Chapter 3. Federation using Red Hat OpenStack Platform and Active Directory Federation Services


Red Hat supports using Microsoft Active Directory Federation Services (AD FS) as an identity provider for Red Hat OpenStack Platform (RHOSP), so that the federated single sign-on solution that already exists in your wider organization can also be used to sign in to RHOSP.

Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it integrates with your federated authentication solution. Federation allows users to log in to the OpenStack Dashboard using single sign-on (SSO). SSO is available only through the OpenStack Dashboard.

Prerequisites

  • You have installed Red Hat OpenStack Platform director.
  • You have Active Directory Federation Services (AD FS) configured for federation in your environment.

Procedure

  1. Note your keystone endpoint. The keystone endpoint is the FQDN that you assign to the CloudName parameter in the custom-domain.yaml heat template, with the transport scheme and port number included. The keystone endpoint has the following form:

    https://<FQDN>:13000
    Note

    If you do not deploy TLS, your keystone endpoint is http://<FQDN>:5000. Red Hat recommends deploying TLS for every production deployment of RHOSP; without it, the OpenID Connect authorization code and the keystone token that are exchanged during single sign-on travel in clear text.

  2. Provide your SSO administrator with the following redirect URIs. The identity provider name in the first URI (adfsIdP) must be the same as the KeystoneOpenIdcIdpName value in the environment file and the name of the identity provider that you create in keystone later in this chapter:

    Redirect URIs:

    https://<FQDN>:13000/v3/auth/OS-FEDERATION/identity_providers/adfsIdP/protocols/openid/websso
    https://<FQDN>:13000/v3/auth/OS-FEDERATION/websso/openid
  3. In response, your SSO administrator provides you with a client ID and a client secret. Treat the client secret as a credential: it is written in clear text into the environment file, so restrict who can read that file.
  4. Copy the enable-federation-openidc.yaml environment file into the templates directory of the stack user:

    cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
    /home/stack/templates/
  5. Edit your copy of the enable-federation-openidc.yaml environment file. The following sample configuration is annotated with callouts (1) to (12), which are explained below the sample:

    parameter_defaults:
      KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid  # (1)
      KeystoneOpenIdcClientId: <ClientID>  # (2)
      KeystoneOpenIdcClientSecret: <ClientSecret>  # (3)
      KeystoneOpenIdcCryptoPassphrase: openstack  # (4)
      KeystoneOpenIdcIdpName: adfsIdP  # (5)
      KeystoneOpenIdcIntrospectionEndpoint: https://adfs.local.com/adfs/openid-connect/token/introspect  # (6)
      KeystoneOpenIdcProviderMetadataUrl: https://adfs.local.com/adfs/.well-known/openid-configuration  # (7)
      KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS  # (8)
      KeystoneOpenIdcResponseType: code  # (9)
      KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/  # (10)
      WebSSOChoices: [['OIDC', 'OpenID Connect']]  # (11)
      WebSSOIDPMapping: {'OIDC': ['adfsIdP', 'openid']}  # (12)
      WebSSOInitialChoice: OIDC
      KeystoneFederationEnable: True
      KeystoneOpenIdcEnable: True
      KeystoneOpenIdcEnableOAuth: True
      WebSSOEnable: True

    (1) A comma-delimited list of acceptable authentication methods. The list must include openid, otherwise keystone rejects the federated login.
    (2) The client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.
    (3) The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URIs. The secret is stored in clear text in this file; restrict access to the file accordingly.
    (4) A passphrase that the OpenID Connect module in the keystone web server uses to encrypt its session state and cookies during the handshake. Choose a long, random value; do not use the sample value shown here in a real deployment.
    (5) The name associated with the identity provider (IdP) in the Identity service (keystone). This value must be identical to the identity provider name that you include in the redirect URIs and that you create with openstack identity provider create later in this chapter; the procedure uses adfsIdP throughout.
    (6) The token introspection endpoint of your OpenID Connect provider. Keystone uses it when KeystoneOpenIdcEnableOAuth is True to validate bearer tokens that are presented directly to the Identity service. The value in the sample is a placeholder: obtain the real URL from your AD FS administrator or from the introspection_endpoint field of the provider metadata.
    (7) The URL that points to your OpenID Connect provider metadata.
    (8) The attribute from which keystone obtains the entity ID (remote ID) of the identity provider. HTTP_OIDC_ISS carries the iss claim of the ID token, so the remote ID that you register for the identity provider in keystone must be exactly the issuer value that AD FS publishes.
    (9) The response type to expect from the OpenID Connect provider. code selects the authorization code flow.
    (10) A dashboard URL that is trusted for single sign-on; this can also be a comma-delimited list. Keystone only hands the federated token back to a dashboard whose URL appears in this list, so enter the exact WebSSO URL of your dashboard and nothing broader.
    (11) Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
    (12) Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
  6. Add the enable-federation-openidc.yaml file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
    -e [your environment files] \
    -e /home/stack/templates/enable-federation-openidc.yaml
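The values in the environment file from step 5 have to agree with each other, with the redirect URIs from step 2, and with what AD FS actually publishes. The following script is an added example (not code from the Red Hat documentation, keystone, or tripleo) that performs those checks offline before you deploy. SAMPLE_METADATA is a constructed stand-in for the JSON that AD FS serves at KeystoneOpenIdcProviderMetadataUrl; the field names follow OpenID Connect Discovery, but which fields a real server publishes varies, so in practice you fetch that document and pass the parsed JSON in. The helper names, the weak-passphrase list, and the check that a trusted dashboard URL ends in /auth/websso/ are this example's own conventions.

```python
"""Offline consistency check for the OpenID Connect settings in
enable-federation-openidc.yaml.

Added example; not code from the Red Hat documentation, keystone or tripleo.
SAMPLE_METADATA is a CONSTRUCTED stand-in for the JSON that AD FS serves at
KeystoneOpenIdcProviderMetadataUrl (field names follow OpenID Connect
Discovery; which fields a real server publishes varies).  The helper names and
the dashboard-path check are this example's own conventions.
"""
import json
from urllib.parse import urlsplit

# Constructed sample of /adfs/.well-known/openid-configuration.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://adfs.local.com/adfs",
  "authorization_endpoint": "https://adfs.local.com/adfs/oauth2/authorize",
  "token_endpoint": "https://adfs.local.com/adfs/oauth2/token",
  "introspection_endpoint": "https://adfs.local.com/adfs/openid-connect/token/introspect",
  "jwks_uri": "https://adfs.local.com/adfs/discovery/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "claims_supported": ["aud", "iss", "iat", "exp", "upn", "unique_name"]
}""")

# parameter_defaults from the sample environment file, as a plain dict.
SAMPLE_CONFIG = {
    "KeystoneAuthMethods": "password,token,oauth1,mapped,application_credential,openid",
    "KeystoneOpenIdcIdpName": "adfsIdP",
    "KeystoneOpenIdcCryptoPassphrase": "openstack",
    "KeystoneOpenIdcIntrospectionEndpoint":
        "https://adfs.local.com/adfs/openid-connect/token/introspect",
    "KeystoneOpenIdcResponseType": "code",
    "KeystoneTrustedDashboards": "https://overcloud.redhat.local/dashboard/auth/websso/",
    "WebSSOIDPMapping": {"OIDC": ["adfsIdP", "openid"]},
}

WEAK_PASSPHRASES = {"openstack", "password", "secret", "changeme"}


def redirect_uris(keystone_fqdn, idp_name, protocol="openid", port=13000):
    """The two keystone WebSSO callback URLs to hand to the AD FS administrator."""
    base = f"https://{keystone_fqdn}:{port}/v3/auth/OS-FEDERATION"
    return [
        f"{base}/identity_providers/{idp_name}/protocols/{protocol}/websso",
        f"{base}/websso/{protocol}",
    ]


def check_federation_config(cfg, metadata, remote_id):
    """Return a list of (code, message) findings; an empty list means nothing found.

    remote_id is the value intended for 'openstack identity provider create
    --remote-id'.  Keystone compares it with HTTP_OIDC_ISS, i.e. the token's
    issuer, so it must be byte-for-byte identical to metadata['issuer'].
    """
    findings = []
    if "openid" not in cfg["KeystoneAuthMethods"].split(","):
        findings.append(("auth-methods", "'openid' is missing from KeystoneAuthMethods"))
    if remote_id != metadata["issuer"]:
        findings.append(("remote-id", f"remote-id {remote_id!r} != issuer {metadata['issuer']!r}"))
    if cfg["KeystoneOpenIdcResponseType"] not in metadata.get("response_types_supported", []):
        findings.append(("response-type", "provider does not advertise the configured response type"))
    published = metadata.get("introspection_endpoint")
    if published is None:
        findings.append(("introspection", "metadata publishes no introspection_endpoint; "
                                          "confirm the URL with the AD FS administrator"))
    elif cfg["KeystoneOpenIdcIntrospectionEndpoint"] != published:
        findings.append(("introspection", "configured introspection endpoint differs from metadata"))
    idp, proto = cfg["WebSSOIDPMapping"]["OIDC"]
    if idp != cfg["KeystoneOpenIdcIdpName"] or proto != "openid":
        findings.append(("idp-mapping", "WebSSOIDPMapping must name KeystoneOpenIdcIdpName and 'openid'"))
    passphrase = cfg["KeystoneOpenIdcCryptoPassphrase"]
    if len(passphrase) < 16 or passphrase.lower() in WEAK_PASSPHRASES:
        findings.append(("passphrase", "KeystoneOpenIdcCryptoPassphrase is short or a sample value"))
    for url in (u.strip() for u in cfg["KeystoneTrustedDashboards"].split(",")):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("dashboard", f"{url} is not served over https"))
        if not parts.path.endswith("/auth/websso/"):
            findings.append(("dashboard", f"{url} is not a horizon WebSSO endpoint"))
    return findings


if __name__ == "__main__":
    for uri in redirect_uris("overcloud.redhat.local", SAMPLE_CONFIG["KeystoneOpenIdcIdpName"]):
        print("redirect URI:", uri)
    for code, msg in check_federation_config(SAMPLE_CONFIG, SAMPLE_METADATA,
                                             "https://adfs.local.com/adfs"):
        print(f"[{code}] {msg}")
```

Run against the sample file as shown on this page, the only finding is the passphrase, because the sample value openstack is exactly the kind of value that must not reach production. Adding a trailing slash to the remote ID, or listing an http:// dashboard, each produces its own finding, which is the point: keystone compares the remote ID and the trusted dashboard URL as exact strings, so a near miss fails silently at login time rather than at deploy time.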

After you deploy Red Hat OpenStack Platform (RHOSP) with AD FS as the OpenID Connect identity provider, complete the following steps to register the identity provider (IdP) and its attribute mapping with the service provider (the Identity service in RHOSP).

Procedure

  1. Create a federated domain:

    openstack domain create <federated_domain_name>

    Example output:

    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | enabled     | True                             |
    | id          | b493634c9dbf4546a2d1988af181d7c9 |
    | name        | my_domain                        |
    | options     | {}                               |
    | tags        | []                               |
    +-------------+----------------------------------+
  2. Set up the federation identity provider:

    openstack identity provider create --remote-id https://<adfs_fqdn>:9443/adfs --domain <federated_domain_name> adfsIdP

    Replace <adfs_fqdn> with the fully qualified domain name of your Active Directory Federation Services server, and replace <federated_domain_name> with the name of the federated domain that you created in step 1. The --remote-id value must be identical to the issuer that AD FS publishes in the issuer field of its OpenID Connect provider metadata: keystone matches the HTTP_OIDC_ISS attribute taken from the ID token against the registered remote IDs as an exact string, so a trailing slash or a different port makes every federated login fail. The identity provider name adfsIdP must match KeystoneOpenIdcIdpName in the environment file and the name in the redirect URIs that you gave to your SSO administrator.

    Example output:

    +-------------------+-----------------------------------------------------+
    | Field             | Value                                               |
    +-------------------+-----------------------------------------------------+
    | authorization_ttl | None                                                |
    | description       | None                                                |
    | domain_id         | b493634c9dbf4546a2d1988af181d7c9                    |
    | enabled           | True                                                |
    | id                | adfsIdP                                             |
    | remote_ids        | https://adfs.fqdn.local/adfs/                       |
    +-------------------+-----------------------------------------------------+
  3. Create a mapping file. The mapping file is unique to the identity needs of your cloud. The following example maps every user that AD FS authenticates to a user named after the user principal name (UPN) and places that user in one federated group:

    cat > mapping.json << EOF
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "<federated_domain_name>"
                        },
                        "name": "<federated_group_name>"
                    }
                }
            ],
            "remote": [
                {
                    "type": "OIDC-upn"
                }
            ]
        }
    ]
    EOF

    (1) <federated_domain_name>, under "group" and "domain", is the domain that you created in step 1.
    (2) Choose a name for <federated_group_name>. You create this group in a later step.
    (3) You must use OIDC-upn as the claim ID for AD FS; it is the user principal name claim as the OpenID Connect module passes it to keystone. The {0} placeholder in the "local" section is replaced with the value of the first "remote" entry, so the UPN becomes the keystone user name. Because this rule has no conditions, every user that AD FS authenticates and that presents a UPN is placed in the group; add an any_one_of or not_any_of condition to the "remote" entry if only some of those users should be admitted to your cloud.
  4. Use the mapping file to create the federation mapping rules in keystone. In this example, the mapping rules created from the mapping.json file are called ADmap:

    openstack mapping create --rules <file> <name>

    For example:

    $ openstack mapping create --rules mapping.json ADmap
  5. Create the federated group that the mapping refers to:

    openstack group create --domain <federated_domain_name> <federated_group_name>
  6. Create an Identity service (keystone) project:

    openstack project create --domain <federated_domain_name> <federated_project_name>
  7. Assign the member role to the federated group on the project. Every federated user that the mapping places in the group receives this role:

    openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
  8. Create the OpenID federation protocol, which binds the identity provider to the mapping:

    openstack federation protocol create openid --mapping ADmap --identity-provider adfsIdP
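The mapping created in step 3 and bound to the identity provider in step 8 decides which AD FS users get a keystone identity and which group (and therefore which role) they receive. The following script is an added example, not keystone's own mapping engine and not part of the Red Hat documentation; it re-implements, offline, the subset of rule semantics the mapping on this page uses, in the way keystone applies them: the "remote" entries are checked in order, entries that carry any_one_of or not_any_of only accept or reject the rule, every other entry contributes its value to {0}, {1}, ... in the "local" templates, and a rule whose remote entries are not all satisfied produces nothing. Multi-valued attributes are simplified to single strings. The assertions fed to it are constructed, and the second, restricted rule goes beyond the page's mapping to show how a regex filter on the UPN suffix keeps users from other realms out of the group.

```python
"""Offline evaluation of keystone federation mapping rules against the claims
that the OpenID Connect module hands to keystone as OIDC-<claim> attributes.

Added example; not keystone's mapping engine.  It follows keystone's rule
semantics for the subset used by mapping.json on this page:
  * remote entries are checked in order;
  * entries with any_one_of / not_any_of are filters that only accept or reject;
  * every other entry must be present and contributes to {0}, {1}, ...;
  * a rule whose remote entries are not all satisfied produces nothing.
Multi-valued attributes are simplified to single strings.  The assertions and
the RESTRICTED_RULES variant are constructed for this example.
"""
import re

# The rule from mapping.json, with illustrative names for the placeholders.
PAGE_RULES = [
    {
        "local": [
            {
                "user": {"name": "{0}"},
                "group": {"domain": {"name": "federated_domain"},
                          "name": "federated_users"},
            }
        ],
        "remote": [{"type": "OIDC-upn"}],
    }
]

# Same mapping plus a filter: only UPNs in example.com are mapped (constructed).
RESTRICTED_RULES = [
    {
        "local": PAGE_RULES[0]["local"],
        "remote": [
            {"type": "OIDC-upn"},
            {"type": "OIDC-upn", "any_one_of": [r"@example\.com$"], "regex": True},
        ],
    }
]


def _matches(value, patterns, regex):
    """any_one_of / not_any_of comparison: regex search or exact membership."""
    if regex:
        return any(re.search(p, value) for p in patterns)
    return value in patterns


def _direct_values(remote_specs, assertion):
    """Values that fill {n}, or None when a remote entry rejects the rule."""
    values = []
    for spec in remote_specs:
        value = assertion.get(spec["type"])
        regex = spec.get("regex", False)
        if "any_one_of" in spec:
            if value is None or not _matches(value, spec["any_one_of"], regex):
                return None
            continue                       # filter only: no {n} contribution
        if "not_any_of" in spec:
            if value is not None and _matches(value, spec["not_any_of"], regex):
                return None
            continue
        if not value:                      # plain entry: attribute must exist
            return None
        values.append(value)
    return values


def _render(obj, values):
    """Substitute {0}, {1}, ... in every string of a local template."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    return obj


def apply_mapping(rules, assertion):
    """Return {'user': {...} or None, 'groups': [...]} for one assertion."""
    identity = {"user": None, "groups": []}
    for rule in rules:
        values = _direct_values(rule["remote"], assertion)
        if values is None:
            continue
        for local in rule["local"]:
            rendered = _render(local, values)
            if "user" in rendered:
                identity["user"] = rendered["user"]
            if "group" in rendered:
                identity["groups"].append(rendered["group"])
    return identity


if __name__ == "__main__":
    # Constructed assertions: what keystone sees after AD FS redirects back.
    for claims in ({"OIDC-upn": "alice@example.com", "OIDC-iss": "https://adfs.local.com/adfs"},
                   {"OIDC-upn": "mallory@contoso.com"},
                   {"OIDC-unique_name": "alice"}):        # no upn claim at all
        print(claims, "->", apply_mapping(RESTRICTED_RULES, claims))
```

With the page's rule, alice@example.com and mallory@contoso.com both land in federated_users and so both receive the member role assigned in step 7; an assertion with no OIDC-upn attribute maps to nothing and the login is refused. With the restricted rule, only the example.com user is mapped, which is the kind of condition to add when AD FS trusts more realms than your cloud should.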