author | Kristi Nikolla <knikolla@bu.edu> | 2017-07-15 10:16:18 -0400 |
committer | Colleen Murphy <colleen.murphy@suse.com> | 2020-02-05 11:04:21 -0800 |
commit | 0e6c07e46fdfdd7662dd3eee7a110f72dda128e6 (patch) | |
tree | b94469ac45c16e47f1a8133f153fca9e30bbd9b2 | |
parent | 3907f65600c605ea39ec99346db860373522a0cb (diff) | |
download | keystone-0e6c07e46fdfdd7662dd3eee7a110f72dda128e6.tar.gz |
Added keystone identity provider installation to Devstack plugin
Devstack, alongside samltest, will now setup keystone as an idp.
bp devstack-plugin
Change-Id: I55b4e727404d910aa9b5a07b49b783799bc5f098
(cherry picked from commit 1e0a9684937038df59931363c4e1560edc176473)
-rw-r--r-- | devstack/files/federation/shib_apache_handler.txt | 12 | ||||
-rw-r--r-- | devstack/files/federation/shibboleth2.xml | 11 | ||||
-rw-r--r-- | devstack/lib/federation.sh | 63 |
3 files changed, 61 insertions, 25 deletions
diff --git a/devstack/files/federation/shib_apache_handler.txt b/devstack/files/federation/shib_apache_handler.txt
index ebf53ada6..e863cb62f 100644
--- a/devstack/files/federation/shib_apache_handler.txt
+++ b/devstack/files/federation/shib_apache_handler.txt
@@ -14,3 +14,15 @@
 ShibRequireAll On
 </IfVersion>
 </Location>
+
+<Location /identity/v3/OS-FEDERATION/identity_providers/keystone/protocols/mapped/auth>
+ ShibRequestSetting requireSession 1
+ AuthType shibboleth
+ ShibExportAssertion Off
+ Require valid-user
+
+ <IfVersion < 2.4>
+ ShibRequireSession On
+ ShibRequireAll On
+ </IfVersion>
+</Location>
diff --git a/devstack/files/federation/shibboleth2.xml b/devstack/files/federation/shibboleth2.xml
index 65b8667a5..cecb50b5e 100644
--- a/devstack/files/federation/shibboleth2.xml
+++ b/devstack/files/federation/shibboleth2.xml
@@ -19,9 +19,8 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
 <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
 <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
- <!-- Triggers a login request directly to the TestShib IdP. -->
- <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
- <SSO entityID="%IDP_REMOTE_ID%" ECP="true">
+ <!-- Without a Discovery Protocol this really only supports ECP. -->
+ <SSO ECP="true">
 SAML2
 SAML1
 </SSO>
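Review bot: The new `<Location>` for `identity_providers/keystone` duplicates the samltest block above it line for line, so every IdP registered in keystone needs its own copy and the `/auth` path of any IdP id that has no block is not behind `Require valid-user` at all — keystone then only sees a request with no Shib headers. One `<LocationMatch "^/identity/v3/OS-FEDERATION/identity_providers/[^/]+/protocols/mapped/auth$">` with the same body covers both blocks today and any IdP added later. The literal `keystone` id in the path must agree with whatever register_federation creates, which is outside this diff.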
@@ -53,9 +52,9 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
 <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
- <!-- Loads and trusts a metadata file that describes only the Testshib IdP and how to communicate with it. -->
- <MetadataProvider type="XML" uri="%IDP_METADATA_URL%"
- backingFilePath="metadata.xml" reloadInterval="180000" />
+ <!-- Loads and trusts a metadata files that describe the IdPs and how to communicate with them. -->
+ <MetadataProvider type="XML" uri="%IDP_METADATA_URL%" />
+ <MetadataProvider type="XML" uri="%KEYSTONE_METADATA_URL%" />
 <!-- Attribute and trust options you shouldn't need to change. -->
 <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
diff --git a/devstack/lib/federation.sh b/devstack/lib/federation.sh
index eec204ba8..7497859be 100644
--- a/devstack/lib/federation.sh
+++ b/devstack/lib/federation.sh
@@ -23,6 +23,8 @@ IDP_REMOTE_ID=${IDP_REMOTE_ID:-https://samltest.id/saml/idp}
 IDP_ECP_URL=${IDP_ECP_URL:-https://samltest.id/idp/profile/SAML2/SOAP/ECP}
 IDP_METADATA_URL=${IDP_METADATA_URL:-https://samltest.id/saml/idp}
+KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"http://$HOST_IP/identity/v3/OS-FEDERATION/saml2/metadata"}
+
 MAPPING_REMOTE_TYPE=${MAPPING_REMOTE_TYPE:-uid}
 MAPPING_USER_NAME=${MAPPING_USER_NAME:-"{0}"}
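Review bot: Neither `MetadataProvider` carries a `MetadataFilter`, so shibd trusts whatever signing certificate is in the document it downloads; for `%KEYSTONE_METADATA_URL%` federation.sh defaults that to a plain `http://` URL, which lets anyone on the path to `$HOST_IP` hand the SP a substitute IdP certificate and forge assertions it will accept. That is tolerable for a throwaway devstack but should be stated next to the elements, e.g. `<!-- Dev-only: metadata is fetched unsigned and, for keystone, over plain HTTP; add a Signature MetadataFilter before reusing this config. -->`. Dropping `backingFilePath` also removes the on-disk copy shibd fell back to when the URL was unreachable at startup, so if keystone's metadata is not yet served when `restart_service shibd` runs the keystone IdP stays unknown until the next reload; whether that ordering can occur depends on devstack's run order, which this hunk does not show.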
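Review bot: `KEYSTONE_IDP_METADATA_URL` is hard-wired to `http://$HOST_IP/...` even when `tls-proxy` is enabled, while the matching `idp_entity_id`/`idp_sso_endpoint` set later in configure_federation are built from `$KEYSTONE_AUTH_URI`, so the metadata shibd fetches travels in cleartext and its scheme can differ from the entity id it advertises. Building the default from the same base keeps the two aligned: `KEYSTONE_IDP_METADATA_URL=${KEYSTONE_IDP_METADATA_URL:-"$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/metadata"}`, provided `KEYSTONE_AUTH_URI` is already defined when this file is sourced, which the hunk does not show.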
@@ -57,9 +59,24 @@ function configure_apache {
 restart_apache_server
 }
+function configure_shibboleth {
+ # Copy a templated /etc/shibboleth/shibboleth2.xml file...
+ sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
+ # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
+ sudo sed -i -e "
+ s|%HOST_IP%|$HOST_IP|g;
+ s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
+ s|%KEYSTONE_METADATA_URL%|$KEYSTONE_IDP_METADATA_URL|g;
+ " $SHIBBOLETH_XML
+
+ sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
+
+ restart_service shibd
+}
+
 function install_federation {
 if is_ubuntu; then
- install_package libapache2-mod-shib2
+ install_package libapache2-mod-shib2 xmlsec1
 # Create a new keypair for Shibboleth
 sudo shib-keygen -f
@@ -75,7 +92,7 @@ function install_federation {
 | sudo tee /etc/yum.repos.d/shibboleth.repo >/dev/null
 # Install Shibboleth
- install_package shibboleth
+ install_package shibboleth xmlsec1-openssl
 # Create a new keypair for Shibboleth
 sudo /etc/shibboleth/keygen.sh -f -o /etc/shibboleth
@@ -94,6 +111,8 @@ function install_federation {
 else
 echo "Skipping installation of shibboleth for non ubuntu nor fedora nor suse host"
 fi
+
+ pip_install pysaml2
 }
 function upload_sp_metadata_to_samltest {
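Review bot: The comment in `configure_shibboleth` still says it replaces `%IDP_REMOTE_ID%`, but the `sed` only substitutes `%HOST_IP%`, `%IDP_METADATA_URL%` and `%KEYSTONE_METADATA_URL%` (the template dropped `%IDP_REMOTE_ID%` in this same change); make it `# ... and replace the %HOST_IP%, %IDP_METADATA_URL% and %KEYSTONE_METADATA_URL% placeholders`. The three values are spliced unescaped into `|`-delimited sed expressions, so an operator override of `IDP_METADATA_URL` or `KEYSTONE_IDP_METADATA_URL` containing `|` or `&` silently produces a broken shibboleth2.xml; a short comment stating that restriction (or escaping the values first) would spare someone a confusing shibd failure. Stylistically, `$FEDERATION_FILES/shibboleth2.xml` and `$SHIBBOLETH_XML` are unquoted in the first `cp` while the attribute-map `cp` a few lines later quotes its source — quote both for consistency.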
@@ -110,32 +129,35 @@ function upload_sp_metadata_to_samltest {
 }
 function configure_federation {
- configure_apache
-
- # Copy a templated /etc/shibboleth/shibboleth2.xml file...
- sudo cp $FEDERATION_FILES/shibboleth2.xml $SHIBBOLETH_XML
- # ... and replace the %HOST_IP%, %IDP_REMOTE_ID%,and %IDP_METADATA_URL% placeholders
- sudo sed -i -e "
- s|%HOST_IP%|$HOST_IP|g;
- s|%IDP_REMOTE_ID%|$IDP_REMOTE_ID|g;
- s|%IDP_METADATA_URL%|$IDP_METADATA_URL|g;
- " $SHIBBOLETH_XML
+ # Specify the header that contains information about the identity provider
+ iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
- sudo cp "$FEDERATION_FILES/attribute-map.xml" $ATTRIBUTE_MAP
+ # Configure certificates and keys for Keystone as an IdP
+ if is_service_enabled tls-proxy; then
+ iniset $KEYSTONE_CONF saml certfile "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
+ iniset $KEYSTONE_CONF saml keyfile "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
+ else
+ openssl genrsa -out /etc/keystone/ca.key 4096
+ openssl req -new -x509 -days 1826 -key /etc/keystone/ca.key -out /etc/keystone/ca.crt \
+ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
- restart_service shibd
- # Enable the mapped auth method in /etc/keystone.conf
- iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
+ iniset $KEYSTONE_CONF saml certfile "/etc/keystone/ca.crt"
+ iniset $KEYSTONE_CONF saml keyfile "/etc/keystone/ca.key"
+ fi
- # Specify the header that contains information about the identity provider
- iniset $KEYSTONE_CONF mapped remote_id_attribute "Shib-Identity-Provider"
+ iniset $KEYSTONE_CONF saml idp_entity_id "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/idp"
+ iniset $KEYSTONE_CONF saml idp_sso_endpoint "$KEYSTONE_AUTH_URI/v3/OS-FEDERATION/saml2/sso"
+ iniset $KEYSTONE_CONF saml idp_metadata_path "/etc/keystone/keystone_idp_metadata.xml"
 if [[ "$WSGI_MODE" == "uwsgi" ]]; then
 restart_service "devstack@keystone"
 fi
- restart_apache_server
+ keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
+
+ configure_shibboleth
+ configure_apache
 # TODO(knikolla): We should not be relying on an external service. This
 # will be removed once we have an idp deployed during devstack install.
@@ -155,6 +177,9 @@ function register_federation {
 }
 function configure_tests_settings {
+ # Enable the mapped auth method in /etc/keystone.conf
+ iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"
+
 # Here we set any settings that might be need by the fed_scenario set of tests
 iniset $TEMPEST_CONFIG identity-feature-enabled federation True
|
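Review bot: In the non-tls-proxy branch `openssl genrsa -out /etc/keystone/ca.key 4096` creates the SAML signing key with a mode that depends on the OpenSSL version and the caller's umask (releases that do not force 0600 on private-key output simply honour the umask and leave it world-readable), and nothing afterwards tightens it; add `chmod 600 /etc/keystone/ca.key` directly after the `genrsa` line. The pair is also regenerated unconditionally on every run, which invalidates metadata any peer SP has already fetched; either a comment saying that is intended for devstack, or a `[[ -f /etc/keystone/ca.key ]] ||` guard in front of the generation, would make the choice explicit. The names `ca.key`/`ca.crt` are misleading for what is a self-signed signing certificate rather than a CA — `saml.key`/`saml.crt` would read correctly. `configure_federation` continues past the end of this hunk.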
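Review bot: `iniset $KEYSTONE_CONF auth methods "external,password,token,mapped"` has moved out of configure_federation into `configure_tests_settings`, so keystone only accepts the `mapped` method when the tempest settings step runs, and the `iniset` overwrites the whole `auth methods` list rather than adding `mapped`, dropping any method another plugin enabled earlier. If the move is deliberate because only the fed_scenario tests exercise it, the comment should say so, e.g. `# Enable the mapped auth method; only the fed_scenario tests need it, which is why it is set here rather than in configure_federation`; otherwise the line belongs back in configure_federation next to `remote_id_attribute`, where keystone is restarted afterwards. Whether anything restarts keystone after this function runs is outside the diff.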