authorRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
committerRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
commit920a49cfa055733d575282973e23558c33087a4a (patch)
treed371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/doc/source/extensions
parentef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff)
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/doc/source/extensions')
-rw-r--r--keystone-moon/doc/source/extensions/endpoint_filter.rst44
-rw-r--r--keystone-moon/doc/source/extensions/endpoint_policy.rst35
-rw-r--r--keystone-moon/doc/source/extensions/federation.rst66
-rw-r--r--keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptxbin34159 -> 0 bytes
-rw-r--r--keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptxbin34626 -> 0 bytes
-rw-r--r--keystone-moon/doc/source/extensions/moon/moon.rst147
-rw-r--r--keystone-moon/doc/source/extensions/moon/moon_api.rst863
-rw-r--r--keystone-moon/doc/source/extensions/oauth1.rst49
-rw-r--r--keystone-moon/doc/source/extensions/openidc.rst93
-rw-r--r--keystone-moon/doc/source/extensions/revoke.rst45
-rw-r--r--keystone-moon/doc/source/extensions/shibboleth.rst279
11 files changed, 0 insertions, 1621 deletions
diff --git a/keystone-moon/doc/source/extensions/endpoint_filter.rst b/keystone-moon/doc/source/extensions/endpoint_filter.rst
deleted file mode 100644
index 4ab194b8..00000000
--- a/keystone-moon/doc/source/extensions/endpoint_filter.rst
+++ /dev/null
@@ -1,44 +0,0 @@
-..
- Copyright 2011-2013 OpenStack, Foundation
- All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-======================================
-Enabling the Endpoint Filter Extension
-======================================
-
-To enable the endpoint filter extension:
-
-1. Add the endpoint filter extension catalog driver to the ``[catalog]`` section
- in ``keystone.conf``. For example::
-
- [catalog]
- driver = catalog_sql
-
-2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
- ``keystone-paste.ini``. This must be added after ``json_body`` and before
- the last entry in the pipeline. For example::
-
- [pipeline:api_v3]
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension endpoint_filter_extension service_v3
-
-3. Create the endpoint filter extension tables if using the provided sql backend. For example::
-
- ./bin/keystone-manage db_sync --extension endpoint_filter
-
-4. Optionally, change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]`` section
- in ``keystone.conf`` to return an empty catalog if no associations are made. For example::
-
- [endpoint_filter]
- return_all_endpoints_if_no_filter = False
diff --git a/keystone-moon/doc/source/extensions/endpoint_policy.rst b/keystone-moon/doc/source/extensions/endpoint_policy.rst
deleted file mode 100644
index ad403d50..00000000
--- a/keystone-moon/doc/source/extensions/endpoint_policy.rst
+++ /dev/null
@@ -1,35 +0,0 @@
-..
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-======================================
-Enabling the Endpoint Policy Extension
-======================================
-
-To enable the endpoint policy extension:
-
-1. Optionally, add the endpoint policy extension driver to the
- ``[endpoint_policy]`` section in ``keystone.conf``. For example::
-
- [endpoint_policy]
- driver = sql
-
-2. Add the ``endpoint_policy_extension`` policy to the ``api_v3`` pipeline in
- ``keystone-paste.ini``. This must be added after ``json_body`` and before
- the last entry in the pipeline. For example::
-
- [pipeline:api_v3]
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3 endpoint_policy_extension service_v3
-
-3. Create the endpoint policy extension tables if using the provided SQL backend. For example::
-
- ./bin/keystone-manage db_sync --extension endpoint_policy
diff --git a/keystone-moon/doc/source/extensions/federation.rst b/keystone-moon/doc/source/extensions/federation.rst
deleted file mode 100644
index f1b5baa9..00000000
--- a/keystone-moon/doc/source/extensions/federation.rst
+++ /dev/null
@@ -1,66 +0,0 @@
-..
- Copyright 2014 OpenStack, Foundation
- All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-==================================
-Enabling the Federation Extension
-==================================
-
-To enable the federation extension:
-
-1. Add the federation extension driver to the ``[federation]`` section in
- ``keystone.conf``. For example::
-
- [federation]
- driver = keystone.contrib.federation.backends.sql.Federation
-
-2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]``
- section in ``keystone.conf``::
-
- [auth]
- methods = external,password,token,saml2,oidc
- saml2 = keystone.auth.plugins.mapped.Mapped
- oidc = keystone.auth.plugins.mapped.Mapped
-
-.. NOTE::
- The ``external`` method should be dropped to avoid any interference with
- some Apache + Shibboleth SP setups, where a ``REMOTE_USER`` env variable is
- always set, even as an empty value.
-
-3. Add the ``federation_extension`` middleware to the ``api_v3`` pipeline in
- ``keystone-paste.ini``. This must be added after ``json_body`` and before
- the last entry in the pipeline. For example::
-
- [pipeline:api_v3]
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
-
-4. Create the federation extension tables if using the provided SQL backend.
