Skip to content

Instantly share code, notes, and snippets.

@bretonium
Last active December 14, 2020 20:00
Show Gist options
  • Save bretonium/6134bca0756cb4f8037c to your computer and use it in GitHub Desktop.
Save bretonium/6134bca0756cb4f8037c to your computer and use it in GitHub Desktop.
How to configure Mirantis OpenStack for WebSSO via Okta
  • To use openstack cli you need to switch it to using v3 API. Do this:
    1. cp openrc openrc.v3
    2. edit openrc.v3 and
      • add there this line: export OS_IDENTITY_API_VERSION=3
      • change OS_AUTH_URL to point to v3.
  • Create an identity provider

    openstack identity provider create idp_1 # idp_1 is an id. Use any you like. I like idp_1

  • Create a mapping

    Mapping is a set of rules that tells keystone which group or project or domain the user belongs to. For this POC lets put the user to a static group.

    Create a group: openstack group create --domain default remote_people # it was created with id 0e85a08dad294ad9b6aa9ebb7a969caa, remember it

    Create a mapping. Lets use this one:

    [
      {
        "local": [
          {
            "user": {
              "name": "{0}",
              "domain": {"name": "Default"}
            }
          },
          {
            "group": {
              "id": "0e85a08dad294ad9b6aa9ebb7a969caa"
            }
          }
        ],
        "remote": [
          {
            "type": "username"
          }
        ]
      }
    ]
    

    remote type: username might seem not obvious yet, but we'll get back to this part

    Save it to a file "mapping.json" and run: openstack mapping create --rules mapping.json my_mapping.

  • Create a federation protocol for the mapping and identity provider we created above

    openstack federation protocol create --identity-provider idp_1 --mapping my_mapping saml2

  • Remember the ids we used here:
    • federation protocol: saml2
    • identity provider: idp_1
  • Install mod_shibboleth. apt-get install libapache2-mod-shib2

  • Add the following to /etc/apache2/sites-enabled/05-keystone_wsgi_main.conf:

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    
  • Add this to vhost configuration:

    <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    
        <IfVersion < 2.4>
            ShibRequireSession On
            ShibRequireAll On
        </IfVersion>
    </Location>
    
  • Set ServerName in virtualhost configuration:

    ServerName https://public.fuel.local:5000/
    UseCanonicalName On
    
  • Configure Horizon
  • Ensure that in shibboleth2.xml <Sessions> has handlerSSL="false"

  • Fix haproxy as suggested in comment #1 of bureport https://bugs.launchpad.net/mos/+bug/1527717

  • Create your app in Okta
    • Single Sign On URL = https://public.fuel.local:5000/Shibboleth.sso/SAML2/POST
    • Audience URI (SP Entity ID) = http://public.fuel.local:5000/v3/auth/OS-FEDERATION/websso/saml2
    • Go to "Sign On" settings tab and copy a link of "Identity Provider metadata". For me it looks like https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata.
    • In SAML configuration, section "Attribute Statements (optional)", put username to field "name" and select user.email in "value".
    • Edit your /etc/shibboleth/shibboleth2.xml:
      • In your <ApplicationDefaults> find <MetadataProvider> and set uri="https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata" (your metadata url above)
      • <ApplicationDefaults entityID="https://public.fuel.local:5000/">
      • Inside Session find <SSO entityID="..."> and set entityID to SAML Issuer ID, for me it was http://www.okta.com/exk3emohjqYcZ1KR90x7.
      • Ensure that in shibboleth2.xml <Sessions> has handlerSSL="false".

    Here is a full shibboleth2.xml for reference: https://paste.mirantis.net/show/1597/

  • Add this to /etc/shibboleth/attribute-map.xml:

    <Attribute name="username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="username">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    
  • Set remote-id of your idp:

    openstack identity provider set --remote-id 'http://www.okta.com/exk3emohjqYcZ1KR90x7' idp_1

  • Edit /etc/keystone/keystone.conf
    • [DEFAULT]secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
    • [auth]methods = external,password,token,oauth1,saml2
    • [federation]remote_id_attribute = Shib-Identity-Provider
    • [federation]trusted_dashboard = https://public.fuel.local/horizon/auth/websso/
  • Create /etc/keystone/sso_callback_template.html (use a template from official keystone docs)

  • HACK FOR 7.0: /usr/lib/python2.7/dist-packages/openstack_auth/views.py: origin = request.build_absolute_uri('/horizon/auth/websso/')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment