This post describes how to set up a Single Sign-On system based on the ECP (Enhanced Client or Proxy) profile of the SAML standard.
Keystone can act as an Identity Provider as well as a Service Provider. In a production environment this means that a user can have one Keystone for authentication and general authorization, and another one for authorization specific to a given cloud.
We will have the following configuration:
Federated identity is a mechanism to establish trust between Identity Providers (IdPs) and Service Providers (SPs).
Keystone is no longer the only identity service for OpenStack services; instead, there is a wide range of identity services distributed around the Internet, called Identity Providers (IdPs).
SAML protocol
One of the ways to implement Single Sign-On is to use the SAML protocol.
The SAML specification defines three roles: the Principal (typically a user), the Identity Provider (IdP), and the Service Provider (SP). In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider and makes its access decision based on it.
Keystone Federated Identity provides a way to securely use existing credentials to access cloud resources such as servers, volumes, and databases, across multiple endpoints provided in multiple authorized clouds using a single set of credentials, without having to provision additional identities or log in multiple times. The credential is maintained by the user’s Identity Provider.
Shibboleth
One of the SAML implementations is Shibboleth.
Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. The Shibboleth software implements widely used federated identity standards, principally the Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Keystone can be configured to be a Service Provider and/or an Identity Provider.
Many thanks to rodrigods; a lot of the information was taken from http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo/
Prerequisites
Keystone should be running under Apache:
- Enable keystone:
- Restart Apache:
keystone1 - Identity Provider Keystone
keystone2 - Service Provider Keystone
Keystone as a Service Provider (SP)
A Service Provider (SP) is a system entity that provides services to principals or other system entities; in this case, OpenStack Identity is the Service Provider.
This approach to federation supports keystone as a Service Provider, consuming identity properties issued by an external Identity Provider in the form of SAML assertions.
Federated users are not mirrored in the keystone identity backend (for example, using the SQL driver). The external Identity Provider is responsible for authenticating users, and communicates the result of authentication to keystone as identity properties (attributes). Keystone maps these values onto user groups and role assignments that were created in keystone beforehand.
- Enable the saml2 authentication method. Make the changes in /etc/keystone/keystone.conf:
- Install Shibboleth:
- Configure your Keystone virtual host and adjust the config to properly handle the SAML2 workflow. Add a WSGIScriptAlias directive to your vhost configuration:
- Append the following lines to the end of the file:
- Edit the /etc/shibboleth/attribute-map.xml file to add the attributes:
- Edit the /etc/shibboleth/shibboleth2.xml file to add the Keystone IdP entityID and its MetadataProvider:
- Generate Shibboleth's key pair:
- Restart Apache:
- Enable shibboleth module:
Keystone as an Identity Provider (IdP)
An Identity Provider (IdP) is a directory service that allows users to log in with a user name and password. It is a typical source of authentication tokens.
- This feature requires the installation of xmlsec1 and pysaml2:
- Generate certificates:
- Add the saml configuration to the /etc/keystone/keystone.conf file:
In order to create a trust between the Identity Provider and the Service Provider, metadata must be exchanged. To create metadata for your Identity service, run the keystone-manage command and pipe the output to
- Restart the Keystone service:
Configure Federation in Keystone
New users will not be added to the Identity backend, but the Identity Service requires group-based role assignments to authorize federated users. The federation mapping function maps the user onto local Identity Service group objects, and hence onto local role assignments.
Thus, it is required to create the Identity Service groups that correspond to the Identity Provider's groups; additionally, these groups should be assigned roles on one or more projects or domains.
- Create domain “domainf”:
- Create group “groupf”:
- Create role “rolef”:
- Grant role “rolef” to “groupf” in “domainf”:
- Create a mapping. A mapping is a list of rules that map federation attributes to Keystone users and/or groups. An Identity Provider has exactly one mapping per protocol. A mapping object can be reused by several combinations of Identity Provider and Protocol.
- Create an Identity Provider object in keystone, which represents the Identity Provider we will use to authenticate end users:
- Create a protocol. A protocol object records which mapping to apply to an incoming request from a given IdP. An IdP may have multiple supported protocols.
- Create Service Provider object:
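As an added example, not code from the original post or from Keystone itself, the following Python re-implements the rule semantics that the mapping step above relies on, so that the shape of a mapping can be checked offline before it is uploaded: unconditional remote entries fill the "{0}", "{1}", ... placeholders of the local part in order, entries with any_one_of / not_any_of (optionally interpreted as regex) only filter, and a rule whose requirements are not met contributes nothing. The attribute names (openstack_user, openstack_roles, openstack_project), the placeholder group id GROUPF_ID and the two sample assertions are assumptions and constructed input; the only names taken from the post are groupf and domainf.

```python
"""Mapping-rule evaluation for federated users (added example, not Keystone's own
engine): remote requirements are checked against the attributes Shibboleth passes
in, direct maps fill the "{0}" placeholders of the local part, and the result is
the user name plus the groups that carry the role assignments."""
import re


class MappingError(Exception):
    """Raised when the assertion maps to no group; Keystone then refuses a token."""


# Assumed attribute names and group id; the original post does not show its rules.
RULES = [
    # Rule 0: a user holding an admin or member role at the IdP lands in groupf (by id).
    {"local": [{"user": {"name": "{0}"}},
               {"group": {"id": "GROUPF_ID"}}],
     "remote": [{"type": "openstack_user"},
                {"type": "openstack_roles", "any_one_of": ["admin", "member"]}]},
    # Rule 1: a user coming from a production project also lands in groupf (by name + domain).
    {"local": [{"group": {"name": "groupf", "domain": {"name": "domainf"}}}],
     "remote": [{"type": "openstack_project", "regex": True, "any_one_of": ["^prod-"]}]},
]

# Constructed assertions in the shape Shibboleth hands to Keystone:
# multi-valued attributes arrive joined with ';'.
ALICE = {"openstack_user": "alice", "openstack_roles": "admin;member", "openstack_project": "prod-web"}
BOB = {"openstack_user": "bob", "openstack_roles": "readonly", "openstack_project": "dev-sandbox"}


def _requirement_holds(req, values):
    """any_one_of / not_any_of, either as literal set intersection or as regex search."""
    patterns = req.get("any_one_of", req.get("not_any_of"))
    if req.get("regex", False):
        hit = any(re.search(p, v) for p in patterns for v in values)
    else:
        hit = bool(set(patterns) & set(values))
    return hit if "any_one_of" in req else not hit


def _direct_maps(remote, assertion):
    """Direct-map values for one rule, or None when the rule does not match."""
    maps = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:                      # attribute absent: the rule cannot match
            return None
        if "any_one_of" in req or "not_any_of" in req:
            if not _requirement_holds(req, values):
                return None                 # conditional entries only filter
        else:
            maps.append(values[0] if len(values) == 1 else values)   # fills "{n}"
    return maps


def _render(local, maps):
    """Substitute "{0}", "{1}", ... in every string of the local part."""
    if isinstance(local, dict):
        return {k: _render(v, maps) for k, v in local.items()}
    if isinstance(local, list):
        return [_render(v, maps) for v in local]
    return local.format(*maps) if isinstance(local, str) else local


def _split(assertion):
    return {k: v.split(";") for k, v in assertion.items() if isinstance(v, str)}


def matching_rules(rules, assertion):
    """Indexes of the rules whose remote part is satisfied by the assertion."""
    split = _split(assertion)
    return [i for i, rule in enumerate(rules) if _direct_maps(rule["remote"], split) is not None]


def map_assertion(rules, assertion):
    """Apply every matching rule and collect the user and the groups it yields."""
    split = _split(assertion)
    user, group_ids, group_names = {}, [], []
    for rule in rules:
        maps = _direct_maps(rule["remote"], split)
        if maps is None:
            continue
        for item in _render(rule["local"], maps):
            if "user" in item:
                user.update(item["user"])
            if "group" in item:
                if "id" in item["group"]:
                    group_ids.append(item["group"]["id"])
                else:
                    group_names.append(item["group"])
    # A federated user who maps to no group gets no role assignments at all.
    if not (group_ids or group_names):
        raise MappingError("assertion did not map to any group")
    return {"user": user, "group_ids": group_ids, "group_names": group_names}


if __name__ == "__main__":
    print(map_assertion(RULES, ALICE))
    print(matching_rules(RULES, BOB))   # [] : bob would be rejected by the SP
```

Both rules end in groupf, which is the point of the group-based design: roles are granted once, to the group, and every mapping path has to reach a group that exists. Keystone additionally verifies that each mapped group id is present in its backend; that lookup is left out here.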
Get unscoped token
To start federated authentication, a user must access a dedicated protected URL that embeds the Identity Provider's and the Protocol's identifiers.
The Enhanced Client or Proxy (ECP) profile is supported by keystoneclient for the Identity service API.
The script follows the standard SAML2 ECP authentication procedure to get an unscoped token:
- get the SAML2 assertion
- post the assertion data to the service provider
- get the unscoped token
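The three steps above as a message-level walkthrough, added here as an example and not taken from the original post or from keystoneclient: each request is built as a plain dict so the URLs, headers and bodies of the exchange are visible, and any callable can act as the transport. The host names keystone1/keystone2, the object ids keystone1 and keystone2, the Shibboleth handler path and every response in SAMPLE_RESPONSES are assumptions or constructed stand-ins; urllib_send is a real transport for running the same code against a deployment whose TLS certificates the client trusts.

```python
"""Keystone-to-Keystone ECP exchange (added example): fetch an ECP-wrapped SAML
assertion from the IdP Keystone, post it to the SP's Shibboleth ECP handler,
and trade the resulting Shibboleth session for an unscoped token at the SP."""
import json
import urllib.error
import urllib.request

# Assumed deployment values; the original post does not show them.
IDP_URL = "https://keystone1:5000"
SP_URL = "https://keystone2:5000"
SP_ECP_URL = "https://keystone2:5000/Shibboleth.sso/SAML2/ECP"
SP_ID = "keystone2"    # id of the service provider object created on keystone1
IDP_ID = "keystone1"   # id of the identity provider object created on keystone2
PROTOCOL = "saml2"


def ecp_assertion_request(idp_url, token, sp_id):
    """Step 1: ask the IdP for a SAML assertion wrapped in an ECP envelope.
    The IdP token is scoped to the service provider, not to a project."""
    body = {"auth": {"identity": {"methods": ["token"], "token": {"id": token}},
                     "scope": {"service_provider": {"id": sp_id}}}}
    return {"method": "POST", "url": f"{idp_url}/v3/auth/OS-FEDERATION/saml2/ecp",
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def ecp_post_request(sp_ecp_url, envelope):
    """Step 2: hand the PAOS/ECP envelope to Shibboleth on the SP."""
    return {"method": "POST", "url": sp_ecp_url,
            "headers": {"Content-Type": "application/vnd.paos+xml"}, "body": envelope}


def unscoped_token_request(sp_url, idp_id, protocol, cookie):
    """Step 3: present the Shibboleth session at the SP Keystone's federated auth URL."""
    return {"method": "GET",
            "url": f"{sp_url}/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/auth",
            "headers": {"Cookie": cookie}, "body": None}


def session_cookie(set_cookie):
    """Keep only name=value of the Shibboleth session cookie; drop Path/Secure/HttpOnly."""
    return set_cookie.split(";", 1)[0].strip()


def get_unscoped_token(send, idp_token, idp_url=IDP_URL, sp_id=SP_ID, sp_ecp_url=SP_ECP_URL,
                       sp_url=SP_URL, idp_id=IDP_ID, protocol=PROTOCOL):
    """Run the three steps; failures are reported per step so a broken trust
    (wrong entityID, stale metadata, missing mapping) is easy to locate."""
    resp = send(ecp_assertion_request(idp_url, idp_token, sp_id))
    if resp["status"] != 200:
        raise RuntimeError(f"IdP refused the ECP request: HTTP {resp['status']}")
    # Shibboleth answers with a redirect; the transport must not follow it,
    # otherwise the Set-Cookie carrying the session is lost.
    resp = send(ecp_post_request(sp_ecp_url, resp["body"]))
    if resp["status"] not in (200, 302) or "Set-Cookie" not in resp["headers"]:
        raise RuntimeError(f"SP did not establish a Shibboleth session: HTTP {resp['status']}")
    cookie = session_cookie(resp["headers"]["Set-Cookie"])
    resp = send(unscoped_token_request(sp_url, idp_id, protocol, cookie))
    if resp["status"] != 201 or "X-Subject-Token" not in resp["headers"]:
        raise RuntimeError(f"SP Keystone did not issue a token: HTTP {resp['status']}")
    return resp["headers"]["X-Subject-Token"]


def urllib_send(request):
    """Real transport on the standard library; redirects are deliberately not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    data = request["body"].encode() if request["body"] else None
    req = urllib.request.Request(request["url"], data=data, headers=request["headers"],
                                 method=request["method"])
    try:
        with urllib.request.build_opener(NoRedirect).open(req) as resp:
            return {"status": resp.status, "headers": dict(resp.headers), "body": resp.read().decode()}
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here with headers intact
        return {"status": err.code, "headers": dict(err.headers), "body": err.read().decode()}


# Constructed responses standing in for keystone1, Shibboleth and keystone2.
SAMPLE_RESPONSES = {
    "/v3/auth/OS-FEDERATION/saml2/ecp": {"status": 200, "headers": {},
                                         "body": "<S:Envelope>constructed ECP envelope</S:Envelope>"},
    "/Shibboleth.sso/SAML2/ECP": {"status": 302,
                                  "headers": {"Set-Cookie": "_shibsession_1=abc123; Path=/; Secure; HttpOnly",
                                              "Location": f"{SP_URL}/v3/OS-FEDERATION/identity_providers/keystone1/protocols/saml2/auth"},
                                  "body": ""},
    "/protocols/saml2/auth": {"status": 201, "headers": {"X-Subject-Token": "unscoped-token-xyz"},
                              "body": "{\"token\": {}}"},
}


def scripted_send(log):
    """Offline transport: records each request in `log`, answers from SAMPLE_RESPONSES."""
    def send(request):
        log.append(request)
        return next(r for suffix, r in SAMPLE_RESPONSES.items() if request["url"].endswith(suffix))
    return send


if __name__ == "__main__":
    log = []
    print(get_unscoped_token(scripted_send(log), "constructed-idp-token"))
    print([(r["method"], r["url"]) for r in log])
```

The unscoped token returned in step 3 carries no project or domain scope; it is only good for discovering what the mapped groups grant access to and then requesting a scoped token, which is what the two OS-FEDERATION listing calls below are for.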
Using the returned token, the user can list the projects and domains that are accessible:
- List projects a federated user can access: GET /OS-FEDERATION/projects
- List domains a federated user can access: GET /OS-FEDERATION/domains