- For example::
-
- ./bin/keystone-manage db_sync --extension federation
-
-5. As of the Juno release, multiple Keystone deployments can now be federated.
- To do so, the `pysaml2 <https://pypi.python.org/pypi/pysaml2>`_ library is
- required. Since OS-FEDERATION is an extension, ``pysaml2`` is not installed
- by default, it must be installed manually. For example::
-
- pip install --upgrade $(grep pysaml2 test-requirements.txt)
-
- Also, the `xmlsec1` command line tool is needed to sign the SAML assertions
- generated by the Keystone Identity Provider:
-
- .. code-block:: bash
-
- $ apt-get install xmlsec1
diff --git a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx b/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx
deleted file mode 100644
index a512a98b..00000000
--- a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy-v0.2.pptx
+++ /dev/null
Binary files differ
diff --git a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx b/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx
deleted file mode 100644
index af18d231..00000000
--- a/keystone-moon/doc/source/extensions/moon/ExceptionHierarchy.pptx
+++ /dev/null
Binary files differ
diff --git a/keystone-moon/doc/source/extensions/moon/moon.rst b/keystone-moon/doc/source/extensions/moon/moon.rst
deleted file mode 100644
index f2b3b0bc..00000000
--- a/keystone-moon/doc/source/extensions/moon/moon.rst
+++ /dev/null
@@ -1,147 +0,0 @@
-..
- Copyright 2015 Orange
- All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-============
-Moon backend
-============
-
-Before doing anything, you must test your installation and check that your infrastructure is working.
-For example, check that you can create new virtual machines with admin and demo login.
-
-Configuration
--------------
-
-Moon is a contribute backend so you have to enable it by modifying /etc/keystone/keystone-paste.ini, like this:
-
-.. code-block:: ini
-
- [pipeline:moon_pipeline]
- pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service
-
- [app:moon_service]
- use = egg:keystone#moon_service
-
- ...
-
- [composite:main]
- use = egg:Paste#urlmap
- /moon = moon_pipeline
- /v2.0 = public_api
- /v3 = api_v3
- / = public_version_api
-
- [composite:admin]
- use = egg:Paste#urlmap
- /moon = moon_pipeline
- /v2.0 = admin_api
- /v3 = api_v3
- / = admin_version_api
-
- ...
-
-You must modify /etc/keystone/keystone.conf as you need (see at the end of the file) and copy the following directories:
-
-.. code-block:: sh
-
- cp -R /opt/stack/keystone/examples/moon/policies/ /etc/keystone/
- cp -R /opt/stack/keystone/examples/moon/super_extension/ /etc/keystone/
-
-You can now update the Keystone database and create the directory for logs and restart the Keystone service:
-
-.. code-block:: sh
-
- cd /opt/stack/keystone
- ./bin/keystone-manage db_sync --extension moon
- sudo mkdir /var/log/moon/
- sudo chown vagrant /var/log/moon/
- sudo service apache2 restart
-
-You have to install our version of keystonemiddleware https://github.com/rebirthmonkey/keystonemiddleware :
-
-.. code-block:: sh
-
- cd
- git clone https://github.com/rebirthmonkey/keystonemiddleware.git
- cd keystonemiddleware
- sudo python setup.py install
-
-At this time, the only method to configure Moon is to use the python-moonclient which is a console based client:
-
-.. code-block:: sh
-
- cd
- git clone https://github.com/rebirthmonkey/moonclient.git
- cd moonclient
- sudo python setup.py install
-
-If afterwards, you have some problem restarting nova-api, try removing the package python-six:
-
-.. code-block:: sh
-
- sudo apt-get remove python-six
-
-
-Nova must be configured to send request to Keystone, you have to modify /etc/nova/api-paste.ini :
-
-.. code-block:: ini
-
- ...
-
- [composite:openstack_compute_api_v2]
- use = call:nova.api.auth:pipeline_factory
- noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
- noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2
- keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon ratelimit osapi_compute_app_v2
- keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v2
-
- [composite:openstack_compute_api_v21]
- use = call:nova.api.auth:pipeline_factory_v21
- noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21
- noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
- keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v21
-
- [composite:openstack_compute_api_v3]
- use = call:nova.api.auth:pipeline_factory_v21
- noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
- noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
- keystone = request_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v3
-
- ...
-
- [filter:moon]
- paste.filter_factory = keystonemiddleware.authz:filter_factory
-
-If Swift is also installed, you have to configured it, in /etc/swift/proxy-server.conf :
-
-.. code-block:: ini
-
- ...
-
- [pipeline:main]
- pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit crossdomain authtoken keystoneauth tempauth formpost staticweb container-quotas account-quotas slo dlo proxy-logging moon proxy-server
-
- ...
