- To use
openstack
cli you need to switch it to using v3 API. Do this: - cp openrc openrc.v3
- edit openrc.v3 and
- add there this line: export OS_IDENTITY_API_VERSION=3
- change OS_AUTH_URL to point to v3.
- To use
Create an identity provider
openstack identity provider create idp_1 # idp_1 is an id. Use any you like. I like idp_1
Create a mapping
Mapping is a set of rules that tells keystone which group or project or domain the user belongs to. For this POC lets put the user to a static group.
Create a group:
openstack group create --domain default remote_people # it was created with id 0e85a08dad294ad9b6aa9ebb7a969caa, remember it
Create a mapping. Lets use this one:
[ { "local": [ { "user": { "name": "{0}", "domain": {"name": "Default"} } }, { "group": { "id": "0e85a08dad294ad9b6aa9ebb7a969caa" } } ], "remote": [ { "type": "username" } ] } ]
remote type: username
might seem not obvious yet, but we'll get back to this partSave it to a file "mapping.json" and run:
openstack mapping create --rules mapping.json my_mapping
.Create a federation protocol for the mapping and identity provider we created above
openstack federation protocol create --identity-provider idp_1 --mapping my_mapping saml2
- Remember the ids we used here:
- federation protocol:
saml2
- identity provider:
idp_1
- federation protocol:
Install mod_shibboleth.
apt-get install libapache2-mod-shib2
Add the following to
/etc/apache2/sites-enabled/05-keystone_wsgi_main.conf
:<Location /Shibboleth.sso> SetHandler shib </Location>
Add this to vhost configuration:
<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2"> ShibRequestSetting requireSession 1 AuthType shibboleth ShibExportAssertion Off Require valid-user <IfVersion < 2.4> ShibRequireSession On ShibRequireAll On </IfVersion> </Location>
Set ServerName in virtualhost configuration:
ServerName https://public.fuel.local:5000/ UseCanonicalName On
- Configure Horizon
- As described on http://docs.openstack.org/developer/keystone/extensions/websso.html#horizon-changes . Do not skip optional parts.
- NOTE:
saml2
inWEBSSO_CHOICES
is the name of your federation protocol. - Set
OPENSTACK_KEYSTONE_URL = "https://public.fuel.local:5000/v3"
. Note the https. The URL should be accesible using your browser. Most probably, you need your public network url.
Ensure that in
shibboleth2.xml
<Sessions>
hashandlerSSL="false"
Fix haproxy as suggested in comment #1 of bureport https://bugs.launchpad.net/mos/+bug/1527717
- Create your app in Okta
- Single Sign On URL =
https://public.fuel.local:5000/Shibboleth.sso/SAML2/POST
- Audience URI (SP Entity ID) =
http://public.fuel.local:5000/v3/auth/OS-FEDERATION/websso/saml2
- Go to "Sign On" settings tab and copy a link of "Identity Provider metadata". For me it looks like
https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata
. - In SAML configuration, section "Attribute Statements (optional)", put
username
to field "name" and selectuser.email
in "value". - Edit your
/etc/shibboleth/shibboleth2.xml
: - In your
<ApplicationDefaults>
find<MetadataProvider>
and seturi="https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata"
(your metadata url above) <ApplicationDefaults entityID="https://public.fuel.local:5000/">
- Inside
Session
find<SSO entityID="...">
and set entityID to SAML Issuer ID, for me it washttp://www.okta.com/exk3emohjqYcZ1KR90x7
. - Ensure that in
shibboleth2.xml
<Sessions>
hashandlerSSL="false"
.
- In your
- Edit your
- Single Sign On URL =
Here is a full shibboleth2.xml for reference: https://paste.mirantis.net/show/1597/
Add this to
/etc/shibboleth/attribute-map.xml
:<Attribute name="username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="username"> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/> </Attribute>
- Set remote-id of your idp:
openstack identity provider set --remote-id 'http://www.okta.com/exk3emohjqYcZ1KR90x7' idp_1
- Edit
/etc/keystone/keystone.conf
[DEFAULT]secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
[auth]methods = external,password,token,oauth1,saml2
[federation]remote_id_attribute = Shib-Identity-Provider
[federation]trusted_dashboard = https://public.fuel.local/horizon/auth/websso/
- Edit
Create
/etc/keystone/sso_callback_template.html
(use a template from official keystone docs)HACK FOR 7.0:
/usr/lib/python2.7/dist-packages/openstack_auth/views.py
:origin = request.build_absolute_uri('/horizon/auth/websso/')
-
-
Save michaelrice/613cbcb2841ffe10746184a74aa60586 to your computer and use it in GitHub Desktop.
How to configure Mirantis OpenStack for WebSSO via Okta
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment