
Chapter 4. Federation using Red Hat OpenStack Platform and other vendors


Red Hat does not provide direct support for federation when integrated with vendors outside of Red Hat’s single sign-on (SSO) and Active Directory Federation Services (AD FS). If you would like to use another vendor, please contact Red Hat for a support exception.

4.1. Customizing federation for other vendors

Other vendors may have different ways of delimiting an OpenIDC claim, or of formatting user information, for example. You can adjust these settings in the heat environment file.

Prerequisites

  • You have installed Red Hat OpenStack Platform (RHOSP) director
  • You have a federation solution available in your environment
  • RHOSP is at version 17.1.3 or higher

Procedure

  1. Provide your SSO administrator with appropriate redirect URIs. In response, your SSO administrator provides you with a ClientID and a Client secret.
  2. Copy the enable-federation-openidc.yaml environment file heat template to the /home/stack/templates/ directory.

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
    /home/stack/templates
  3. Modify the enable-federation-openidc.yaml environment file to meet the requirements of your federation solution.

    1. The following are parameters that are commonly required for the configuration of Federation:

      KeystoneAuthMethods
      A comma delimited list of acceptable methods for authentication.
      KeystoneOpenIdcClientId
      Your client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.
      KeystoneOpenIdcClientSecret
      The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URLs.
      KeystoneOpenIdcCryptoPassphrase
      Choose a passphrase to use when encrypting data for OpenID Connect handshake.
      KeystoneOpenIdcIdpName
      The name associated with the IdP in the Identity service (keystone).
      KeystoneOpenIdcIntrospectionEndpoint
      The Identity service introspection endpoint: https://<fqdn>/realms/<realm>/protocol/openid-connect/token/introspect
      KeystoneOpenIdcProviderMetadataUrl
      The URL that points to your OpenID Connect provider metadata.
      KeystoneOpenIdcRemoteIdAttribute
      Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
      KeystoneOpenIdcResponseType
      Response type to be expected from the OpenID Connect provider.
      KeystoneTrustedDashboards
      A dashboard URL trusted for single sign-on. This can also be a comma-delimited list.
      WebSSOChoices
      Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
      WebSSOIDPMapping
      Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
    2. You can use the following three parameters to customize the interaction between RHOSP and your federation solution.

      parameter_defaults:
        KeystoneOpenIdcClaimDelimiter: ';'        # 1
        KeystoneOpenIdcPassUserInfoAs: 'claims'   # 2
        KeystoneOpenIdcPassClaimsAs: 'both'       # 3
        ...
      1 Use the KeystoneOpenIdcClaimDelimiter parameter to set the delimiter for multivalue claims. The default delimiter is a semi-colon.
      2 Use the KeystoneOpenIdcPassUserInfoAs parameter to define how the resolved claims are passed to the federation application. Allowed values are claims, json, and jwt.
      3 Use the KeystoneOpenIdcPassClaimsAs parameter to define how the claims and tokens are passed to the application environment. The options are:
      • none: Claims and tokens are not passed to the application.
      • environment: Claims and tokens are passed as environment variables.
      • headers: Claims and tokens are passed in headers.
      • both: Claims and tokens are passed as both headers and environment variables. This is the default.

        Note

        For a sample configuration of a supported Federation configuration, see Deploying Red Hat OpenStack Platform with Red Hat Single Sign-on.

  4. Add the enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
    -e [your environment files] \
    -e /home/stack/templates/enable-federation-openidc.yaml

4.2. Integrating RHOSP with a third party provider

After you deploy Red Hat OpenStack Platform (RHOSP) with a third-party identity provider, you must complete the following steps to integrate the Identity provider (IdP) with the service provider (RHOSP).

Procedure

  1. Create a federated domain:

    openstack domain create <federated_domain_name>
  2. Set up the federation identity provider:

    openstack identity provider create \
    --remote-id <url> --domain <domain_name> <IdpName>
    • Replace <url> with the remote id required by your identity provider.
    • Replace <domain_name> with the name of the federated domain that you created in step 1.
    • Replace <IdpName> with the name associated with the IdP in the Identity service (keystone).
  3. Create a mapping file. The mapping file is unique to the identity needs of your cloud:

    cat > mapping.json << EOF
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "<federated_domain>"
                        },
                        "name": "<federated_group_name>"
                    }
                }
            ],
            "remote": [
                {
                    "type": "<idp_claim_id>"
                }
            ]
        }
    ]
    EOF
    • Replace <federated_domain> with the federated domain that you created in step 1.
    • Replace <federated_group_name> with a name of your choice. You create this group in a later step.
    • Replace <idp_claim_id> with the claim ID required for your identity provider.
  4. Use the mapping file to create the federation mapping rules for OpenStack. In the following example, the mapping rules created from the mapping.json file are called IdpMap:

    openstack mapping create --rules <file> <name>

    For example:

    openstack mapping create --rules mapping.json IdpMap
  5. Create a federated group:

    openstack group create --domain <federation_domain> <federation_group_name>
  6. Create an Identity service (keystone) project:

    openstack project create --domain <federation_domain> <federation_project_name>
  7. Add the Identity service federation group to a role:

    openstack role add --group <federation_group_name> \
    --group-domain <federation_domain> \
    --project <federation_project_name> \
    --project-domain <federation_domain> member
  8. Create the OpenID federation protocol:

    openstack federation protocol create openid \
    --mapping IdpMap --identity-provider <identityProvider>
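To show how the mapping rules from step 3 are applied to the claims that arrive from the provider, here is a simplified Python model of keystone's rule evaluation. It is an added example, not keystone's own code, and it assumes mod_auth_openidc exposes claims as OIDC-CLAIM-<name> values with multi-valued claims joined by the KeystoneOpenIdcClaimDelimiter from section 4.1; the rule set and assertion values are constructed for the example.

```python
import re
CLAIM_DELIMITER = ";"  # KeystoneOpenIdcClaimDelimiter default (section 4.1)
# Constructed sample rules: the step-3 mapping.json shape with placeholders
# filled in, plus an any_one_of filter on a multi-valued groups claim.
MAPPING_RULES = [{
    "local": [{"user": {"name": "{0}"},
               "group": {"domain": {"name": "federated_domain"},
                         "name": "federated_users"}}],
    "remote": [{"type": "OIDC-CLAIM-preferred_username"},
               {"type": "OIDC-CLAIM-groups",
                "any_one_of": ["openstack-users", "openstack-admins"]}],
}]

def split_claim(raw, delimiter=CLAIM_DELIMITER):
    """Split a claim that mod_auth_openidc joined with the configured delimiter."""
    return [v for v in raw.split(delimiter) if v]

def requirement_satisfied(req, values):
    """Apply one 'remote' entry; "regex": true switches to pattern matching."""
    def hit(pattern, value):
        return bool(re.search(pattern, value)) if req.get("regex") else pattern == value
    if "any_one_of" in req:
        return any(hit(p, v) for p in req["any_one_of"] for v in values)
    if "not_any_of" in req:
        return not any(hit(p, v) for p in req["not_any_of"] for v in values)
    return True  # a bare {"type": ...} entry only needs the claim to be present

def _render(obj, direct):
    """Fill {N} placeholders recursively, as the 'local' section is rendered."""
    if isinstance(obj, dict):
        return {k: _render(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, direct) for v in obj]
    return obj.format(*direct) if isinstance(obj, str) else obj

def evaluate_mapping(rules, assertion):
    """Return the 'local' objects of the first rule whose remote requirements all
    hold, or None. Only bare {"type": ...} entries feed the {N} placeholders."""
    for rule in rules:
        direct = []
        for req in rule["remote"]:
            values = split_claim(assertion.get(req["type"], ""))
            if not values or not requirement_satisfied(req, values):
                break  # claim absent/empty or filter failed: skip this rule
            if "any_one_of" not in req and "not_any_of" not in req:
                direct.append(values[0])
        else:
            return _render(rule["local"], direct)
    return None
```

A user whose groups claim contains none of the listed values, or whose username claim is missing, gets no local identity at all; this is the behaviour to check first when a federated login fails after deployment.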
© 2025 Red Hat