-
- [filter:moon]
- paste.filter_factory = keystonemiddleware.authz:filter_factory
-
-Nova and Swift must be restarted after that, depending on your configuration, you will have to use 'screen' (if using devstack)
-or 'service' on those daemons : nova-api and swift-proxy
-
-Usage
------
-
-TODO \ No newline at end of file
diff --git a/keystone-moon/doc/source/extensions/moon/moon_api.rst b/keystone-moon/doc/source/extensions/moon/moon_api.rst
deleted file mode 100644
index 210093a1..00000000
--- a/keystone-moon/doc/source/extensions/moon/moon_api.rst
+++ /dev/null
@@ -1,863 +0,0 @@
-Moon API
-========
-
-Here are Moon API with some examples of posted data and returned data.
-
-All requests must be prefixed with the host and port, for example: http://localhost:35357/moon/authz/123456789/123456789/servers/list
-
-Authz
------
-
-**GET /moon/authz/{tenant_id}/{subject_k_id}/{object_name}/{action_name}**
- Authorization API.
-
-.. code-block:: json
-
- return = {
- "authz": "True or False"
- }
-
-
-Intra-Extension API
--------------------
-
-Configuration
-~~~~~~~~~~~~~
-
-**GET /moon/configuration/templates**
-
- List all policy templates.
-
-.. code-block:: json
-
- return = {
- "template_id": {
- "name": "name of the template",
- "description": "description of the template",
- }
- }
-
-
-**GET /moon/configuration/aggregation_algorithms**
-
- List all aggregation algorithms.
-
-.. code-block:: json
-
- return = {
- "algorithm_id": {
- "name": "name of the algorithm",
- "description": "description of the algorithm",
- }
- }
-
-
-**GET /moon/configuration/sub_meta_rule_algorithms**
-
- List all sub meta rule algorithms.
-
-.. code-block:: json
-
- return = {
- "algorithm_id": {
- "name": "name of the algorithm",
- "description": "description of the algorithm",
- }
- }
-
-
-Tenants
-~~~~~~~
-
-**GET /moon/tenants**
-
- List all tenants.
-
-.. code-block:: json
-
- return = {
- "tenant_id": {
- "name": "name of the tenant",
- "description": "description of the tenant",
- "intra_authz_extension_id": "id of the intra extension authz",
- "intra_admin_extension_id": "id of the intra extension authz"
- }
- }
-
-
-**POST /moon/tenants**
-
- Add a tenant.
-
-.. code-block:: json
-
- post = {
- "tenant_name": "name of the tenant",
- "tenant_description": "description of the tenant",
- "tenant_intra_authz_extension_id": "id of the intra extension authz",
- "tenant_intra_admin_extension_id": "id of the intra extension admin"
- }
- return = {
- "tenant_id": {
- "name": "name of the tenant",
- "description": "description of the tenant",
- "intra_authz_extension_id": "id of the intra extension authz",
- "intra_admin_extension_id": "id of the intra extension authz"
- }
- }
-
-
-**POST /moon/tenants/{tenant_id}**
-
- Show information of one tenant.
-
-.. code-block:: json
-
- return = {
- "tenant_id": {
- "name": "name of the tenant",
- "description": "description of the tenant",
- "intra_authz_extension_id": "id of the intra extension authz",
- "intra_admin_extension_id": "id of the intra extension authz"
- }
- }
-
-
-**POST /moon/tenants/{tenant_id}**
-
- Modify a tenant.
-
-.. code-block:: json
-
- post = {
- "tenant_name": "name of the tenant",
- "tenant_description": "description of the tenant",
- "tenant_intra_authz_extension_id": "id of the intra extension authz",
- "tenant_intra_admin_extension_id": "id of the intra extension admin"
- }
- return = {
- "tenant_id": {
- "name": "name of the tenant",
- "description": "description of the tenant",
- "intra_authz_extension_id": "id of the intra extension authz",
- "intra_admin_extension_id": "id of the intra extension authz"
- }
- }
-
-
-**DELETE /moon/tenants/{tenant_id}**
-
- Delete a tenant.
-
-.. code-block:: json
-
- return = {}
-
-
-Intra-Extension
-~~~~~~~~~~~~~~~
-
-**GET /moon/intra_extensions/init**
-
- Initialize the root Intra_Extension (if needed).
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions**
-
- List all Intra_Extensions.
-
-.. code-block:: json
-
- return = {
- "intra_extension_id": {
- "name": "name of the intra extension",
- "model": "model of the intra extension"
- }
- }
-
-
-**POST /moon/intra_extensions**
-
- Create a new Intra_Extension.
-
-.. code-block:: json
-
- post = {
- "intra_extension_name": "name of the intra extension",
- "intra_extension_model": "model of the intra extension (taken from /configuration/templates)",
- "intra_extension_description": "description of the intra extension",
-
- }
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/**
-
- Show details about one Intra_Extension.
-
-.. code-block:: json
-
- return = {
- "id": "intra_extension_id",
- "name": "name of the intra extension",
- "model": "model of the intra extension",
- "genre": "genre of the intra extension",
- "description": "model of the intra extension"
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/**
-
- Delete an Intra_Extension.
