Chapter 3. Configure RH-SSO
The RH-SSO installation process is outside the scope of this guide. It is assumed you have already installed RH-SSO on a node that is situated independently from the Red Hat OpenStack Platform director deployment.
- The RH-SSO URL will be identified by the $FED_RHSSO_URL variable.
- RH-SSO supports multi-tenancy, and uses realms to allow for separation between tenants. As a result, RH-SSO operations always occur within the context of a realm. This guide uses the site-specific variable $FED_RHSSO_REALM to identify the RH-SSO realm being used.
- The RH-SSO realm can either be created ahead of time (as would be typical when RH-SSO is administered by an IT group), or the keycloak-httpd-client-install tool can create it for you if you have administrator privileges on the RH-SSO server.
3.1. Configure the RH-SSO Realm
Once the RH-SSO realm is available, use the RH-SSO web console to configure that realm for user federation against IdM:
- Select $FED_RHSSO_REALM from the drop-down list in the upper left corner.
- Select User Federation from the left side Configure panel.
- From the Add provider ... drop-down list in the upper right corner of the User Federation panel, select ldap. Fill in the following fields with these values, being sure to substitute any $FED_ site-specific variables:

  Property                  Value
  Console Display Name      Red Hat IDM
  Edit Mode                 READ_ONLY
  Sync Registrations        Off
  Vendor                    Red Hat Directory Server
  Username LDAP attribute   uid
  RDN LDAP attribute        uid
  UUID LDAP attribute       ipaUniqueID
  User Object Classes       inetOrgPerson, organizationalPerson
  Connection URL            LDAPS://$FED_IPA_HOST
  Users DN                  cn=users,cn=accounts,$FED_IPA_BASE_DN
  Authentication Type       simple
  Bind DN                   uid=rhsso,cn=sysaccounts,cn=etc,$FED_IPA_BASE_DN
  Bind Credential           $FED_IPA_RHSSO_SERVICE_PASSWD

- Use the Test connection and Test authentication buttons to check that user federation is working.
- Click Save at the bottom of the User Federation panel to save the new user federation provider.
- Click on the Mappers tab at the top of the Red Hat IDM user federation page you just created.
- Create a mapper to retrieve the user's group information; this means that a user's group memberships will be returned in the SAML assertion. You will be using group membership later to provide authorization in OpenStack.
- Click on the Create button in the upper right hand corner of the Mappers page. On the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop-down list, and give it the name Group Mapper. Fill in the following fields with these values, and be sure to substitute any $FED_ site-specific variables:

  Property                       Value
  LDAP Groups DN                 cn=groups,cn=accounts,$FED_IPA_BASE_DN
  Group Name LDAP Attribute      cn
  Group Object Classes           groupOfNames
  Membership LDAP Attribute      member
  Membership Attribute Type      DN
  Mode                           READ_ONLY
  User Groups Retrieve Strategy  GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

- Click Save.
3.2. Add User Attributes for SAML Assertion
The SAML assertion can send to keystone the properties that are bound to the user (for example, user metadata); these are called attributes in SAML. You will need to configure RH-SSO to return the required attributes in the assertion. Then, when keystone receives the SAML assertion, it will map those attributes into user metadata in a manner which keystone can then process. The process of mapping IdP attributes into keystone data is called Federated Mapping and will be covered later in this guide (see Section 4.21, “Create the Mapping File and Upload to Keystone”).
RH-SSO calls the process of adding returned attributes Protocol Mapping. Protocol mapping is a property of the RH-SSO client (for example, the service provider (SP) added to the RH-SSO realm). Adding any given attribute to the SAML assertion follows the same general steps.
In the RH-SSO administration web console:
- Select $FED_RHSSO_REALM from the drop-down list in the upper left corner.
- Select Clients from the left side Configure panel.
- Select the SP client that was set up by keycloak-httpd-client-install. It will be identified by its SAML EntityId.
- Select the Mappers tab from the horizontal list of tabs appearing at the top of the client panel.
- In the Mappers panel in the upper right are two buttons: Create and Add Builtin. Use one of these buttons to add a protocol mapper to the client.

You can add any required attributes, but for this exercise you will only need the list of groups the user is a member of (because group membership is how you will authorize the user).
3.3. Add Group Information to the Assertion
- Click on the Create button in the Mappers panel.
- In the Create Protocol Mapper panel, select Group list from the Mapper type drop-down list.
- Enter Group List as a name in the Name field. Enter groups as the name of the SAML attribute in the Group attribute name field.

  Note: This is the name of the attribute as it will appear in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it is the SAML attribute names it is looking for. Whenever you add an attribute in RH-SSO to be passed in the assertion, you will need to specify the SAML attribute name; it is the RH-SSO protocol mapper where that name is defined.

- In the SAML Attribute NameFormat field, select Basic.
- In the Single Group Attribute toggle box, select On.
- Click Save at the bottom of the panel.

Note: keycloak-httpd-client-install adds a group mapper when it runs.
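The Group list mapper configured above (attribute name groups, NameFormat Basic, Single Group Attribute On) produces one SAML Attribute element with several AttributeValue children. The following added example is not part of the Red Hat guide: it parses a constructed sample assertion, checks that the groups attribute is present with the Basic NameFormat, and returns the group names that the keystone Remote mapping will later match on. The group names and the uid attribute in the sample are assumed values.

```python
"""Extract the 'groups' attribute that the RH-SSO Group list protocol mapper
adds to a SAML assertion, the way keystone's federated mapping will see it."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# URI that the 'Basic' choice in the SAML Attribute NameFormat field stands for.
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample (not a real RH-SSO capture); Signature, Subject and
# Conditions are omitted because only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>openstack-users</saml:AttributeValue>
      <saml:AttributeValue>openstack-admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {SAML attribute name: [values]} for every attribute in the assertion.
    Real deployments should parse untrusted XML with defusedxml; the stdlib
    parser is used here only because the input is a constructed sample."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        # With 'Single Group Attribute' On, RH-SSO emits one 'groups' Attribute
        # carrying several AttributeValue children; extend() also copes with an
        # IdP that repeats the Attribute element once per group instead.
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def group_list(assertion_xml, attribute_name="groups"):
    """Return the group names keystone will match, after checking that the
    attribute exists and uses the Basic NameFormat selected in the mapper."""
    root = ET.fromstring(assertion_xml)
    matches = root.findall(".//saml:Attribute[@Name='%s']" % attribute_name, NS)
    if not matches:
        raise ValueError("assertion carries no %r attribute" % attribute_name)
    for attr in matches:
        if attr.get("NameFormat") != BASIC:
            raise ValueError("%r attribute does not use the Basic NameFormat" % attribute_name)
    return extract_attributes(assertion_xml)[attribute_name]
```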