
Closes-Bug: 1809116
Change-Id: I19dc400b2a7aa46709b242cdeef82beaca975ff3
This is to fix the duplicated words issue like
"one for each each user_id in the provided group_id".
Change-Id: Iacb8e713253288d203834355f1de12482c2c029e
Our tools noticed that keystone links to
https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html
which does not exist anymore.
The page was removed but the link to it was not changed. Replace this
and similar links with internal links that will work even if files are
moved - and can be verified, thus sphinx will error in case of broken
targets.
These changes include a few other fixes for broken keystone links, e.g.
to renamed anchors.
For the include files in admin/configuration.rst and
admin/federation/configure_federation.rst: Rename them to *inc.
The files were published twice (as separate files and on this page)
and thus referencing failed. Renaming avoids this.
Also, put doctree outside of html tree so that it does not get
published.
Change-Id: I3d07637b0046cc88a66bcb51a0a4fe7c146c1549
The api documentation is now published on docs.openstack.org instead
of developer.openstack.org. Update all links that are changed to the
new location.
This does not update relationship URIs since "these links do not resolve to
anything valid, but exist to show a relationship."
Note that redirects will be set up as well but let's point now to the
new location.
For details, see:
http://lists.openstack.org/pipermail/openstack-discuss/2019-July/007828.html
Change-Id: I6efdf375bc8e1e5ca2b113337002d6178180a1e1
Update, reorganize and clean up the openidc guide. Use Google as a
concrete IdP example. Use the systemctl command to modernize the service
management commands. Add examples of configuring all required endpoints
in Apache to mirror the new section on configuring protected endpoints
in the main guide and replace the lost examples from the consolidated
WebSSO guide. Remove use of ``a2enmod`` since the Mellon module is
automatically enabled by the package on all supported distros.
Closes-bug: #1793374
Change-Id: Ie5dc4899beff77f121cc62bc8d56763c7671ecc3
Update, reorganize and clean up the mellon guide. Use the systemctl
command to modernize the service management commands. Add examples of
configuring all required endpoints in Apache to mirror the new section
on configuring protected endpoints in the main guide and replace the
lost examples from the consolidated WebSSO guide. Remove use of
``a2enmod`` since the Mellon module is automatically enabled by the
package on all supported distros.
Partial-bug: #1793374
Change-Id: If17d8e73688775b8aeae88f5d0907273bc8de193
Update, reorganize and clean up the shibboleth guide. Remove the full
example of shibboleth2.xml, it does not add anything useful and just
creates clutter. Use the systemctl command to modernize the service
management commands. Add examples of configuring all required endpoints
in Apache to mirror the new section on configuring protected endpoints
in the main guide and replace the lost examples from the consolidated
WebSSO guide. Add a section on configuring REMOTE_USER and
attributes-map.xml. Remove use of ``a2enmod`` since the Shibboleth
module is automatically enabled by the package on all supported distros.
Partial-bug: #1793374
Change-Id: I0eed3420aa49fdc75349a467e91f8e7f22b075e9
The WebSSO documentation does not have a good flow with the rest of the
federation guide. It includes instructions about the remote_id_attribute
which is not WebSSO specific, as well as instructions for configuring
Apache which is partly redundant with the SP-specific instructions. This
change consolidates the guide into the main guide so that it makes sense
with the rest of the document.
Partial-bug: #1793374
Change-Id: I0c8fa537a950090f85b3cb4a4aac6c896f02db89
Without this change, the federation guide does not do a good job of
explaining which URL paths should be protected by a federation-capable
auth module and why. Instead, the SP-specific guides give code samples
with no context, which makes it confusing to understand how to modify
the paths in the examples to fit one's own deployment. This change adds
that introduction.