-
-.. code-block:: json
-
- return = {}
-
-
-Intra-Extension Subjects
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-**GET /moon/intra_extensions/{intra_extension_id}/subjects**
-
- List all subjects.
-
-.. code-block:: json
-
- return = {
- "subject_id": {
- "name": "name of the subject",
- "keystone_id": "keystone id of the subject"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/subjects**
-
- List all subjects.
-
-.. code-block:: json
-
- post = {
- "subject_name": "name of the subject",
- "subject_description": "description of the subject",
- "subject_password": "password for the subject",
- "subject_email": "email address of the subject"
- }
- return = {
- "subject_id": {
- "name": "name of the subject",
- "keystone_id": "keystone id of the subject"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/subjects/{subject_id}**
-
- Delete a subject.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/subject_categories**
-
- List all subject categories.
-
-.. code-block:: json
-
- return = {
- "subject_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/subject_categories**
-
- Add a new subject category.
-
-.. code-block:: json
-
- post = {
- "subject_category_name": "name of the category",
- "subject_category_description": "description of the category"
- }
- return = {
- "subject_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/subject_categories/{subject_category_id}**
-
- Delete a subject category.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}**
-
- List all subject scopes for a specific subject category.
-
-.. code-block:: json
-
- return = {
- "subject_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}**
-
- Add a new subject scope for a specific subject category.
-
-.. code-block:: json
-
- post = {
- "subject_scope_name": "name of the scope",
- "subject_scope_description": "description of the scope"
- }
- return = {
- "subject_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/subject_scopes/{subject_category_id}/{subject_scope_id}**
-
- Delete a subject scope.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/subject_assignments/{subject_id}/{subject_category_id}**
-
- List all subject assignments for a subject and for a subject category.
-
-.. code-block:: json
-
- return = [
- "subject_assignment_id1", "subject_assignment_id2"
- ]
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/subject_assignments**
-
- Add an assignment.
-
-.. code-block:: json
-
- post = {
- "subject_id": "id of the subject",
- "subject_category_id": "id of the category",
- "subject_scope_id": "id of the scope"
- }
- return = [
- "subject_assignment_id1", "subject_assignment_id2"
- ]
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/subject_assignments/{subject_id}/{subject_category_id}/{subject_scope_id}**
-
- Delete a subject assignment.
-
-.. code-block:: json
-
- return = {}
-
-
-Intra-Extension Objects
-~~~~~~~~~~~~~~~~~~~~~~~
-
-**GET /moon/intra_extensions/{intra_extension_id}/objects**
-
- List all objects.
-
-.. code-block:: json
-
- return = {
- "object_id": {
- "name": "name of the object",
- "keystone_id": "keystone id of the object"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/objects**
-
- List all objects.
-
-.. code-block:: json
-
- post = {
- "object_name": "name of the object",
- "object_description": "description of the object"
- }
- return = {
- "object_id": {
- "name": "name of the object",
- "keystone_id": "keystone id of the object"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/objects/{object_id}**
-
- Delete a object.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/object_categories**
-
- List all object categories.
-
-.. code-block:: json
-
- return = {
- "object_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/object_categories**
-
- Add a new object category.
-
-.. code-block:: json
-
- post = {
- "object_category_name": "name of the category",
- "object_category_description": "description of the category"
- }
- return = {
- "object_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/object_categories/{object_category_id}**
-
- Delete a object category.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}**
-
- List all object scopes for a specific object category.
-
-.. code-block:: json
-
- return = {
- "object_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}**
-
- Add a new object scope for a specific object category.
-
-.. code-block:: json
-
- post = {
- "object_scope_name": "name of the scope",
- "object_scope_description": "description of the scope"
- }
- return = {
- "object_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/object_scopes/{object_category_id}/{object_scope_id}**
-
- Delete a object scope.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/object_assignments/{object_id}/{object_category_id}**
-
- List all object assignments for a object and for a object category.
-
-.. code-block:: json
-
- return = [
- "object_assignment_id1", "object_assignment_id2"
- ]
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/object_assignments**
-
- Add an assignment.
-
-.. code-block:: json
-
- post = {
- "object_id": "id of the object",
- "object_category_id": "id of the category",
- "object_scope_id": "id of the scope"
- }
- return = [
- "object_assignment_id1", "object_assignment_id2"
- ]
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/object_assignments/{object_id}/{object_category_id}/{object_scope_id}**
-
- Delete a object assignment.
-
-.. code-block:: json
-
- return = {}
-
-
-Intra-Extension Actions
-~~~~~~~~~~~~~~~~~~~~~~~
-
-**GET /moon/intra_extensions/{intra_extension_id}/actions**
-
- List all actions.
-
-.. code-block:: json
-
- return = {
- "action_id": {
- "name": "name of the action",
- "keystone_id": "keystone id of the action"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/actions**
-
- List all actions.
