Chapter 2. Federation using Red Hat OpenStack Platform and Red Hat Single Sign-On
Red Hat supports using Red Hat Single Sign-On as an identity provider for Red Hat OpenStack Platform (RHOSP), so that RHOSP can use the same federated single sign-on solution that exists in your wider organization.
2.1. Deploying Red Hat OpenStack Platform with Red Hat Single Sign-On
Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it can be integrated into your federated authentication solution.
Prerequisites
- You have installed Red Hat OpenStack Platform director.
- You have a Red Hat Single Sign-On (RH-SSO) federated authentication in your environment.
Procedure
1. Note your Identity service endpoint. The keystone endpoint is the FQDN value that you assign to the CloudName parameter in the custom-domain.yaml heat template, with the transport and port number included. The keystone endpoint has the following construction:
   https://<FQDN>:13000
   Note: If you do not deploy TLS, your Identity service API endpoint is http://<FQDN>:5000. Red Hat recommends deploying TLS with every production deployment of RHOSP.
2. Provide your SSO administrator with the following redirect URIs:
   https://<FQDN>:13000/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso
   https://<FQDN>:13000/v3/auth/OS-FEDERATION/websso/openid
   In response, your SSO administrator provides you with a ClientID and a ClientSecret.
3. Copy the enable-federation-openidc.yaml heat template into the stack home directory:
   $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml /home/stack/
4. Edit your copy of the enable-federation-openidc.yaml environment file. Below is a sample configuration:
   parameter_defaults:
     KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid  1
     KeystoneOpenIdcClientId: <ClientID>  2
     KeystoneOpenIdcClientSecret: <ClientSecret>  3
     KeystoneOpenIdcCryptoPassphrase: openstack  4
     KeystoneOpenIdcIdpName: kcipaIDP  5
     KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect  6
     KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration  7
     KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS  8
     KeystoneOpenIdcResponseType: id_token  9
     KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/  10
     WebSSOChoices: [['OIDC', 'OpenID Connect']]  11
     WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']}  12
     WebSSOInitialChoice: OIDC
     KeystoneFederationEnable: True
     KeystoneOpenIdcEnable: True
     KeystoneOpenIdcEnableOAuth: True
     WebSSOEnable: True
   1 A comma-delimited list of acceptable methods for authentication.
   2 Your client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.
   3 The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URIs.
   4 Choose a passphrase to use when encrypting data for the OpenID Connect handshake. The value openstack is only a sample; replace it with a passphrase of your own.
   5 The name associated with the IdP in the Identity service (keystone). The value for this parameter is always kcipaIDP for RH-SSO.
   6 The token introspection endpoint that the Identity service uses: https://<rh-sso_fqdn>/realms/<realm>/protocol/openid-connect/token/introspect
   7 The URL that points to your OpenID Connect provider metadata.
   8 The attribute used to obtain the entity ID of the identity provider from the environment. With HTTP_OIDC_ISS this is the token issuer, which must match the remote ID that you register for the identity provider in keystone.
   9 The response type expected from the OpenID Connect provider.
   10 A dashboard URL trusted for single sign-on. This can also be a comma-delimited list.
   11 The list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
   12 A mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
5. Add the enable-federation-openidc.yaml file to the stack with your other environment files and deploy the overcloud:
   (undercloud)$ openstack overcloud deploy --templates \
     -e [your environment files] \
     -e /home/stack/enable-federation-openidc.yaml
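Before you run the deploy, the cross-checks below catch the parameters in enable-federation-openidc.yaml that must agree with each other and with the keystone identity provider you create in the next section. This is an added example, not part of the Red Hat documentation or of the tripleo templates; it assumes the environment file keeps the flat parameter_defaults layout shown above, and that the RH-SSO realm issuer is the metadata URL without its /.well-known/openid-configuration suffix.

```python
"""Pre-deployment cross-checks for enable-federation-openidc.yaml (added example):
the parameters that must agree with each other and with the keystone identity
provider created later. Minimal line parser, not YAML; it fits only this file's shape."""
import ast, re

# Constructed sample: the page's example, trimmed to the parameters checked here.
SAMPLE_ENV = """\
parameter_defaults:
  KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid
  KeystoneOpenIdcClientSecret: <ClientSecret>
  KeystoneOpenIdcCryptoPassphrase: openstack
  KeystoneOpenIdcIdpName: kcipaIDP
  KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect
  KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration
  WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']}
  WebSSOInitialChoice: OIDC
"""

def parse_parameter_defaults(text):
    """Indented 'key: value' lines -> dict; lists, dicts and booleans via literal_eval."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\w+):\s+(.*?)\s*$", line)
        if m:
            key, raw = m.groups()
            try:
                params[key] = ast.literal_eval(raw)
            except (ValueError, SyntaxError):
                params[key] = raw            # plain strings, URLs, placeholders
    return params

def expected_remote_id(params):
    """--remote-id for 'openstack identity provider create': the realm issuer, i.e. the metadata URL minus /.well-known/openid-configuration (what HTTP_OIDC_ISS carries)."""
    return params["KeystoneOpenIdcProviderMetadataUrl"].rsplit("/.well-known/", 1)[0]

def check_federation_env(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_parameter_defaults(text)
    findings = []
    idp, proto = p["WebSSOIDPMapping"][p["WebSSOInitialChoice"]]
    if idp != p["KeystoneOpenIdcIdpName"]:
        findings.append("WebSSOIDPMapping IdP does not match KeystoneOpenIdcIdpName")
    if proto not in p["KeystoneAuthMethods"].split(","):
        findings.append(f"protocol '{proto}' is missing from KeystoneAuthMethods")
    if not p["KeystoneOpenIdcIntrospectionEndpoint"].startswith(expected_remote_id(p) + "/"):
        findings.append("introspection endpoint is not under the metadata URL's realm")
    for key in ("KeystoneOpenIdcClientSecret", "KeystoneOpenIdcCryptoPassphrase"):
        if str(p[key]).startswith("<") or str(p[key]) == "openstack":
            findings.append(f"{key} still holds a placeholder or sample value")
    return findings
```

Run check_federation_env on your own copy of the file; the value that expected_remote_id returns is the --remote-id to pass to openstack identity provider create in the next section.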
2.2. Integrating Red Hat OpenStack Platform with Red Hat Single Sign-On
After you deploy Red Hat OpenStack Platform (RHOSP) with Red Hat Single Sign-On (RH-SSO) for federation, you must integrate RH-SSO with RHOSP.
Procedure
1. Create a federated domain:
   $ openstack domain create <federated_domain_name>
   Example output:
   +-------------+----------------------------------+
   | Field       | Value                            |
   +-------------+----------------------------------+
   | description |                                  |
   | enabled     | True                             |
   | id          | b493634c9dbf4546a2d1988af181d7c9 |
   | name        | my_domain                        |
   | options     | {}                               |
   | tags        | []                               |
   +-------------+----------------------------------+
2. Set up the federation identity provider:
   $ openstack identity provider create --remote-id https://<rh-sso_fqdn>:9443/realms/<realm> --domain <federated_domain_name> kcipaIDP
   Replace <rh-sso_fqdn> with the fully qualified domain name for RH-SSO. Replace <realm> with the RH-SSO realm; the default realm is master. Replace <federated_domain_name> with the name of the federated domain that you created in step 1. The --remote-id value must exactly match the issuer that RH-SSO places in its tokens, because keystone compares it with the HTTP_OIDC_ISS attribute named in KeystoneOpenIdcRemoteIdAttribute.
   Example output:
   +-------------------+-----------------------------------------------------+
   | Field             | Value                                               |
   +-------------------+-----------------------------------------------------+
   | authorization_ttl | None                                                |
   | description       | None                                                |
   | domain_id         | b493634c9dbf4546a2d1988af181d7c9                    |
   | enabled           | True                                                |
   | id                | kcipaIDP                                            |
   | remote_ids        | https://rh-sso.fqdn.local:9443/realms/master        |
   +-------------------+-----------------------------------------------------+
3. Create a mapping file that is unique to the identity needs of your cloud. Example:
   cat > mapping.json << EOF
   [
     {
       "local": [
         {
           "user": {
             "name": "{0}"
           },
           "group": {
             "domain": {
               "name": "<federated_domain_name>"  1
             },
             "name": "<federated_group_name>"  2
           }
         }
       ],
       "remote": [
         {
           "type": "OIDC-preferred_username"  3
         }
       ]
     }
   ]
   EOF
   1 The <federated_domain_name> is the domain that you created in step 1.
   2 Choose a name for the <federated_group_name>. You create this group in a later step.
   3 You must use OIDC-preferred_username as the claim ID for RH-SSO.
4. Use the mapping file to create the federation mapping rules for RHOSP. In the provided example, the mapping rules created from the mapping.json file are named IPAmap:
   openstack mapping create --rules <file> <name>
   For example:
   $ openstack mapping create --rules mapping.json IPAmap
5. Create a federated group. The domain and group names must match the values that you put in mapping.json:
   $ openstack group create --domain <federated_domain_name> <federated_group_name>
6. Create an Identity service (keystone) project:
   $ openstack project create --domain <federated_domain_name> <federated_project_name>
7. Add the Identity service federation group to a role:
   $ openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
8. Create the OpenID federation protocol:
   $ openstack federation protocol create openid --mapping IPAmap --identity-provider kcipaIDP
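To see which local user and group a given set of RH-SSO claims would produce before you run openstack mapping create, the following added example (not keystone's own mapping engine and not part of the Red Hat documentation) re-implements the subset of keystone's mapping rules that this page's mapping.json uses, with the placeholders filled in with constructed values (my_domain, federated_users).

```python
"""Offline dry-run of a keystone federation mapping file (added example).

Re-implements only the subset of keystone's mapping engine that this page's
mapping.json relies on: '{n}' substitution of remote claim values into the
local user and group, plus the 'any_one_of' condition. Run it against the
claims you expect RH-SSO to send before 'openstack mapping create'.
"""
import json

# Constructed sample: the page's mapping.json with the placeholders filled in.
MAPPING_JSON = """
[{"local": [{"user": {"name": "{0}"},
             "group": {"domain": {"name": "my_domain"}, "name": "federated_users"}}],
  "remote": [{"type": "OIDC-preferred_username"}]}]
"""

def _fill(obj, values):
    """Recursively substitute '{0}', '{1}', ... with the matched remote values."""
    if isinstance(obj, dict):
        return {k: _fill(v, values) for k, v in obj.items()}
    if isinstance(obj, str):
        return obj.format(*values)
    return obj

def apply_mapping(rules_text, claims):
    """Return the local identity produced by the first matching rule, or None.

    claims: the attributes mod_auth_openidc exports to keystone, keyed by
    their 'OIDC-<claim>' names. As in keystone, a rule matches only if every
    remote attribute it names is present; a remote entry with 'any_one_of'
    is a condition only and does not feed the '{n}' placeholders.
    """
    for rule in json.loads(rules_text):
        values = []
        for remote in rule["remote"]:
            value = claims.get(remote["type"])
            if value is None:
                break                     # missing claim: rule does not match
            if "any_one_of" in remote:
                if value not in remote["any_one_of"]:
                    break                 # condition failed
            else:
                values.append(value)      # direct map for '{n}'
        else:
            local = {}
            for part in rule["local"]:
                local.update(_fill(part, values))
            return local
    return None                           # no rule matched: keystone denies the login
```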
2.3. Additional resources
For more information on Red Hat Single Sign-On, see the Getting Started Guide.