3.2. Integrating Red Hat OpenStack Platform with Active Directory Federation Services
After you deploy Red Hat OpenStack Platform (RHOSP) with Active Directory Federation Services (ADFS), you must complete the following steps to integrate the identity provider (IdP) with the service provider (RHOSP).
Procedure
1. Create a federated domain:
openstack domain create <federated_domain_name>
Example output:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | b493634c9dbf4546a2d1988af181d7c9 |
| name        | my_domain                        |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+
2. Create the federated identity provider:
openstack identity provider create --remote-id https://<adfs_fqdn>:9443/adfs --domain <federated_domain_name> adfsIdP
Replace <adfs_fqdn> with the fully qualified domain name of the Active Directory Federation Services server, and <federated_domain_name> with the name of the federated domain that you created in step 1. Example output:
+-------------------+-----------------------------------------------------+
| Field             | Value                                               |
+-------------------+-----------------------------------------------------+
| authorization_ttl | None                                                |
| description       | None                                                |
| domain_id         | b493634c9dbf4546a2d1988af181d7c9                    |
| enabled           | True                                                |
| id                | adfsIdP                                             |
| remote_ids        | https://adfs.fqdn.local/adfs/                       |
+-------------------+-----------------------------------------------------+
3. Create a mapping file. The mapping file is specific to the identity requirements of your cloud: the "remote" section names the claim that ADFS asserts (here the user principal name, OIDC-upn), and the "local" section describes the user and group that Identity service (keystone) creates from it. Replace <federated_domain_name> and <federated_group_name> with the names of the federated domain and the federated group.
Example:
cat > mapping.json << EOF
[
  {
    "local": [
      {
        "user": {
          "name": "{0}"
        },
        "group": {
          "domain": {
            "name": "<federated_domain_name>"
          },
          "name": "<federated_group_name>"
        }
      }
    ],
    "remote": [
      {
        "type": "OIDC-upn"
      }
    ]
  }
]
EOF
openstack mapping create --rules mapping.json ADmap
4. Create a federated group:
openstack group create --domain <federated_domain_name> <federated_group_name>
5. Create an Identity service (keystone) project:
openstack project create --domain <federated_domain_name> <federated_project_name>
6. Add the Identity service federated group to a role on the project:
openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
7. Create the OpenID federation protocol:
openstack federation protocol create openid --mapping ADmap --identity-provider adfsIdP
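The mapping file in step 3 is the part of this procedure that decides which ADFS users get an identity in RHOSP and which group (and therefore which role) they receive. The following is an added example, not code from the Red Hat OpenStack documentation or from keystone itself: a small evaluator that mimics how keystone's mapping engine applies the rules above to the claims the IdP asserts, so you can check a mapping file before uploading it. It uses the mapping from step 3 with the placeholders filled with constructed values (domain "my_domain", group "adfs_users"), and the user principal names in the sample assertions are likewise constructed. It also goes slightly beyond the page's rule by supporting keystone's "any_one_of" / "not_any_of" / "regex" remote filters, which is how you restrict the mapping to UPNs from the domains you expect rather than accepting every principal ADFS asserts.

```python
"""Simplified evaluation of a keystone federation mapping rule set.

Added example (not the documentation's or keystone's own code). It
mimics keystone's mapping engine: every rule whose "remote" entries are
satisfied by the asserted claims contributes its "local" identity, and
"{0}", "{1}", ... in the local section are replaced by the matched
remote values in order. Domain, group and UPN values are constructed.
"""
import json
import re

# Mapping from step 3 with <federated_domain_name> -> "my_domain" and
# <federated_group_name> -> "adfs_users" (constructed values).
MAPPING_JSON = """
[
  {
    "local": [
      {
        "user": {"name": "{0}"},
        "group": {
          "domain": {"name": "my_domain"},
          "name": "adfs_users"
        }
      }
    ],
    "remote": [
      {"type": "OIDC-upn"}
    ]
  }
]
"""


def load_rules(text):
    """Parse a mapping file and check that every rule has both sections."""
    rules = json.loads(text)
    for rule in rules:
        if "local" not in rule or "remote" not in rule:
            raise ValueError("each mapping rule needs 'local' and 'remote'")
    return rules


def _remote_values(remote_spec, assertion):
    """Return the matched remote values in order, or None if any remote
    entry is not satisfied (missing claim or filtered out)."""
    values = []
    for entry in remote_spec:
        claim = entry["type"]
        if claim not in assertion:
            return None  # the IdP did not assert this claim: no match
        value = assertion[claim]
        if "any_one_of" in entry:
            allowed = entry["any_one_of"]
            if entry.get("regex"):
                if not any(re.search(p, value) for p in allowed):
                    return None
            elif value not in allowed:
                return None
        if "not_any_of" in entry:
            denied = entry["not_any_of"]
            if entry.get("regex"):
                if any(re.search(p, value) for p in denied):
                    return None
            elif value in denied:
                return None
        values.append(value)
    return values


def _substitute(obj, values):
    """Replace "{0}", "{1}", ... in every string of the local section."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    return obj


def evaluate_mapping(rules, assertion):
    """Apply all rules to the asserted claims and merge the results.

    Returns {"user": <name>, "groups": [<group>, ...]} or None when no rule
    matched, in which case keystone rejects the federated login."""
    user, groups, matched = None, [], False
    for rule in rules:
        values = _remote_values(rule["remote"], assertion)
        if values is None:
            continue
        matched = True
        for local in rule["local"]:
            local = _substitute(local, values)
            if "user" in local:
                user = local["user"]["name"]
            if "group" in local:
                groups.append(local["group"])
    return {"user": user, "groups": groups} if matched else None


if __name__ == "__main__":
    rules = load_rules(MAPPING_JSON)
    print(evaluate_mapping(rules, {"OIDC-upn": "alice@example.com"}))
    # A login whose assertion lacks the OIDC-upn claim maps to nothing.
    print(evaluate_mapping(rules, {"OIDC-email": "alice@example.com"}))
```

Run the file directly to see the mapped identity for a constructed UPN and the None result for an assertion without the expected claim; the second case is worth checking deliberately, because a mapping that never matches produces a failed federated login rather than an error at "openstack mapping create" time.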