Chapter 2. Federation using Red Hat OpenStack Platform and single sign-on


Red Hat supports using Red Hat’s single sign-on (SSO) technology as an identity provider for Red Hat OpenStack Platform (RHOSP), so that RHOSP can use the same federated SSO solution that already exists in your wider organization.

2.1. Deploying Red Hat OpenStack Platform with single sign-on

Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it can be integrated into your federated authentication solution. Federation allows users to log in to the OpenStack Dashboard using single sign-on (SSO). You must use the OpenStack Dashboard for SSO.

Note

By default, users who log out of the OpenStack Dashboard are not logged out of SSO.

Prerequisites

  • You have installed Red Hat OpenStack Platform director.
  • You have Red Hat’s single sign-on (SSO) federated authentication in your environment.

Procedure

  1. Obtain your OpenStack Identity service (keystone) endpoint, which has the following construction:

    https://<FQDN>:<port>
    • Replace <FQDN> with the Fully Qualified Domain Name (FQDN) value you assign to the CloudName parameter in the custom-domain.yaml heat template.
    • Replace <port> with the number of the required port. For example, if you deploy TLS then the port number is 13000.

      Note

      If you do not deploy TLS then <port> is 5000. Use TLS when deploying production systems.

  2. Provide your SSO administrator with the following redirect URIs:

    https://<keystone_endpoint>/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso
    https://<keystone_endpoint>/v3/auth/OS-FEDERATION/websso/openid
    • Replace <keystone_endpoint> with your Identity service (keystone) endpoint that you determined in step 1.

      In response, your SSO administrator provides you with a ClientID and a ClientSecret.

  3. Copy the enable-federation-openidc.yaml heat template into the stack home directory:

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
    /home/stack/
  4. Edit your copy of the enable-federation-openidc.yaml environment file. Below is a sample configuration:

    parameter_defaults:
      KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid  # 1
      KeystoneOpenIdcClientId: <ClientID>  # 2
      KeystoneOpenIdcClientSecret: <ClientSecret>  # 3
      KeystoneOpenIdcCryptoPassphrase: openstack  # 4
      KeystoneOpenIdcIdpName: kcipaIDP  # 5
      KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect  # 6
      KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration  # 7
      KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS  # 8
      KeystoneOpenIdcResponseType: id_token  # 9
      KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/  # 10
      WebSSOChoices: [['OIDC', 'OpenID Connect']]  # 11
      WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']}  # 12
      WebSSOInitialChoice: OIDC
      KeystoneFederationEnable: True
      KeystoneOpenIdcEnable: True
      KeystoneOpenIdcEnableOAuth: True
      WebSSOEnable: True

    1. A comma-delimited list of acceptable authentication methods.
    2. Replace <ClientID> with the ClientID that your SSO administrator provides.
    3. Replace <ClientSecret> with the ClientSecret that your SSO administrator provides.
    4. Choose a passphrase to use when encrypting data for the OpenID Connect handshake.
    5. The name associated with the IdP in the Identity service (keystone). The value for this parameter is always kcipaIDP for SSO.
    6. The Identity service introspection endpoint, https://<FQDN>/realms/<realm>/protocol/openid-connect/token/introspect. Replace <FQDN> with your CloudName FQDN and <realm> with the SSO realm; the default realm is master.
    7. The URL that points to your OpenID Connect provider metadata.
    8. The attribute from which to obtain the entity ID of the identity provider from the environment.
    9. The response type expected from the OpenID Connect provider.
    10. A dashboard URL trusted for single sign-on. This can also be a comma-delimited list.
    11. The list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
    12. A mapping from the SSO authentication choice to an identity provider and protocol. The identity provider and protocol names must match the resources defined in the Identity service.
  5. Add the enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
    -e [your environment files] \
    -e /home/stack/templates/enable-federation-openidc.yaml
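
The callouts above describe several values that must agree with each other (the IdP name in WebSSOIDPMapping and KeystoneOpenIdcIdpName, the protocol and KeystoneAuthMethods, the dashboard choice identifiers) and a few that must not be left at the sample or placeholder value. The following Python check is an added example, not part of this documentation or of TripleO: it takes the parameter_defaults mapping of your enable-federation-openidc.yaml (load the file with yaml.safe_load if PyYAML is installed and pass the parameter_defaults dict) and reports the inconsistencies that would otherwise only surface after the overcloud deploy in step 5. The embedded sample is the step 4 configuration with constructed dummy values in place of the ClientID and ClientSecret placeholders; the expectation that a trusted dashboard URL ends in /auth/websso/ is taken from the shape of the sample value.

```python
from urllib.parse import urlparse

# Constructed sample: the step 4 parameter_defaults with the two <...>
# placeholders replaced by dummy values (not real credentials).
SAMPLE_PARAMETERS = {
    "KeystoneAuthMethods": "password,token,oauth1,mapped,application_credential,openid",
    "KeystoneOpenIdcClientId": "rhosp-dashboard",
    "KeystoneOpenIdcClientSecret": "DUMMY-SECRET",
    "KeystoneOpenIdcCryptoPassphrase": "openstack",
    "KeystoneOpenIdcIdpName": "kcipaIDP",
    "KeystoneOpenIdcIntrospectionEndpoint": "https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect",
    "KeystoneOpenIdcProviderMetadataUrl": "https://rh-sso.local.com/realms/master/.well-known/openid-configuration",
    "KeystoneOpenIdcRemoteIdAttribute": "HTTP_OIDC_ISS",
    "KeystoneOpenIdcResponseType": "id_token",
    "KeystoneTrustedDashboards": "https://overcloud.redhat.local/dashboard/auth/websso/",
    "WebSSOChoices": [["OIDC", "OpenID Connect"]],
    "WebSSOIDPMapping": {"OIDC": ["kcipaIDP", "openid"]},
    "WebSSOInitialChoice": "OIDC",
    "KeystoneFederationEnable": True,
    "KeystoneOpenIdcEnable": True,
    "KeystoneOpenIdcEnableOAuth": True,
    "WebSSOEnable": True,
}


def _entries(value):
    """Split a comma-delimited parameter; a YAML list is accepted as well."""
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def check_federation_parameters(params):
    """Return a list of problems found in parameter_defaults (empty when consistent)."""
    problems = []
    methods = _entries(params.get("KeystoneAuthMethods", ""))
    for needed in ("mapped", "openid"):
        if needed not in methods:
            problems.append(f"KeystoneAuthMethods lacks '{needed}'")
    for flag in ("KeystoneFederationEnable", "KeystoneOpenIdcEnable", "WebSSOEnable"):
        if params.get(flag) is not True:
            problems.append(f"{flag} must be True")
    for key in ("KeystoneOpenIdcClientId", "KeystoneOpenIdcClientSecret"):
        value = str(params.get(key, ""))
        if not value or value.startswith("<"):
            problems.append(f"{key} still holds the <...> placeholder")
    if params.get("KeystoneOpenIdcCryptoPassphrase") in (None, "", "openstack"):
        problems.append("KeystoneOpenIdcCryptoPassphrase is unset or the sample value 'openstack'")
    # Every endpoint the handshake touches should be TLS-protected.
    for key in ("KeystoneOpenIdcIntrospectionEndpoint",
                "KeystoneOpenIdcProviderMetadataUrl", "KeystoneTrustedDashboards"):
        for url in _entries(params.get(key, "")):
            if urlparse(url).scheme != "https":
                problems.append(f"{key}: {url!r} is not https")
    metadata = str(params.get("KeystoneOpenIdcProviderMetadataUrl", ""))
    if not metadata.endswith("/.well-known/openid-configuration"):
        problems.append("KeystoneOpenIdcProviderMetadataUrl is not a .well-known/openid-configuration URL")
    for url in _entries(params.get("KeystoneTrustedDashboards", "")):
        if not url.endswith("/auth/websso/"):
            problems.append(f"KeystoneTrustedDashboards: {url!r} does not end in /auth/websso/")
    # The dashboard choice must resolve to the IdP and protocol keystone knows.
    choice_ids = {choice[0] for choice in params.get("WebSSOChoices", [])}
    if params.get("WebSSOInitialChoice") not in choice_ids:
        problems.append("WebSSOInitialChoice is not one of the WebSSOChoices")
    idp_name = params.get("KeystoneOpenIdcIdpName")
    for choice, (idp, protocol) in params.get("WebSSOIDPMapping", {}).items():
        if choice not in choice_ids:
            problems.append(f"WebSSOIDPMapping choice {choice!r} is not in WebSSOChoices")
        if idp != idp_name:
            problems.append(f"WebSSOIDPMapping points at IdP {idp!r} but KeystoneOpenIdcIdpName is {idp_name!r}")
        if protocol not in methods:
            problems.append(f"WebSSOIDPMapping protocol {protocol!r} is not in KeystoneAuthMethods")
    return problems


if __name__ == "__main__":
    for problem in check_federation_parameters(SAMPLE_PARAMETERS) or ["no problems found"]:
        print(problem)
```

Run against the sample as written, the only finding is the passphrase, because the sample still carries the value openstack; a file with the IdP name misspelled in WebSSOIDPMapping or an http:// dashboard URL produces one line per mismatch, which is cheaper to read than a failed federated login after a full deploy.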

2.2. Integrating Red Hat OpenStack Platform with single sign-on

After you deploy Red Hat OpenStack Platform (RHOSP) with Red Hat’s single sign-on (SSO) for federation, you must integrate SSO with RHOSP.

Procedure

  1. Create a federated domain:

    $ openstack domain create <federated_domain_name>
    • Replace <federated_domain_name> with the name of your federated domain.

      Example output:

      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description |                                  |
      | enabled     | True                             |
      | id          | b493634c9dbf4546a2d1988af181d7c9 |
      | name        | my_domain                        |
      | options     | {}                               |
      | tags        | []                               |
      +-------------+----------------------------------+
  2. Set up the federation identity provider:

    $ openstack identity provider create --remote-id https://<sso_fqdn>:9443/realms/<realm> --domain <federated_domain_name> kcipaIDP
    • Replace <sso_fqdn> with the fully qualified domain name for SSO.
    • Replace <realm> with the SSO realm. The default realm is master.

      Example output:

       +-------------------+-------------------------------------------+
       | Field             | Value                                     |
       +-------------------+-------------------------------------------+
       | authorization_ttl | None                                      |
       | description       | None                                      |
       | domain_id         | b493634c9dbf4546a2d1988af181d7c9          |
       | enabled           | True                                      |
       | id                | kcipaIDP                                  |
       | remote_ids        | https://sso.fqdn.local:9443/realms/master |
       +-------------------+-------------------------------------------+
  3. Create a mapping file that is unique to the identity needs of your cloud.

    Example:

    $ cat > mapping.json << EOF
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "<federated_domain_name>"
                        },
                        "name": "<federated_group_name>"
                    }
                }
            ],
            "remote": [
                {
                    "type": "OIDC-preferred_username"
                }
            ]
        }
    ]
    EOF
    • Replace <federated_domain_name> with the name of the domain that you created in step 1.
    • Replace <federated_group_name> with the name of the federated group that you will create in a later step.
  4. Use this mapping file to create the federation mapping rules for RHOSP:

    $ openstack mapping create --rules <mapping_file> <mapping_rules>
    • Replace <mapping_file> with the name of the mapping file that you created in the previous step, for example, mapping.json.
    • Replace <mapping_rules> with the name of the mapping rules created from this file, for example, IPAmap.
  5. Create a federated group:

    $ openstack group create --domain <federated_domain_name> <federated_group_name>
    • Replace <federated_domain_name> with the name of the domain that you created in step 1.
    • Replace <federated_group_name> with the name of the federated group that you specified in the mapping file.
  6. Create an Identity service (keystone) project:

    $ openstack project create --domain <federated_domain_name> <federated_project_name>
    • Replace <federated_project_name> with the name of the Identity service project.
  7. Add the Identity service federation group to a role:

    $ openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
  8. Create the OpenID federation protocol:

    $ openstack federation protocol create openid --mapping <mapping_rules> --identity-provider kcipaIDP
    • Replace <mapping_rules> with the name of the mapping rules you created from your mapping file, for example, IPAmap.
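
The mapping file from step 3 is the security boundary of this procedure: it decides which claim becomes the local user name and which group (and therefore, after step 7, which project role) a federated login receives. The following Python evaluator is an added example, not keystone's code, that re-implements the subset of the mapping-rule semantics the step 3 file relies on, so you can see how a given set of IdP attributes would map before you run `openstack mapping create`: a rule fires only when every "remote" attribute is present in the assertion, the {0}, {1}, ... references in "local" are filled in order from the unfiltered remote attributes, and any_one_of / not_any_of are conditions that do not feed the substitutions. Beyond the page's single rule, the embedded sample adds a second rule that grants an admin group only when the IdP asserts membership of a group; the domain, group and claim names (federated_domain, federated_users, federated_admins, OIDC-groups) are constructed, and keystone's full evaluator supports more (whitelist/blacklist, domain and project assignments) than is reproduced here.

```python
import json
import re

# Constructed sample: the step 3 mapping with hypothetical names filled in,
# plus a second (illustrative) rule that only fires on a "cloud-admins" claim.
MAPPING_JSON = """
[
  {
    "local": [
      {
        "user": {"name": "{0}"},
        "group": {"domain": {"name": "federated_domain"}, "name": "federated_users"}
      }
    ],
    "remote": [{"type": "OIDC-preferred_username"}]
  },
  {
    "local": [
      {"group": {"domain": {"name": "federated_domain"}, "name": "federated_admins"}}
    ],
    "remote": [{"type": "OIDC-groups", "any_one_of": ["cloud-admins"]}]
  }
]
"""
RULES = json.loads(MAPPING_JSON)


def _any_match(values, candidates, regex):
    """True when some assertion value equals (or, with regex, matches) a candidate."""
    return any(re.search(c, v) if regex else c == v for v in values for c in candidates)


def _direct_maps(remote, assertion):
    """Return the {n} substitution values for a rule, or None if the rule does not fire."""
    maps = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:
            return None  # required attribute missing from the assertion
        regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _any_match(values, req["any_one_of"], regex):
                return None
            continue  # a condition only; it contributes no {n} value
        if "not_any_of" in req:
            if _any_match(values, req["not_any_of"], regex):
                return None
            continue
        # keystone collapses a single-valued attribute to a plain string
        maps.append(values[0] if len(values) == 1 else values)
    return maps


def _render(node, maps):
    """Substitute {0}, {1}, ... into every string of a local entry."""
    if isinstance(node, str):
        return node.format(*maps)
    if isinstance(node, dict):
        return {k: _render(v, maps) for k, v in node.items()}
    if isinstance(node, list):
        return [_render(v, maps) for v in node]
    return node


def map_assertion(rules, assertion):
    """Apply all rules in order and return the local user name and group references.

    A result whose user is None is what keystone rejects: no rule produced a
    local user, so the federated login fails rather than mapping silently."""
    user, groups = None, []
    for rule in rules:
        maps = _direct_maps(rule["remote"], assertion)
        if maps is None:
            continue
        for local in rule["local"]:
            rendered = _render(local, maps)
            if user is None and "user" in rendered:
                user = rendered["user"]["name"]
            if "group" in rendered:
                groups.append(rendered["group"])
    return {"user": user, "groups": groups}


# Constructed assertions in the shape keystone receives from the OpenID Connect
# Apache module: attribute name -> list of values.
ALICE = {"OIDC-preferred_username": ["alice"], "OIDC-groups": ["developers"]}
CAROL = {"OIDC-preferred_username": ["carol"], "OIDC-groups": ["cloud-admins", "developers"]}
NO_USERNAME = {"OIDC-email": ["bob@example.com"]}  # preferred_username claim absent

if __name__ == "__main__":
    for label, assertion in (("alice", ALICE), ("carol", CAROL), ("no username", NO_USERNAME)):
        print(label, "->", map_assertion(RULES, assertion))
```

The third assertion shows the failure mode to keep in mind when you choose the remote attribute in step 3: a token without the claim the rule names matches no rule, so the user is not mapped at all, which is the safe outcome compared with a rule that falls back to a broad attribute such as e-mail.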

© 2025 Red Hat