@michaelrice
Forked from bretonium/mos-websso.rst
Created September 6, 2017 05:51
How to configure Mirantis OpenStack for WebSSO via Okta
  • To use the openstack CLI for the federation resources below (identity providers, mappings, protocols exist only in v3) you need to switch it to the v3 Identity API. Do this:
    1. cp openrc openrc.v3
    2. edit openrc.v3 and
      • add there this line: export OS_IDENTITY_API_VERSION=3
      • change OS_AUTH_URL to point to the v3 endpoint (the URL ending in /v3).
  • Create an identity provider

    openstack identity provider create idp_1 # idp_1 is an id. Use any you like. I like idp_1

  • Create a mapping

    A mapping is a set of rules that tells keystone which local user, group, project or domain a federated user is mapped to, based on the attributes in the SAML assertion. For this POC let's put every federated user into one static group.

    Create a group: openstack group create --domain default remote_people # it was created with id 0e85a08dad294ad9b6aa9ebb7a969caa, remember it (the mapping below refers to the group by id, not by name)

    Create a mapping. Lets use this one:

    [
      {
        "local": [
          {
            "user": {
              "name": "{0}",
              "domain": {"name": "Default"}
            }
          },
          {
            "group": {
              "id": "0e85a08dad294ad9b6aa9ebb7a969caa"
            }
          }
        ],
        "remote": [
          {
            "type": "username"
          }
        ]
      }
    ]

    The remote type username may not look obvious yet: it is the id of the attribute that mod_shib exports from the SAML assertion, and it has to match the id you will configure in attribute-map.xml further down; we'll get back to this part.

    Save it to a file "mapping.json" and run: openstack mapping create --rules mapping.json my_mapping.

  • Create a federation protocol for the mapping and identity provider we created above

    openstack federation protocol create --identity-provider idp_1 --mapping my_mapping saml2

  • Remember the ids we used here:
    • federation protocol: saml2
    • identity provider: idp_1
  • Install the Shibboleth SP Apache module: apt-get install libapache2-mod-shib2
  • Add the following to /etc/apache2/sites-enabled/05-keystone_wsgi_main.conf:

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
  • Add this to vhost configuration:

    <Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    
        <IfVersion < 2.4>
            ShibRequireSession On
            ShibRequireAll On
        </IfVersion>
    </Location>
  • Set ServerName in virtualhost configuration:

    ServerName https://public.fuel.local:5000/
    UseCanonicalName On
  • Configure Horizon
  • Ensure that in shibboleth2.xml <Sessions> has handlerSSL="false". TLS is terminated on haproxy (see the next item and secure_proxy_ssl_header below), so Apache and mod_shib see plain HTTP and the Shibboleth handlers must not insist on SSL. Only do this when the Apache listener on port 5000 is reachable solely through haproxy.
  • Fix haproxy as suggested in comment #1 of bug report https://bugs.launchpad.net/mos/+bug/1527717
  • Create your app in Okta
    • Single Sign On URL = https://public.fuel.local:5000/Shibboleth.sso/SAML2/POST
    • Audience URI (SP Entity ID) = http://public.fuel.local:5000/v3/auth/OS-FEDERATION/websso/saml2. Whatever value you enter here must be byte-for-byte the entityID you put in <ApplicationDefaults> of shibboleth2.xml below: Shibboleth rejects an assertion whose Audience does not match its own entityID.
    • Go to "Sign On" settings tab and copy a link of "Identity Provider metadata". For me it looks like https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata.
    • In SAML configuration, section "Attribute Statements (optional)", add an attribute with Name = username and Value = user.email. This is the attribute that mod_shib will export as username, i.e. the remote type used in the mapping above.
    • Edit your /etc/shibboleth/shibboleth2.xml:
      • In your <ApplicationDefaults> find <MetadataProvider> and set uri="https://mirantisnztest.okta.com/app/exk3emohjqYcZ1KR90x7/sso/saml/metadata" (your metadata url above)
      • <ApplicationDefaults entityID="https://public.fuel.local:5000/">
      • Inside <Sessions> find <SSO entityID="..."> and set entityID to the SAML Issuer ID (the IdP entityID from the Okta metadata); for me it was http://www.okta.com/exk3emohjqYcZ1KR90x7.

    Here is a full shibboleth2.xml for reference: https://paste.mirantis.net/show/1597/

  • Add this to /etc/shibboleth/attribute-map.xml. It exports the SAML attribute username to keystone; the id must equal the remote type in the mapping, otherwise no rule matches and the login is refused:

    <Attribute name="username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="username">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
  • Set remote-id of your idp. It must be exactly the SAML Issuer ID from the previous step, because keystone compares it with the Shib-Identity-Provider header that mod_shib sets from the assertion's Issuer and refuses logins from any issuer that is not registered:

    openstack identity provider set --remote-id 'http://www.okta.com/exk3emohjqYcZ1KR90x7' idp_1

  • Edit /etc/keystone/keystone.conf
    • [DEFAULT]secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
    • [auth]methods = external,password,token,oauth1,saml2
    • [federation]remote_id_attribute = Shib-Identity-Provider
    • [federation]trusted_dashboard = https://public.fuel.local/horizon/auth/websso/ (keystone posts the unscoped token only to an origin that exactly matches an entry in this list; this is what stops a crafted login link from sending the token to another host, so the value must be exactly the URL Horizon sends as origin)
  • Create /etc/keystone/sso_callback_template.html (use a template from official keystone docs)
  • HACK FOR 7.0: in /usr/lib/python2.7/dist-packages/openstack_auth/views.py change the origin that Horizon sends to keystone to origin = request.build_absolute_uri('/horizon/auth/websso/') so that it exactly equals the trusted_dashboard value above (behind haproxy the default origin does not match and keystone refuses the redirect).
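
The following Python is an added example, not code from this gist or from keystone. It models, in simplified form, the three server-side checks that the configuration on this page sets up: the Shib-Identity-Provider header must equal a remote-id registered with openstack identity provider set, the origin Horizon sends must be on [federation]trusted_dashboard, and the exported attributes must satisfy the mapping rules created above. The mapping rules, group id, remote-id and trusted_dashboard values are the ones from this page; the function names, the Unauthorized class and the sample request are this example's own.

```python
import re

# Added example (not the gist's or keystone's code): a simplified, offline
# model of the checks keystone applies to a WebSSO login.  Function names
# are this example's own, not keystone's API.

# Values copied from this page.
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}", "domain": {"name": "Default"}}},
            {"group": {"id": "0e85a08dad294ad9b6aa9ebb7a969caa"}},
        ],
        "remote": [{"type": "username"}],
    }
]
IDP_REMOTE_IDS = {"idp_1": ["http://www.okta.com/exk3emohjqYcZ1KR90x7"]}
TRUSTED_DASHBOARDS = ["https://public.fuel.local/horizon/auth/websso/"]
REMOTE_ID_ATTRIBUTE = "Shib-Identity-Provider"  # [federation]remote_id_attribute


class Unauthorized(Exception):
    """Stands in for keystone's Unauthorized exception."""


def identify_idp(env):
    """The SAML Issuer mod_shib exports must be a registered remote-id;
    otherwise any IdP whose metadata the SP trusts could log users in."""
    remote_id = env.get(REMOTE_ID_ATTRIBUTE)
    if not remote_id:
        raise Unauthorized("missing %s" % REMOTE_ID_ATTRIBUTE)
    for idp, remote_ids in IDP_REMOTE_IDS.items():
        if remote_id in remote_ids:
            return idp
    raise Unauthorized("issuer %s is not a registered remote-id" % remote_id)


def check_sso_origin(origin):
    """trusted_dashboard is an exact-match allowlist of URLs keystone will
    post the unscoped token to; http:// vs https:// or a different path fails."""
    if origin not in TRUSTED_DASHBOARDS:
        raise Unauthorized("origin %s is not a trusted dashboard" % origin)
    return origin


def _condition_matches(cond, values):
    """any_one_of / not_any_of conditions (optionally regex); a bare
    {"type": ...} condition only requires the attribute to be present."""
    use_re = cond.get("regex", False)
    hit = lambda pats: any(re.search(p, v) if use_re else p == v
                           for p in pats for v in values)
    if "any_one_of" in cond:
        return hit(cond["any_one_of"])
    if "not_any_of" in cond:
        return not hit(cond["not_any_of"])
    return True


def _fill(local, direct):
    """Substitute {0}, {1}, ... into every string leaf of a 'local' item."""
    if isinstance(local, dict):
        return {k: _fill(v, direct) for k, v in local.items()}
    if isinstance(local, list):
        return [_fill(v, direct) for v in local]
    if isinstance(local, str):
        return local.format(*direct)
    return local


def evaluate_mapping(env, rules=MAPPING_RULES):
    """Simplified mapping engine: the first rule whose remote conditions all
    match wins; bare conditions feed {0}, {1}, ... in order.  mod_shib joins
    multi-valued attributes with ';', which keystone splits."""
    assertion = {k: v.split(";") for k, v in env.items() if k != REMOTE_ID_ATTRIBUTE}
    for rule in rules:
        direct = []
        for cond in rule["remote"]:
            values = assertion.get(cond["type"])
            if values is None or not _condition_matches(cond, values):
                break
            if "any_one_of" not in cond and "not_any_of" not in cond:
                direct.append(values[0])  # simplification: first value only
        else:
            mapped = {"group_ids": []}
            for item in rule["local"]:
                item = _fill(item, direct)
                if "user" in item:
                    mapped["user"] = item["user"]
                if "group" in item:
                    mapped["group_ids"].append(item["group"]["id"])
            return mapped
    raise Unauthorized("no mapping rule matched the assertion")


def websso_login(env, origin):
    """Run the checks and report the outcome (with the denial reason)."""
    try:
        idp = identify_idp(env)
        check_sso_origin(origin)
        mapped = evaluate_mapping(env)
    except Unauthorized as exc:
        return {"allowed": False, "reason": str(exc)}
    mapped["identity_provider"] = idp
    return {"allowed": True, "mapped": mapped}


# Constructed sample (not captured from a real deployment): what mod_shib
# hands to keystone after Okta asserts user.email as "username".
SAMPLE_ENV = {
    "Shib-Identity-Provider": "http://www.okta.com/exk3emohjqYcZ1KR90x7",
    "username": "alice@example.com",
}

if __name__ == "__main__":
    print(websso_login(SAMPLE_ENV, "https://public.fuel.local/horizon/auth/websso/"))
    print(websso_login(SAMPLE_ENV, "http://public.fuel.local/horizon/auth/websso/"))
    print(websso_login({"username": "alice@example.com"}, TRUSTED_DASHBOARDS[0]))
```

The second and third calls show the two failure modes this page's last steps exist for: an origin that differs from trusted_dashboard only in scheme is refused (hence the views.py change), and an assertion without the remote-id header never reaches the mapping at all.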