-
-.. code-block:: json
-
- post = {
- "action_name": "name of the action",
- "action_description": "description of the action",
- "action_password": "password for the action",
- "action_email": "email address of the action"
- }
- return = {
- "action_id": {
- "name": "name of the action",
- "keystone_id": "keystone id of the action"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/actions/{action_id}**
-
- Delete a action.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/action_categories**
-
- List all action categories.
-
-.. code-block:: json
-
- return = {
- "action_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/action_categories**
-
- Add a new action category.
-
-.. code-block:: json
-
- post = {
- "action_category_name": "name of the category",
- "action_category_description": "description of the category"
- }
- return = {
- "action_category_id": {
- "name": "name of the category",
- "description": "description of the category"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/action_categories/{action_category_id}**
-
- Delete a action category.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}**
-
- List all action scopes for a specific action category.
-
-.. code-block:: json
-
- return = {
- "action_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}**
-
- Add a new action scope for a specific action category.
-
-.. code-block:: json
-
- post = {
- "action_scope_name": "name of the scope",
- "action_scope_description": "description of the scope"
- }
- return = {
- "action_scope_id": {
- "name": "name of the scope",
- "description": "description of the scope"
- }
- }
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/action_scopes/{action_category_id}/{action_scope_id}**
-
- Delete a action scope.
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/action_assignments/{action_id}/{action_category_id}**
-
- List all action assignments for a action and for a action category.
-
-.. code-block:: json
-
- return = [
- "action_assignment_id1", "action_assignment_id2"
- ]
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/action_assignments**
-
- Add an assignment.
-
-.. code-block:: json
-
- post = {
- "action_id": "id of the action",
- "action_category_id": "id of the category",
- "action_scope_id": "id of the scope"
- }
- return = [
- "action_assignment_id1", "action_assignment_id2"
- ]
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/action_assignments/{action_id}/{action_category_id}/{action_scope_id}**
-
- Delete a action assignment.
-
-.. code-block:: json
-
- return = {}
-
-
-Intra-Extension Rules
-~~~~~~~~~~~~~~~~~~~~~
-
-**GET /moon/intra_extensions/{intra_extension_id}/aggregation_algorithm**
-
- List aggregation algorithm for an intra extension.
-
-.. code-block:: json
-
- return = {
- "aggregation_algorithm_id": {
- "name": "name of the aggregation algorithm",
- "description": "description of the aggregation algorithm"
- }
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/aggregation_algorithm**
-
- Set the current aggregation algorithm for an intra extension.
-
-.. code-block:: json
-
- post = {
- "aggregation_algorithm_id": "id of the aggregation algorithm",
- "aggregation_algorithm_description": "description of the aggregation algorithm"
- }
- return = {
- "aggregation_algorithm_id": {
- "name": "name of the aggregation algorithm",
- "description": "description of the aggregation algorithm"
- }
- }
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/sub_meta_rules**
-
- Show the current sub meta rules.
-
-.. code-block:: json
-
- return = {
- "sub_meta_rule_id": {
- "name": "name of the aggregation algorithm",
- "algorithm": "algorithm of the aggregation algorithm",
- "subject_categories": ["subject_category_id1", "subject_category_id2"],
- "object_categories": ["object_category_id1", "object_category_id2"],
- "action_categories": ["action_category_id1", "action_category_id2"]
- }
- }
-
-
-.. code-block:: json
-
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}**
-
- Set the current sub meta rule.
-
-.. code-block:: json
-
- post = {
- "sub_meta_rule_name": "name of the sub meta rule",
- "sub_meta_rule_algorithm": "name of the sub meta rule algorithm",
- "sub_meta_rule_subject_categories": ["subject_category_id1", "subject_category_id2"],
- "sub_meta_rule_object_categories": ["object_category_id1", "object_category_id2"],
- "sub_meta_rule_action_categories": ["action_category_id1", "action_category_id2"]
- }
- return = {}
-
-
-**GET /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}**
-
- List all rules.
-
-.. code-block:: json
-
- return = {
- "rule_id1": ["subject_scope_id1", "object_scope_id1", "action_scope_id1"],
- "rule_id2": ["subject_scope_id2", "object_scope_id2", "action_scope_id2"]
- }
-
-
-**POST /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}**
-
- Add a new rule.
-
-.. code-block:: json
-
- post = {
- "subject_categories": ["subject_scope_id1"],
- "object_categories": ["object_scope_id1"],
- "action_categories": ["action_scope_id1"],
- "enabled": True
- }
- return = {}
-
-
-**DELETE /moon/intra_extensions/{intra_extension_id}/rule/{sub_meta_rule_id}/{rule_id}**
-
- Delete a rule.
-
-.. code-block:: json
-
- return = {}
-
-
-Logs
-~~~~
-
-**GET /moon/logs/{options}**
-
- List all logs.
