Chapter 2. Federation using Red Hat OpenStack Platform and Red Hat Single Sign-On
Red Hat supports using Red Hat Single Sign-On (RH-SSO) as an identity provider for Red Hat OpenStack Platform (RHOSP), so that the federated single sign-on solution that already exists in your wider organization can also be used to log in to RHOSP.
2.1. Deploying Red Hat OpenStack Platform with Red Hat Single Sign-On
Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it can be integrated into your federated authentication solution. Federation allows users to log in to the OpenStack Dashboard using single sign-on (SSO). SSO is available only through the OpenStack Dashboard; the command-line clients and API continue to use the authentication methods listed in KeystoneAuthMethods.
Prerequisites
- You have installed Red Hat OpenStack Platform director.
- You have a Red Hat Single Sign-On (RH-SSO) deployment that provides federated authentication in your environment.
Procedure
Note your Identity service endpoint. The keystone endpoint is the FQDN value that you assign to the CloudName parameter in the custom-domain.yaml heat template, with the transport and port number included. The keystone endpoint has the following construction:
https://<FQDN>:13000
Note: If you do not deploy TLS, your Identity service API endpoint is http://<FQDN>:5000. Red Hat recommends deploying TLS with every production deployment of RHOSP; without it, the tokens and credentials that browsers send to the Identity service during the SSO exchange cross the network in clear text.
Provide your SSO administrator with the following redirect URIs:
https://<FQDN>:13000/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso
https://<FQDN>:13000/v3/auth/OS-FEDERATION/websso/openid
RH-SSO only redirects a browser back to URIs registered on the client, so both URIs must match your keystone endpoint exactly, including the scheme and port.
In response, your SSO administrator provides you with a ClientID and a ClientSecret.
Copy the enable-federation-openidc.yaml heat template into the stack home directory:
$ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml /home/stack/
Edit your copy of the enable-federation-openidc.yaml environment file. Below is a sample configuration:
parameter_defaults:
  KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid  # 1
  KeystoneOpenIdcClientId: <ClientID>  # 2
  KeystoneOpenIdcClientSecret: <ClientSecret>  # 3
  KeystoneOpenIdcCryptoPassphrase: openstack  # 4
  KeystoneOpenIdcIdpName: kcipaIDP  # 5
  KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect  # 6
  KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration  # 7
  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS  # 8
  KeystoneOpenIdcResponseType: id_token  # 9
  KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/  # 10
  WebSSOChoices: [['OIDC', 'OpenID Connect']]  # 11
  WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']}  # 12
  WebSSOInitialChoice: OIDC
  KeystoneFederationEnable: True
  KeystoneOpenIdcEnable: True
  KeystoneOpenIdcEnableOAuth: True
  WebSSOEnable: True
1. A comma-delimited list of acceptable authentication methods. The openid method must be present for federated logins to work.
2. The client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.
3. The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URIs. Because this file now contains a secret, restrict its permissions and keep it out of shared repositories.
4. A passphrase used to encrypt state data during the OpenID Connect handshake. Replace the sample value openstack with a strong, unique passphrase of your own.
5. The name associated with the IdP in the Identity service (keystone). The value for this parameter is always kcipaIDP for RH-SSO.
6. The RH-SSO token introspection endpoint: https://<rh-sso_fqdn>/realms/<realm>/protocol/openid-connect/token/introspect
7. The URL that points to the OpenID Connect provider metadata of your RH-SSO realm.
8. The attribute used to obtain the entity ID of the identity provider from the request environment. With HTTP_OIDC_ISS, keystone compares the issuer (iss) claim of the token with the remote ID that you later register for the identity provider, so the two must be identical.
9. The response type expected from the OpenID Connect provider.
10. A dashboard URL trusted for single sign-on; this can also be a comma-delimited list. Keystone returns federated tokens only to URLs in this list, so it must contain your Dashboard's websso callback and nothing else.
11. The list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
12. A mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources that you define in keystone after deployment (kcipaIDP and openid in this example).
Add enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud:
(undercloud)$ openstack overcloud deploy --templates \
  -e [your environment files] \
  -e /home/stack/enable-federation-openidc.yaml
2.2. Integrating Red Hat OpenStack Platform with Red Hat Single Sign-On
After you deploy Red Hat OpenStack Platform (RHOSP) with Red Hat Single Sign-On (RH-SSO) for federation, you must integrate RH-SSO with RHOSP.
Procedure
Create a federated domain:
$ openstack domain create <federated_domain_name>
Example output:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | b493634c9dbf4546a2d1988af181d7c9 |
| name        | my_domain                        |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+
Set up the federation identity provider:
$ openstack identity provider create --remote-id https://<rh-sso_fqdn>:9443/realms/<realm> --domain <federated_domain_name> kcipaIDP
Replace <rh-sso_fqdn> with the fully qualified domain name of RH-SSO, <realm> with the RH-SSO realm (the default realm is master), and <federated_domain_name> with the name of the federated domain that you created with openstack domain create. The remote ID must be identical, including scheme, port and path, to the issuer value that RH-SSO publishes in the provider metadata document you configured in KeystoneOpenIdcProviderMetadataUrl, because keystone selects the identity provider by comparing the remote ID with the HTTP_OIDC_ISS attribute. The identity provider name kcipaIDP must match KeystoneOpenIdcIdpName.
Example output:
+-------------------+----------------------------------------------+
| Field             | Value                                        |
+-------------------+----------------------------------------------+
| authorization_ttl | None                                         |
| description       | None                                         |
| domain_id         | b493634c9dbf4546a2d1988af181d7c9             |
| enabled           | True                                         |
| id                | kcipaIDP                                     |
| remote_ids        | https://rh-sso.fqdn.local:9443/realms/master |
+-------------------+----------------------------------------------+
Create a mapping file that is unique to the identity needs of your cloud.
Example:
$ cat > mapping.json << EOF
[
  {
    "local": [
      {
        "user": {
          "name": "{0}"
        },
        "group": {
          "domain": {
            "name": "<federated_domain_name>"
          },
          "name": "<federated_group_name>"
        }
      }
    ],
    "remote": [
      {
        "type": "OIDC-preferred_username"
      }
    ]
  }
]
EOF
- <federated_domain_name> is the domain that you created with openstack domain create.
- Choose a name for <federated_group_name>. You create this group in a later step; every federated user who matches the rule is placed in it.
- You must use OIDC-preferred_username as the remote attribute type for RH-SSO. It is the preferred_username claim of the token with the OIDC- prefix that the Apache OpenID Connect module adds to every claim; {0} in the local block takes its value, so the keystone user name is the RH-SSO user name.
Use the mapping file to create the federation mapping rules for RHOSP. In the provided example, the mapping rules created from the mapping.json file are named IPAmap:
openstack mapping create --rules <file> <name>
For example:
$ openstack mapping create --rules mapping.json IPAmap
Create a federated group. The domain and group names must be the ones that you used in mapping.json:
$ openstack group create --domain <federated_domain_name> <federated_group_name>
Create an Identity service (keystone) project:
$ openstack project create --domain <federated_domain_name> <federated_project_name>
Add the Identity service federation group to a role. Every federated user inherits this role through the group, so grant only the role that the users need:
$ openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
Create the OpenID federation protocol. The protocol name openid and the identity provider kcipaIDP must match the values in WebSSOIDPMapping:
$ openstack federation protocol create openid --mapping IPAmap --identity-provider kcipaIDP
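As an added example that is not part of the Red Hat procedure and not keystone's own code, the following Python script dry-runs a mapping file like the one above against constructed OIDC attributes, so you can confirm that a rule yields the expected local user and group before you load it with openstack mapping create, and it checks that the remote ID you pass to openstack identity provider create is identical to the issuer in the RH-SSO provider metadata. The domain and group names, the attribute values and the metadata excerpt are assumptions constructed for the demo, and the script models a simplified subset of keystone's mapping engine rather than the real implementation.

```python
"""Dry-run a keystone federation mapping against sample OIDC attributes.

Added example, not keystone's code and not part of the Red Hat procedure.
It re-implements, simplified, the mapping-rule semantics mapping.json uses
("type" selects a remote attribute, "{0}" substitutes its value into "local",
"any_one_of"/"not_any_of" filter), and the exact-match check that
KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS implies between the identity
provider's remote ID and the issuer in the provider metadata.
"""
import json
import re
from typing import Optional

# The page's mapping.json with placeholders filled in for this demo (assumed
# names: domain "my_domain", group "federated_users").
MAPPING_JSON = """
[{"local": [{"user": {"name": "{0}"},
             "group": {"domain": {"name": "my_domain"},
                       "name": "federated_users"}}],
  "remote": [{"type": "OIDC-preferred_username"}]}]
"""

# Constructed excerpt of /realms/master/.well-known/openid-configuration.
PROVIDER_METADATA = {"issuer": "https://rh-sso.fqdn.local:9443/realms/master"}


def load_rules() -> list:
    return json.loads(MAPPING_JSON)


def remote_id_matches(metadata: dict, remote_id: str) -> bool:
    """With remote_id_attribute = HTTP_OIDC_ISS keystone selects the identity
    provider by the token's 'iss' claim, which RH-SSO sets to the metadata
    'issuer'. It is a plain string comparison: a trailing slash, another port
    or http instead of https means no identity provider is found."""
    return metadata["issuer"] == remote_id


def _remote_matches(spec: dict, env: dict) -> bool:
    """Evaluate one 'remote' entry against the exported attributes (a dict
    standing in for the Apache request environment)."""
    value = env.get(spec["type"])
    if value is None:
        return False
    use_regex = bool(spec.get("regex", False))

    def hit(patterns):
        if use_regex:
            return any(re.search(p, value) for p in patterns)
        return value in patterns

    if "any_one_of" in spec:
        return hit(spec["any_one_of"])
    if "not_any_of" in spec:
        return not hit(spec["not_any_of"])
    return True


def _substitute(obj, values):
    """Expand '{0}', '{1}', ... inside every string of a 'local' block."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    return obj


def apply_mapping(rules: list, env: dict) -> Optional[dict]:
    """Return the materialised 'local' block of the first matching rule, or
    None when nothing matches (keystone then refuses the federated login).
    Following keystone's direct-mapping convention, only filter-free 'type'
    entries feed the {n} placeholders, numbered in 'remote' order."""
    for rule in rules:
        if not all(_remote_matches(r, env) for r in rule["remote"]):
            continue
        values = [env[r["type"]] for r in rule["remote"]
                  if "any_one_of" not in r and "not_any_of" not in r]
        local: dict = {}
        for item in rule["local"]:
            local.update(_substitute(item, values))
        return local
    return None


if __name__ == "__main__":
    # Constructed attributes for one login: OIDC- prefixed claims plus the
    # HTTP_OIDC_ISS variable that keystone compares with the remote ID.
    env = {"OIDC-preferred_username": "alice",
           "HTTP_OIDC_ISS": "https://rh-sso.fqdn.local:9443/realms/master"}
    print("issuer ok:", remote_id_matches(PROVIDER_METADATA, env["HTTP_OIDC_ISS"]))
    print(json.dumps(apply_mapping(load_rules(), env), indent=2))
```

Run it with python3 after editing MAPPING_JSON to your real domain and group names. A rule that returns None is one keystone would reject at login time, and a remote ID that fails the issuer check produces a login that never reaches the mapping stage, which is the first thing to verify when federated users see an authentication error.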
2.3. Additional resources
For more information on Red Hat Single Sign-On, see the Getting Started Guide.