Testing K2K federation with 2x OSAD AIOs
root@aio-tuesidp:/opt/stackforge/os-ansible-deployment# export OS_TOKEN=gAAAAABVr6TnAYIK774E5GI29JO2ZfAfa61kdPBK0qnC3yZH9lPHLwijEvZXS8H3VZFvTI_JeBofbglKAh5j9Gmn80CxYNIkZsRVHzKRnVgh8uj99HrNifv4W5SaGHCmRgyNUx5PATsv9eOkUqGtiJAGHQHyQsZ4PA__r-idMx69ahHLCOeMW9o%3D
root@aio-tuesidp:/opt/stackforge/os-ansible-deployment# export OS_URL=http://134.213.150.73:9292
root@aio-tuesidp:/opt/stackforge/os-ansible-deployment# openstack image list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 86275191-40b0-48a6-98e0-c40498ae7075 | cirros |
+--------------------------------------+--------+
root@aio-tuesidp:/opt/stackforge/os-ansible-deployment# scripts/federated-login.sh -p fedproject -d Default keystonesp
Performing federated login...
- Obtained IdP token.
- Obtained SAML2 assertion from IdP.
- Submitted SAML2 assertion to SP.
- Obtained unscoped token from SP: gAAAAABVr6TnZBKlI8Iuj7t2I4BBVpIo_9S1ighxcGomfIqmk3da1-Tru6fIBzXh555AdO7a2dW_uPTnTDns56XsTH-yiiVicT1G4i5Q8li4hjLyHCN02vTAGoSNbLLkt6oUqeJaNaLMCOLWTDutto8_zpEEFjxWxxb0mMTenmlstGIkzANcr49z66vj89yz3rtPF9z-BzU8
- Domains available at sp:
- Projects available at sp:
"fedproject",
- Obtained scoped token from SP for project fedproject in domain Default: gAAAAABVr6TnAYIK774E5GI29JO2ZfAfa61kdPBK0qnC3yZH9lPHLwijEvZXS8H3VZFvTI_JeBofbglKAh5j9Gmn80CxYNIkZsRVHzKRnVgh8uj99HrNifv4W5SaGHCmRgyNUx5PATsv9eOkUqGtiJAGHQHyQsZ4PA__r-idMx69ahHLCOeMW9o%3D
- Full catalog available in file catalog.json
#----------------------------------------
# Available endpoints:
COMPUTEV21_URL=http://134.213.150.73:8774/v2.1
VOLUME_URL=http://134.213.150.73:8776/v1/7a045c9aa081494b8238515663516a06
ORCHESTRATION_URL=http://134.213.150.73:8004/v1/7a045c9aa081494b8238515663516a06
IMAGE_URL=http://134.213.150.73:9292
COMPUTE_URL=http://134.213.150.73:8774/v2/7a045c9aa081494b8238515663516a06
NETWORK_URL=http://134.213.150.73:9696
IDENTITY_URL=http://134.213.150.73:5000/v2.0
OBJECT_STORE_URL=http://134.213.150.73:8080/v1/AUTH_7a045c9aa081494b8238515663516a06
CLOUDFORMATION_URL=http://134.213.150.73:8000/v1
VOLUMEV2_URL=http://134.213.150.73:8776/v2/7a045c9aa081494b8238515663516a06
#----------------------------------------
# OpenStack client setup:
export OS_TOKEN=gAAAAABVr6TnAYIK774E5GI29JO2ZfAfa61kdPBK0qnC3yZH9lPHLwijEvZXS8H3VZFvTI_JeBofbglKAh5j9Gmn80CxYNIkZsRVHzKRnVgh8uj99HrNifv4W5SaGHCmRgyNUx5PATsv9eOkUqGtiJAGHQHyQsZ4PA__r-idMx69ahHLCOeMW9o%3D
export OS_URL=<desired-service-endpoint>
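## Federation
# Testing Notes:
# Tested IDP SHA: af4765dbe9f25decdf1cbba63c1eb2a4f883bb9a
# 134.213.150.73 is the public IP of the SP Keystone
# Enable the following section on the Keystone IdP.
#
# NOTE(review): this block was pasted with its indentation flattened; the
# nesting below is reconstructed and should be verified against the role's
# defaults before it is used.
#
# Security notes (test-lab settings, not production values):
#  - keystone_ssl_enabled is false and both service_providers URLs below are
#    plain http, so the SAML assertion and the tokens it yields cross the
#    network unencrypted.
#  - The IdP signing key (keyfile) is what lets the SP trust assertions from
#    this IdP; keep it readable only by the keystone service user.
keystone_ssl_enabled: false
keystone_idp:
  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
  self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
  # presumably regenerates the self-signed signing cert when true — confirm
  # against the role before flipping it, since the SP would then need the
  # new IdP metadata.
  regen_cert: false
  idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
  idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
  idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
  service_providers:
    - id: "keystonesp"
      # Both endpoints point at the SP Keystone over http (see note above).
      auth_url: http://134.213.150.73:5000/v3/OS-FEDERATION/identity_providers/keystoneidp/protocols/saml2/auth
      sp_url: http://134.213.150.73:5000/Shibboleth.sso/SAML2/ECP
  # the following settings are optional
  organization_name: example_company
  organization_display_name: Example Corp.
  organization_url: example.com
  contact_company: example_company
  contact_name: John
  contact_surname: Smith
  contact_email: [email protected]
  contact_telephone: 555-55-5555
  contact_type: technical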
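## Federation
# Testing Notes:
# Tested SP SHA: 72f459e06b162a5cf4b39b1b9d7a171d7a517dec
# 134.213.156.70 is the public IP of the IdP Keystone
# Enable the following section in order to install and configure
# Keystone as a Resource Service Provider (SP) and to configure
# trusts with specific Identity Providers (IdP).
#
# NOTE(review): indentation was lost when this was pasted; the nesting below
# is reconstructed and should be checked against the role's defaults.
#
# Security notes (test-lab values):
#  - `password` is a literal test credential stored alongside the config; in
#    anything but a throwaway AIO it belongs in a vaulted secrets file.
#  - entity_ids and metadata_uri are plain http, so the IdP metadata this SP
#    trusts is fetched without transport protection; prefer https, or rely on
#    a locally verified metadata_file.
#  - The mapping admits any IdP user named `user1` or `admin` into `fedgroup`,
#    so the IdP's admin account inherits whatever roles fedgroup is granted on
#    fedproject. Keep the any_one_of list and the group's role assignments
#    narrow.
keystone_sp:
  cert_duration_years: 5
  trusted_dashboard_list:
    - "https://{{ external_lb_vip_address }}/auth/websso/"
  trusted_idp_list:
    - name: "keystoneidp"
      entity_ids:
        - 'http://134.213.156.70:5000/v3/OS-FEDERATION/saml2/idp'
      metadata_uri: 'http://134.213.156.70:5000/v3/OS-FEDERATION/saml2/metadata'
      metadata_file: 'metadata-keystone-idp.xml'
      # interval between metadata refreshes (seconds is the presumed unit — confirm)
      metadata_reload: 1800
      domain_name: Default
      project: fedproject
      group: fedgroup
      user: feduser
      # test-only credential; see security notes above
      password: secrete
      protocol: saml2
      mapping:
        name: keystone-idp-mapping
        rules:
          - remote:
              # allow-list keyed on the remote username only
              - any_one_of:
                  - user1
                  - admin
                type: openstack_user
            local:
              - group:
                  name: fedgroup
                  domain:
                    name: Default
                user:
                  name: federated_user
      # attributes the SP expects to receive from the IdP
      attributes:
        - name: openstack_user
          id: openstack_user
        - name: openstack_roles
          id: openstack_roles
        - name: openstack_project
          id: openstack_project
        - name: openstack_user_domain
          id: openstack_user_domain
        - name: openstack_project_domain
          id: openstack_project_domain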