- Options can be:
-
- * ``filter=<filter_characters>``
- * ``from=<show logs from this date>``
- * ``to=<show logs to this date>``
- * ``event_number=<get n logs>``
-
- Time format is '%Y-%m-%d-%H:%M:%S' (eg. "2015-04-15-13:45:20")
-
-.. code-block:: json
-
- return = [
- "2015-04-15-13:45:20 ...",
- "2015-04-15-13:45:21 ...",
- "2015-04-15-13:45:22 ...",
- "2015-04-15-13:45:23 ..."
- ]
-
-Auth
-~~~~
-
-**POST /moon/auth/tokens**
-
- Add a tenant.
-
-.. code-block:: json
-
- post = {
- "username": "name of the user to authenticate",
- "password": "password of the user to authenticate"
- }
- return = {
- "token": "NEW_TOKEN",
- "message": "if authentication failed..."
- }
-
-
diff --git a/keystone-moon/doc/source/extensions/oauth1.rst b/keystone-moon/doc/source/extensions/oauth1.rst
deleted file mode 100644
index 29955d74..00000000
--- a/keystone-moon/doc/source/extensions/oauth1.rst
+++ /dev/null
@@ -1,49 +0,0 @@
-..
- Copyright 2011-2013 OpenStack, Foundation
- All Rights Reserved.
-
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-=============================
-Enabling the OAuth1 Extension
-=============================
-
-To enable the OAuth1 extension:
-
-1. Optionally, add the oauth1 extension driver to the ``[oauth1]`` section in ``keystone.conf``. For example::
-
- [oauth1]
- driver = sql
-
-2. Add the ``oauth1`` authentication method to the ``[auth]`` section in ``keystone.conf``::
-
- [auth]
- methods = external,password,token,oauth1
-
-3. Add the ``oauth1_extension`` filter to the ``api_v3`` pipeline in
- ``keystone-paste.ini``. This must be added after ``json_body`` and before
- the last entry in the pipeline. For example::
-
- [pipeline:api_v3]
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension service_v3
-
-4. Create the OAuth1 extension tables if using the provided SQL backend. For example::
-
- ./bin/keystone-manage db_sync --extension oauth1
-
-5. Optionally, if deploying under an HTTPD server (i.e. Apache), set the
- `WSGIPassAuthorization` to allow the OAuth Authorization headers to
- pass through `mod_wsgi`. For example, add the following to the Keystone
- virtual host file::
-
- WSGIPassAuthorization On
diff --git a/keystone-moon/doc/source/extensions/openidc.rst b/keystone-moon/doc/source/extensions/openidc.rst
deleted file mode 100644
index f515309e..00000000
--- a/keystone-moon/doc/source/extensions/openidc.rst
+++ /dev/null
@@ -1,93 +0,0 @@
-:orphan:
-
-..
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-====================
-Setup OpenID Connect
-====================
-
-Configuring mod_auth_openidc
-============================
-
-Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_)
-
-.. _`mod_auth_openidc`: https://github.com/pingidentity/mod_auth_openidc
-
-To install `mod_auth_openidc` on Ubuntu, perform the following:
-
-.. code-block:: bash
-
- sudo apt-get install libapache2-mod-auth-openidc
-
-Note that this module is not available on Fedora/CentOS/Red Hat.
-
-In the keystone Apache site file, add the following as a top level option, to
-load the `mod_auth_openidc` module:
-
-.. code-block:: xml
-
- LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
-
-Also within the same file, locate the virtual host entry and add the following
-entries for OpenID Connect:
-
-.. code-block:: xml
-
- <VirtualHost *:5000>
-
- ...
-
- OIDCClaimPrefix "OIDC-"
- OIDCResponseType "id_token"
- OIDCScope "openid email profile"
- OIDCProviderMetadataURL <url_of_provider_metadata>
- OIDCClientID <openid_client_id>
- OIDCClientSecret <openid_client_secret>
- OIDCCryptoPassphrase openstack
- OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
-
- <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
- AuthType openid-connect
- Require valid-user
- LogLevel debug
- </LocationMatch>
- </VirtualHost>
-
-Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
-If not using `OIDCProviderMetadataURL`, then the following attributes
-must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`,
-`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`,
-`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri`
-
-Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix`
-must be specified to have only alphanumerics or a dash ("-"). This is because
-mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed
-for more details
-
-Once you are done, restart your Apache daemon:
-
-.. code-block:: bash
-
- $ service apache2 restart
-
-Tips
-====
-
-1. When creating a mapping, note that the 'remote' attributes will be prefixed,
- with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
- typical remote value to check for is: `HTTP_OIDC_ISS`.
-
-2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_
-
-.. _`Step 2`: federation.html \ No newline at end of file
diff --git a/keystone-moon/doc/source/extensions/revoke.rst b/keystone-moon/doc/source/extensions/revoke.rst
deleted file mode 100644
index a89e359d..00000000
--- a/keystone-moon/doc/source/extensions/revoke.rst
+++ /dev/null
@@ -1,45 +0,0 @@
- ..
