Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Federation using Red Hat OpenStack Platform and Red Hat Single Sign-On

download PDF

Red Hat supports using Red Hat Single Sign-On as an identity provider for Red Hat OpenStack Platform (RHOSP) so that you can use the same federated solution for single sign-on in RHOSP, that exists in your wider organization.

2.1. Deploying Red Hat OpenStack Platform with Red Hat Single Sign-On

Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it can be integrated into your federated authentication solution.

Prerequisites

  • You have installed Red Hat OpenStack Platform director.
  • You have a Red Hat Single Sign-On (RH-SSO) federated authentication in your environment.

Procedure

  1. Note your Identity service endpoint. The keystone endpoint is the FQDN value you assign the CloudName parameter in the custom-domain.yaml heat template, with the transport and port number included. The keystone endpoint has the following construction: 

    https://<FQDN>:13000
    Note

    If you do not deploy TLS, your Identity service API endpoint is http://<FQDN>:5000. Red Hat recommends deploying TLS with every production deployment of RHOSP.

  2. Provide your SSO administrator with the following redirect URIs: 

    https://<FQDN>:13000/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso
https://<FQDN>:13000/v3/auth/OS-FEDERATION/websso/openid

    In response, your SSO administrator provides you with a ClientID and a ClientSecret.

  3. Copy the enable-federation-openidc.yaml heat template into the stack home directory: 

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
/home/stack/

  4. Edit your copy of the enable-federation-openidc.yaml environment file. Below is a sample configuration: 

    parameter_defaults:
  KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid 1
  KeystoneOpenIdcClientId: <ClientID> 2
  KeystoneOpenIdcClientSecret: <ClientSecret> 3
  KeystoneOpenIdcCryptoPassphrase: openstack 4
  KeystoneOpenIdcIdpName: kcipaIDP 5
  KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect 6
  KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration 7
  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS 8
  KeystoneOpenIdcResponseType: id_token 9
  KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/ 10
  WebSSOChoices: [['OIDC', 'OpenID Connect']] 11
  WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']} 12
  WebSSOInitialChoice: OIDC
  KeystoneFederationEnable: True
  KeystoneOpenIdcEnable: True
  KeystoneOpenIdcEnableOAuth: True
  WebSSOEnable: True
    1
    A comma delimited list of acceptable methods for authentication.
    2
    Your client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator
    3
    The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URLs.
    4
    Choose a passphrase to use when encrypting data for OpenID Connect handshake.
    5
    The name associated with the IdP in the Identity service (keystone). The value for this parameter is always kcipaIDP for RH-SSO.
    6
    The Identity service introspection endpoint: https://{FQDN}/realms/<realm>/protocol/openid-connect/token/introspect
    7
    The URL that points to your OpenID Connect provider metadata
    8
    Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
    9
    Response type to be expected from the OpenID Connect provider.
    10
    A dashboard URL trusted for single sign-on, this can also be a comma delimited list.
    11
    Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
    12
    Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.

  5. Add the enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud: 

    (undercloud)$ openstack overcloud deploy --templates \
-e [your environment files] \
-e /home/stack/templates/enable-federation-openidc.yaml.yaml

2.2. Integrating Red Hat OpenStack Platform with Red Hat Single Sign-On

After you deploy Red Hat OpenStack Platform (RHOSP) with Red Hat Single Sign-On (RH-SSO) for federation, you must integrate RH-SSO with RHOSP.

Procedure

  1. Create a federated domain: 

    $ openstack domain create <federated_domain_name>

    Example output: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | b493634c9dbf4546a2d1988af181d7c9 |
| name        | my_domain                        |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

  2. Set up the federation identity provider: 

    $ openstack identity provider create --remote-id https://<rh-sso_fqdn>:9443/realms/<realm> --domain <domain_name> kcipaIDP

    Replace <rh-sso_fqdn> with the fully qualified domain name for RH-SSO Replace <realm> with the RH-SSO realm. The default realm is master. Replace <federated_domain_name> with the name of the federated domain that you created in step 1.

    Example output: 

    +-------------------+-----------------------------------------------------+
| Field         	| Value                                               |
+-------------------+-----------------------------------------------------+
| authorization_ttl | None                                                |
| description   	| None                                                |
| domain_id     	| b493634c9dbf4546a2d1988af181d7c9                    |
| enabled       	| True                                                |
| id            	| kcipaIDP                                            |
| remote_ids    	| https://rh-sso.fqdn.local:9443/realms/master        |
+-------------------+-----------------------------------------------------+

  3. Create a mapping file that is unique to the identity needs of your cloud.

    Example: 

 cat > mapping.json << EOF
[
    {
        "local": [
            {
                "user": {
                 "name": "{0}"
                },
                "group": {
                    "domain": {
                     "name": "<federated_domain_name>" 1
                    },
                    "name": "<federated_group_name>" 2
                }
            }
        ],
        "remote": [
            {
                "type": "OIDC-preferred_username" 3
            }
        ]
    }
]
EOF
1
The <federated_domain_name> is the domain you created in step x.
2
Choose a name for the federated_group_name. You will create this in a later step
3
You must use OIDC-preferred_username as the claim id for RH-SSO

  1. Use the mapping file to create the federation mapping rules for RHOSP. In the provided example, mapping rules created from the mapping.json file are named IPAmap: 

    openstack mapping create --rules <file> <name>

    For example: 

    $ openstack mapping create --rules mapping.json IPAmap

  2. Create a federated group: 

    $ openstack group create --domain <federation_domain_name> <federation_group_name>

  3. Create an Identity service (keystone) project: 

    $ openstack project create --domain <federation_domain> <federation_project_name>

  4. Add the Identity service federation group to a role: 

    $ openstack role add --group <federation_group_name> --group-domain <federation_domain> --project <federation_project_name> --project-domain <federation_domain> member

  5. Create the OpenID federation protocol: 

    $ openstack federation protocol create openid --mapping IPAmap --identity-provider kcipaIDP

2.3. Additional resources

For more information on Red Hat Singe Sign-On see the Getting Started Guide

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.