How to configure Mirantis OpenStack for WebSSO via Okta

mos-websso.rst

• To use openstack cli you need to switch it to using v3 API. Do this:

  1. cp openrc openrc.v3

  2. edit openrc.v3 and

     • add there this line: export OS_IDENTITY_API_VERSION=3
     • change OS_AUTH_URL to point to v3.

• Create an identity provider

  openstack identity provider create idp_1 # idp_1 is an id. Use any you like. I like idp_1

• Create a mapping

  Mapping is a set of rules that tells keystone which group or project or domain the user belongs to. For this POC lets put the user to a static group.

  Create a group: openstack group create --domain default remote_people # it was created with id 0e85a08dad294ad9b6aa9ebb7a969caa, remember it

  Create a mapping. Lets use this one:

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}",
            "domain": {"name": "Default"}
          }
        },
        {
          "group": {
            "id": "0e85a08dad294ad9b6aa9ebb7a969caa"
          }
        }
      ],
      "remote": [
        {
          "type": "username"
        }
      ]
    }
  ]
  

  remote type: username might seem not obvious yet, but we'll get back to this part

  Save it to a file "mapping.json" and run: openstack mapping create --rules mapping.json my_mapping.

• Create a federation protocol for the mapping and identity provider we created above

  openstack federation protocol create --identity-provider idp_1 --mapping my_mapping saml2

• Remember the ids we used here:

  • federation protocol: saml2
  • identity provider: idp_1

• Install mod_shibboleth. apt-get install libapache2-mod-shib2

• Add the following to /etc/apache2/sites-enabled/05-keystone_wsgi_main.conf:

  <Location /Shibboleth.sso>
      SetHandler shib
  </Location>
  

• Add this to vhost configuration:

  <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
      ShibRequestSetting requireSession 1
      AuthType shibboleth
      ShibExportAssertion Off
      Require valid-user
  
      <IfVersion < 2.4>
          ShibRequireSession On
          ShibRequireAll On
      </IfVersion>
  </Location>
  

• Set ServerName in virtualhost configuration:

  ServerName https://public.fuel.local:5000/
  UseCanonicalName On
  

• Configure Horizon

  • As described on http://docs.openstack.org/developer/keystone/extensions/websso.html#horizon-changes . Do not skip optional parts.
  • NOTE: saml2 in WEBSSO_CHOICES is the name of your federation protocol.
  • Set OPENSTACK_KEYSTONE_URL = "https://public.fuel.local:5000/v3". Note the https. The URL should be accesible using your browser. Most probably, you need your public network url.

• Ensure that in shibboleth2.xml <Sessions> has handlerSSL="false"

• Fix haproxy as suggested in comment #1 of bureport https://bugs.launchpad.net/mos/+bug/1527717

• Create your app in Okta

  • Single Sign On URL = https://public.fuel.local:5000/Shibboleth.sso/SAML2/POST
  • Audience URI (SP Entity ID) = http://public.fuel.local:5000/v3/auth/OS-FEDERATION/websso/saml2
  • Go to "Sign On" settings tab and copy a link of "Identity Provider metadata". For me it looks like https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata.
  • In SAML configuration, section "Attribute Statements (optional)", put username to field "name" and select user.email in "value".

  • Edit your /etc/shibboleth/shibboleth2.xml:

    • In your <ApplicationDefaults> find <MetadataProvider> and set uri="https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata" (your metadata url above)
    • <ApplicationDefaults entityID="https://public.fuel.local:5000/">
    • Inside Session find <SSO entityID="..."> and set entityID to SAML Issuer ID, for me it was http://www.okta.com/exk3emohjqYcZ1KR90x7.
    • Ensure that in shibboleth2.xml <Sessions> has handlerSSL="false".

  Here is a full shibboleth2.xml for reference: https://paste.mirantis.net/show/1597/

• Add this to /etc/shibboleth/attribute-map.xml:

  <Attribute name="username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="username">
      <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  

• Set remote-id of your idp:

  openstack identity provider set --remote-id 'http://www.okta.com/exk3emohjqYcZ1KR90x7' idp_1

• Edit /etc/keystone/keystone.conf

  • [DEFAULT]secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
  • [auth]methods = external,password,token,oauth1,saml2
  • [federation]remote_id_attribute = Shib-Identity-Provider
  • [federation]trusted_dashboard = https://public.fuel.local/horizon/auth/websso/

• Create /etc/keystone/sso_callback_template.html (use a template from official keystone docs)

• HACK FOR 7.0: /usr/lib/python2.7/dist-packages/openstack_auth/views.py: origin = request.build_absolute_uri('/horizon/auth/websso/')