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-=================================
-Enabling the Revocation Extension
-=================================
-
-.. NOTE::
-
- As of the Juno release, the example configuration files will have the
- ``OS-REVOKE`` extension enabled by default, thus it is not necessary to
- perform steps 1 and 2.
- Also, for new installations, the revocation extension tables are already
- migrated, thus it is not necessary to perform steps 3.
-
-1. Optionally, add the revoke extension driver to the ``[revoke]`` section
- in ``keystone.conf``. For example::
-
- [revoke]
- driver = sql
-
-2. Add the required ``filter`` to the ``pipeline`` in ``keystone-paste.ini``.
- This must be added after ``json_body`` and before the last entry in the
- pipeline. For example::
-
- [filter:revoke_extension]
- paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
-
- [pipeline:api_v3]
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
-
-3. Create the revocation extension tables if using the provided SQL backend.
- For example::
-
- ./bin/keystone-manage db_sync --extension revoke
diff --git a/keystone-moon/doc/source/extensions/shibboleth.rst b/keystone-moon/doc/source/extensions/shibboleth.rst
deleted file mode 100644
index d67cfa1a..00000000
--- a/keystone-moon/doc/source/extensions/shibboleth.rst
+++ /dev/null
@@ -1,279 +0,0 @@
-:orphan:
-
-..
- Licensed under the Apache License, Version 2.0 (the "License"); you may
- not use this file except in compliance with the License. You may obtain
- a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- License for the specific language governing permissions and limitations
- under the License.
-
-================
-Setup Shibboleth
-================
-
-Configure Apache HTTPD for mod_shibboleth
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Follow the steps outlined at: `Running Keystone in HTTPD`_.
-
-.. _`Running Keystone in HTTPD`: ../apache-httpd.html
-
-You'll also need to install `Shibboleth <https://wiki.shibboleth.net/confluence/display/SHIB2/Home>`_, for
-example:
-
-.. code-block:: bash
-
- $ apt-get install libapache2-mod-shib2
-
-Configure your Keystone virtual host and adjust the config to properly handle SAML2 workflow:
-
-Add *WSGIScriptAlias* directive to your vhost configuration::
-
- WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
-
-Make sure the *wsgi-keystone.conf* contains a *<Location>* directive for the Shibboleth module and
-a *<Location>* directive for each identity provider::
-
- <Location /Shibboleth.sso>
- SetHandler shib
- </Location>
-
- <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
- ShibRequestSetting requireSession 1
- ShibRequestSetting applicationId idp_1
- AuthType shibboleth
- ShibRequireAll On
- ShibRequireSession On
- ShibExportAssertion Off
- Require valid-user
- </Location>
-
-.. NOTE::
- * ``saml2`` may be different in your deployment, but do not use a wildcard value.
- Otherwise *every* federated protocol will be handled by Shibboleth.
- * ``idp_1`` has to be replaced with the name associated with the idp in Keystone.
- The same name is used inside the shibboleth2.xml configuration file but they could
- be different.
- * The ``ShibRequireSession`` and ``ShibRequireAll`` rules are invalid in
- Apache 2.4+ and should be dropped in that specific setup.
- * You are advised to carefully examine `Shibboleth Apache configuration
- documentation
- <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig>`_
-
-Enable the Keystone virtual host, for example:
-
-.. code-block:: bash
-
- $ a2ensite wsgi-keystone.conf
-
-Enable the ``ssl`` and ``shib2`` modules, for example:
-
-.. code-block:: bash
-
- $ a2enmod ssl
- $ a2enmod shib2
-
-Restart Apache, for example:
-
-.. code-block:: bash
-
- $ service apache2 restart
-
-Configuring shibboleth2.xml
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Once you have your Keystone vhost (virtual host) ready, it's then time to
-configure Shibboleth and upload your Metadata to the Identity Provider.
-
-If new certificates are required, they can be easily created by executing:
-
-.. code-block:: bash
-
- $ shib-keygen -y <number of years>
-
-The newly created file will be stored under ``/etc/shibboleth/sp-key.pem``
-
-You should fetch your Service Provider's Metadata file. Typically this can be
-achieved by simply fetching a Metadata file, for example:
-
-.. code-block:: bash
-
- $ wget --no-check-certificate -O <name of the file> https://service.example.org/Shibboleth.sso/Metadata
-
-Upload your Service Provider's Metadata file to your Identity Provider.
-This step depends on your Identity Provider choice and is not covered here.
-
-Configure your Service Provider by editing ``/etc/shibboleth/shibboleth2.xml``
-file. You are advised to examine `Shibboleth Service Provider Configuration documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/Configuration>`_
-
-An example of your ``/etc/shibboleth/shibboleth2.xml`` may look like
-(The example shown below is for reference only, not to be used in a production
-environment):
-
-.. code-block:: xml
-
- <!--
- File configuration courtesy of http://testshib.org
-
- More information:
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
- -->
-
- <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
- xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800 ">
-
- <!-- The entityID is the name TestShib made for your SP. -->
- <ApplicationDefaults entityID="https://<yourhosthere>/shibboleth">
-
- <!--
- You should use secure cookies if at all possible.
