Chapter 3. Federation using Red Hat OpenStack Platform and other vendors

Procedure

1. Provide your SSO administrator with appropriate redirect URIs. In response, your SSO administrator provides you with a ClientID and a Client secret.

2. Copy the enable-federation-openidc.yaml environment file heat template to the /home/stack/templates/ directory.

   $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
   /home/stack/templates

3. Modify the enable-federation-openidc.yaml environment file to meet the requirements of your federation solution.

   1. The following are parameters that are commonly required for the configuration of Federation:

      KeystoneAuthMethods

      A comma delimited list of acceptable methods for authentication.

      KeystoneOpenIdcClientId

      Your client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.

      KeystoneOpenIdcClientSecret

      The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URLs.

      KeystoneOpenIdcCryptoPassphrase

      Choose a passphrase to use when encrypting data for OpenID Connect handshake.

      KeystoneOpenIdcIdpName

      The name associated with the IdP in the Identity service (keystone).

      KeystoneOpenIdcIntrospectionEndpoint

      The Identity service introspection endpoint: https://<fqdn>/realms/<realm>/protocol/openid-connect/token/introspect

      KeystoneOpenIdcProviderMetadataUrl

      The URL that points to your OpenID Connect provider metadata.

      KeystoneOpenIdcRemoteIdAttribute

      Attribute to be used to obtain the entity ID of the Identity Provider from the environment.

      KeystoneOpenIdcResponseType

      Response type to be expected from the OpenID Connect provider.

      KeystoneTrustedDashboards

      A dashboard URL trusted for single sign-on, this can also be a comma delimited list.

      WebSSOChoices

      Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.

      WebSSOIDPMapping

      Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.

   2. You can use the following three parameters to customize the interaction between RHOSP and your federation solution.

      parameter_defaults:
        KeystoneOpenIdcClaimDelimiter: ';'
        KeystoneOpenIdcPassUserInfoAs: 'claims'
        KeystoneOpenIdcPassClaimsAs: 'both'
        ...

      • Use the KeystoneOpenIdcClaimDelimiter parameter to set the delimiter when setting multivalue claims. The default delimiter is a semi-colon.
      • Use the KeystoneOpenIdcPassUserInfoAs parameter to define the way in which the claims, once resolved, are passed to the federation application. Allowed values are claims, json, and jwt.

      • Use the KeystoneOpenIdcPassClaimsAs parameter to define the way in which the claims and tokens are passed to the application environment. The options are:

        • none: Claims and tokens are not are passed to the application.
        • environment: Claims and tokens are passed as environment variables.
        • headers: Claims and tokens are passed in headers.

        • both: Claims and headers are passed as both headers and variables. This is the default.

          Note

          For a sample configuration of a supported Federation configuration, see Deploying Red Hat OpenStack Platform with single sign-on.

4. Add the enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud:

   (undercloud)$ openstack overcloud deploy --templates \
   -e [your environment files] \
   -e /home/stack/templates/enable-federation-openidc.yaml

Procedure

1. Create a federated domain:

   openstack domain create <federated_domain_name>

2. Set up the federation identity provider.

   openstack identity provider create \
   --remote-id <url> --domain <domain_name> <IdpName>

   • Replace <url> with the remote id required by your identity provider.
   • Replace <domain_name> with the name of the federated domain that you created in step 1.
   • Replace <IdpName> with the name associated with the IdP in the Identity service (keystone).

3. Create a mapping file. The mapping file is unique to the identity needs of your cloud:

   cat > mapping.json << EOF
   [
       {
           "local": [
               {
                   "user": {
                    "name": "{0}"
                   },
                   "group": {
                       "domain": {
                        "name": "<federated_domain>"
                       },
                       "name": "<federated_group_name>"
                   }
               }
           ],
           "remote": [
               {
                   "type": "<idp_claim_id>"
               }
           ]
       }
   ]
   EOF

   • Replace federated_domain with the domain you created in a previous step.
   • Replace <federated_group_name> with a chosen name. You will create this in a later step.
   • Replace <idp-claim-id> with the claim ID required for your identity provider.

4. Use the mapping file to create the federation mapping rules for OpenStack. In the provided example, mapping rules created from the mapping.json file are called Idpmap:

   openstack mapping create --rules <file> <name>

   For example:

   openstack mapping create --rules mapping.json IdpMap

5. Create a federated group:

   openstack group create --domain <federation_domain> <federation_group_name>

6. Create an Identity service (keystone) project

   openstack project create --domain <federation_domain> <federation_project_name>

7. Add the Identity service federation group to a role:

   openstack role add --group <federation_group_name> \
   --group-domain <federation_domain> \
   --project <federation_project_name> \
   --project-domain <federation_domain> member

8. Create the OpenID federation protocol:

   openstack federation protocol create openid \
   --mapping IdpMap --identity-provider <identityProvider>