Diffstat (limited to 'keystone-moon/doc/source/federation/websso.rst')
-rw-r--r-- | keystone-moon/doc/source/federation/websso.rst | 79 |
1 files changed, 70 insertions, 9 deletions
diff --git a/keystone-moon/doc/source/federation/websso.rst b/keystone-moon/doc/source/federation/websso.rst index 4ada0a4c..682449ac 100644 --- a/keystone-moon/doc/source/federation/websso.rst +++ b/keystone-moon/doc/source/federation/websso.rst @@ -35,9 +35,17 @@ prevent man-in-the-middle (MITM) attacks. 2. Update httpd vhost file with websso information. -The `/v3/auth/OS-FEDERATION/websso/<protocol>` route must be protected by the -chosen httpd module. This is performed so the request that originates from -horizon will use the same identity provider that is configured in keystone. +The `/v3/auth/OS-FEDERATION/websso/<protocol>` and +`/v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso` +routes must be protected by the chosen httpd module. This is performed so the +request that originates from horizon will use the same identity provider that +is configured in keystone. + +.. WARNING:: + By using the IdP specific route, a user will no longer leverage the Remote + ID of a specific Identity Provider, and will be unable to verify that the + Identity Provider is trusted, the mapping will remain as the only means to + controlling authorization. If `mod_shib` is used, then use the following as an example: @@ -52,6 +60,11 @@ If `mod_shib` is used, then use the following as an example: Require valid-user ... </Location> + <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/websso"> + AuthType shibboleth + Require valid-user + ... + </Location> </VirtualHost> If `mod_auth_openidc` is used, then use the following as an example: @@ -61,6 +74,7 @@ If `mod_auth_openidc` is used, then use the following as an example: <VirtualHost *:5000> OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/websso/redirect + OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocol/oidc/websso/redirect ... 
@@ -69,6 +83,11 @@ If `mod_auth_openidc` is used, then use the following as an example: Require valid-user ... </Location> + <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/oidc/websso"> + AuthType openid-connect + Require valid-user + ... + </Location> </VirtualHost> If `mod_auth_kerb` is used, then use the following as an example: @@ -87,6 +106,14 @@ If `mod_auth_kerb` is used, then use the following as an example: Krb5Keytab /etc/apache2/http.keytab ... </Location> + <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/kerberos/websso"> + AuthType Kerberos + AuthName "Acme Corporation" + KrbMethodNegotiate on + KrbMethodK5Passwd off + Krb5Keytab /etc/apache2/http.keytab + ... + </Location> </VirtualHost> If `mod_auth_mellon` is used, then use the following as an example: @@ -103,6 +130,12 @@ If `mod_auth_mellon` is used, then use the following as an example: Require valid-user ... </Location> + <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/websso"> + AuthType Mellon + MellonEnable auth + Require valid-user + ... + </Location> </VirtualHost> .. NOTE:: @@ -182,6 +215,9 @@ Horizon Changes Django OpenStack Auth version 1.2.0 or higher is required for these steps. + Identity provider and federation protocol specific webSSO is only available + in Django OpenStack Auth version 2.0.0 or higher. + 1. Set the Identity Service version to 3 Ensure the `OPENSTACK_API_VERSIONS` option in horizon's local_settings.py has 
@@ -214,20 +250,45 @@ this will provide users with an updated login screen for horizon. 4. (Optional) Create a list of authentication methods with the `WEBSSO_CHOICES` option. -Within horizon's settings.py file, a list of supported authentication methods -can be specified. The entries in the list map to keystone federation protocols, -with the exception of ``credentials`` which is reserved by horizon, and maps to -the user name and password used by keystone's identity backend. +Within horizon's settings.py file, a list of supported authentication methods can be +specified. The list includes Keystone federation protocols such as OpenID Connect and +SAML, and also keys that map to specific identity provider and federation protocol +combinations (as defined in `WEBSSO_IDP_MAPPING`). With the exception of ``credentials`` +which is reserved by horizon, and maps to the user name and password used by keystone's +identity backend. .. code-block:: python WEBSSO_CHOICES = ( ("credentials", _("Keystone Credentials")), ("oidc", _("OpenID Connect")), - ("saml2", _("Security Assertion Markup Language")) + ("saml2", _("Security Assertion Markup Language")), + ("idp_1_oidc", "Acme Corporation - OpenID Connect"), + ("idp_1_saml2", "Acme Corporation - SAML2") ) -5. (Optional) Specify an initial choice with the `WEBSSO_INITIAL_CHOICE` +5. (Optional) Create a dictionary of specific identity provider and federation + protocol combinations. + +A dictionary of specific identity provider and federation protocol combinations. +From the selected authentication mechanism, the value will be looked up as keys +in the dictionary. If a match is found, it will redirect the user to a identity +provider and federation protocol specific WebSSO endpoint in keystone, otherwise +it will use the value as the protocol_id when redirecting to the WebSSO by +protocol endpoint. + +.. 
code-block:: python + + WEBSSO_IDP_MAPPING = { + "idp_1_oidc": ("idp_1", "oidc"), + "idp_1_saml2": ("idp_1", "saml2") + } + +.. NOTE:: + + The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>). + +6. (Optional) Specify an initial choice with the `WEBSSO_INITIAL_CHOICE` option. The list set by the `WEBSSO_CHOICES` option will be generated in a drop-down |
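Review bot: The WARNING added in the @@ -35 hunk names a real trade-off but gives the operator nothing to do about it: once the Remote ID check is skipped, keystone no longer verifies that the assertion presented on `/identity_providers/idp_1/protocols/.../websso` actually came from the IdP registered as `idp_1`, so the httpd module's own trust configuration for that `<Location>` is the only thing binding the route to the intended IdP, and the mapping decides authorization after that. Say that explicitly, and split the comma splice: `... will be unable to verify that the Identity Provider is trusted. The mapping will remain the only means of controlling authorization.` The new route is also written with `{idp_id}`/`{protocol_id}` while the existing one uses `<protocol>`; use one placeholder style.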
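Review bot: The `<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/websso">` block added in the @@ -52 hunk hardcodes `idp_1` although the prose describes a generic `{idp_id}` route; add a sentence saying one such block is required for every identity provider the operator wants to expose this way, since a request for an IdP without its own protected Location will not be authenticated by `mod_shib` at all. The same applies to the equivalent blocks added for `mod_auth_openidc`, `mod_auth_kerb` and `mod_auth_mellon`.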
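Review bot: The `OIDCRedirectURI` line added in the @@ -61 hunk uses `protocol/oidc` (singular) while the route introduced in the @@ -35 hunk and the `<Location>` added in the @@ -69 hunk both use `protocols/oidc`; as written the redirect URI points at a path that does not match the protected Location, so `mod_auth_openidc` would not handle the callback there. Change it to `OIDCRedirectURI http://localhost:5000/v3/auth/OS-FEDERATION/identity_providers/idp_1/protocols/oidc/websso/redirect`. The new line also copies the `http://` scheme from the existing example even though the surrounding section says the setup exists to prevent MITM attacks; showing `https://` in both lines would be consistent with that advice.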
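Review bot: The sentence added in the @@ -182 hunk writes `webSSO` where the rest of the file (and the later @@ -214 hunk) uses `WebSSO`; use `WebSSO` here too. Since it sits inside the NOTE that already states the 1.2.0 requirement, consider phrasing it as a second requirement of that note rather than a free-standing sentence.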
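Review bot: The fallback described in the new step 5 of the @@ -214 hunk deserves a caveat: any `WEBSSO_CHOICES` key that has no entry in `WEBSSO_IDP_MAPPING` is passed straight through as the `protocol_id` of the by-protocol WebSSO route, so a mistyped mapping key (for example `idp_1_odic`) silently becomes a redirect to `/v3/auth/OS-FEDERATION/websso/idp_1_odic`; state that every unmapped key must be a protocol ID keystone knows and that the corresponding route is protected in httpd. Three smaller points in the same hunk: the new `("idp_1_oidc", "Acme Corporation - OpenID Connect")` and `("idp_1_saml2", "Acme Corporation - SAML2")` labels are not wrapped in `_()` like the existing choices; `With the exception of ``credentials`` which is reserved by horizon, and maps to ...` is now a sentence fragment and should be joined to the preceding sentence; and `redirect the user to a identity provider` should read `an identity provider`. Also check that the steps following the renumbered step 6 (not visible in this hunk) were renumbered as well.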