Partial-bug: #1793374
Change-Id: I5cf940e0c54e5dd89cd3db810f8b5889a8ddce2e
The federation guide on configuring keystone as a Service Provider is
disjointed and hard to follow. This patch reorganizes it as follows to
improve the flow by first moving the instructions on creating an IdP,
mapping, and protocol in keystone to the beginning, since all other
steps in this guide depend on understanding what these objects are and
deciding on a name for them, and second by consolidating instructions on
creating role assignments into the section on mappings, since these two
concepts are informed by one another and splitting them apart makes
it difficult to mentally connect them. It also cleans up and clarifies
some of the wording and pares down unnecessary tangents.
Partial-bug: #1793374
Change-Id: Ib09f127f47a0897cc1be03428bfae70f3f18e174
Clean up the wording and add clarifications and examples to the guide on
configuring keystone as an IdP.
Partial-bug: #1793374
Change-Id: I5feee2da6b8b8f15e1de2e2f1ba493f31babb35f
Modernize the examples on using the CLI to authenticate with an external
IdP or keystone IdP, add tips on how to get needed information, and add
examples on authenticating with horizon.
Partial-bug: #1793374
Change-Id: Ieec899a1551be69da232196c59b9aeed0e85f5f5
Make the keystone-to-keystone section mirror the keystone-as-sp section
by adding a prerequisites section that identifies some useful background
information, and clean up some outdated information.
Partial-bug: #1793374
Change-Id: I39235a394d6bc59aad84e6f6a779d39036199302
Remove outdated information, update version information and expand on
preliminary information that will be needed throughout the rest of the
guide.
Partial-bug: #1793374
Change-Id: I0e5c4ccde4c88bec3fa78114e1ede9545ed98678
The federation documentation inconsistently references samltest.id
(formerly testshib.org, which is not well maintained) or a keystone IdP
(before keystone-to-keystone is introduced). This change switches the
examples to use samltest.id[1] and renames 'myidp' to 'samltest' where
appropriate. In the case of the WebSSO horizon configuration examples,
it's not appropriate to switch the openid examples to samltest because
samltest.id does not support OpenIDC. The examples are meant to show
that you can pair different protocols to a single IdP, so use 'acme' as
the example.
[1] https://samltest.id
Partial-bug: #1793374
Change-Id: I2633ba460182ed8ed5195a10cdaae663add8b1aa
Fix inconsistent indentation of code-blocks, ensure shell samples
correctly differentiate between root-required commands and non-root
commands in accordance with the openstack-manuals recommendations[1],
and use proper markup for interactive shell examples.
[1] http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/common/conventions.rst
Partial-bug: #1793374
Change-Id: Ia9e5280d131e1aa50af41aff6155eb07954b7d15
The documentation style guide recommends using example URLs for
OpenStack services that look like
`http://<service>.openstack.example.org`. This patch changes the URLs
for hypothetical keystone Service Providers to use HTTPS endpoints to
set a good example of security, to use the example.org domain instead of
localhost or example.com, to include keystone in the name for clarity of
what the service is, and to use a consistent URL path and port. It
doesn't include 'openstack' in the domain name because that becomes a
bit long.
[1] https://docs.openstack.org/doc-contrib-guide/writing-style/urls.html
Partial-bug: #1793374
Change-Id: I8e12edaa589be3c8e71b10d0609c057fd2bfb247
Having everything on a single page is nice for ctrl-F-ability but it
makes the flow very confusing. This change breaks the guide into three
logical parts: the introduction, the configuration steps, and the
advanced mapping rules guide. Keeping all the configuration steps within
one page means it can still be searched easily, but removing the prose
of the introduction and breaking out the deep-dive mapping rules guide
reduces clutter and enhances readability.
Partial-bug: #1793374
Change-Id: Id2fd59d62a2675691d545e4cd0404558f00cf481
Add an introduction to the federation documentation discussing
background information on identity federation and how it is implemented
in keystone.
This repurposes some of the content in this blog post[1] of which I am
the author.
[1] http://www.gazlene.net/demystifying-keystone-federation.html
Partial-bug: #1793374
Change-Id: I5f3a5e70c7b868762880930ea6277691f44c046a