- See cookieProps in this Wiki article.
- -->
- <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
- relayState="ss:mem" handlerSSL="false">
-
- <!-- Triggers a login request directly to the TestShib IdP. -->
- <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
- <SSO entityID="https://<idp-url>/idp/shibboleth" ECP="true">
- SAML2 SAML1
- </SSO>
-
- <!-- SAML and local-only logout. -->
- <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
- <Logout>SAML2 Local</Logout>
-
- <!--
- Handlers allow you to interact with the SP and gather
- more information. Try them out!
- Attribute value s received by the SP through SAML
- will be visible at:
- http://<yourhosthere>/Shibboleth.sso/Session
- -->
-
- <!--
- Extension service that generates "approximate" metadata
- based on SP configuration.
- -->
- <Handler type="MetadataGenerator" Location="/Metadata"
- signing="false"/>
-
- <!-- Status reporting service. -->
- <Handler type="Status" Location="/Status"
- acl="127.0.0.1"/>
-
- <!-- Session diagnostic service. -->
- <Handler type="Session" Location="/Session"
- showAttributeValues="true"/>
- <!-- JSON feed of discovery information. -->
- <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
- </Sessions>
-
- <!--
- Error pages to display to yourself if
- something goes horribly wrong.
- -->
- <Errors supportContact ="<admin_email_address>"
- logoLocation="/shibboleth-sp/logo.jpg"
- styleSheet="/shibboleth-sp/main.css"/>
-
- <!--
- Loads and trusts a metadata file that describes only one IdP
- and how to communicate with it.
- -->
- <MetadataProvider type="XML" uri="<idp-metadata-file>"
- backingFilePath="<local idp metadata>"
- reloadInterval="180000" />
-
- <!-- Attribute and trust options you shouldn't need to change. -->
- <AttributeExtractor type="XML" validate="true"
- path="attribute-map.xml"/>
- <AttributeResolver type="Query" subjectMatch="true"/>
- <AttributeFilter type="XML" validate="true"
- path="attribute-policy.xml"/>
-
- <!--
- Your SP generated these credentials.
- They're used to talk to IdP's.
- -->
- <CredentialResolver type="File" key="sp-key.pem"
- certificate="sp-cert.pem"/>
-
- <ApplicationOverride id="idp_1" entityID="https://<yourhosthere>/shibboleth">
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
- relayState="ss:mem" handlerSSL="false">
-
- <!-- Triggers a login request directly to the TestShib IdP. -->
- <SSO entityID="https://<idp_1-url>/idp/shibboleth" ECP="true">
- SAML2 SAML1
- </SSO>
-
- <Logout>SAML2 Local</Logout>
- </Sessions>
-
- <MetadataProvider type="XML" uri="<idp_1-metadata-file>"
- backingFilePath="<local idp_1 metadata>"
- reloadInterval="180000" />
-
- </ApplicationOverride>
-
- <ApplicationOverride id="idp_2" entityID="https://<yourhosthere>/shibboleth">
- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
- relayState="ss:mem" handlerSSL="false">
-
- <!-- Triggers a login request directly to the TestShib IdP. -->
- <SSO entityID="https://<idp_2-url>/idp/shibboleth" ECP="true">
- SAML2 SAML1
- </SSO>
-
- <Logout>SAML2 Local</Logout>
- </Sessions>
-
- <MetadataProvider type="XML" uri="<idp_2-metadata-file>"
- backingFilePath="<local idp_2 metadata>"
- reloadInterval="180000" />
-
- </ApplicationOverride>
-
- </ApplicationDefaults>
-
- <!--
- Security policies you shouldn't change unless you
- know what you're doing.
- -->
- <SecurityPolicyProvider type="XML" validate="true"
- path="security-policy.xml"/>
-
- <!--
- Low-level configuration about protocols and bindings
- available for use.
- -->
- <ProtocolProvider type="XML" validate="true" reloadChanges="false"
- path="protocols.xml"/>
-
- </SPConfig>
-
-Keystone enforces `external authentication`_ when the ``REMOTE_USER``
-environment variable is present so make sure Shibboleth doesn't set the
-``REMOTE_USER`` environment variable. To do so, scan through the
-``/etc/shibboleth/shibboleth2.xml`` configuration file and remove the
-``REMOTE_USER`` directives.
-
-Examine your attributes map file ``/etc/shibboleth/attributes-map.xml`` and adjust
-your requirements if needed. For more information see
-`attributes documentation <https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAddAttribute>`_
-
-Once you are done, restart your Shibboleth daemon:
-
-.. _`external authentication`: ../external-auth.html
-
-.. code-block:: bash
-
- $ service shibd restart
- $ service apache2 restart