Configure Keystone
Install mod_auth_openidc
# Dependencies, then mod_auth_openidc 1.8.6 from the project's GitHub release.
# NOTE(review): dpkg -i performs no signature check on the package; verify the
# downloaded .deb against the checksum/signature published with the release
# before installing it (e.g. sha256sum -c on the published value).
apt-get install libjansson4 libhiredis0.10 libcurl3
wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v1.8.6/libapache2-mod-auth-openidc_1.8.6-1_amd64.deb
dpkg -i libapache2-mod-auth-openidc_1.8.6-1_amd64.deb
If there is a problem installing 1.8 on your Ubuntu distribution, try installing 1.6 as follows:
# Fallback: 1.6.0 from the Debian pool.
# NOTE(review): this URL is plain http and dpkg -i does not verify signatures,
# so check the package checksum against a trusted source before installing.
wget http://ftp.us.debian.org/debian/pool/main/liba/libapache2-mod-auth-openidc/libapache2-mod-auth-openidc_1.6.0-1_amd64.deb
dpkg -i libapache2-mod-auth-openidc_1.6.0-1_amd64.deb
# -f ("fix broken") installs the dependencies dpkg could not resolve above.
sudo apt-get -f install
Now enable mod_auth_openidc, and restart the server
# Enable the module and restart Apache so it is loaded before the OIDC*
# directives in the virtual host below are parsed.
a2enmod auth_openidc
service apache2 restart
Configure /etc/keystone/keystone.conf file
Make the following changes in the /etc/keystone/keystone.conf file:
[auth]
# "oidc" is registered as an additional auth method, backed by the generic
# mapped plugin (federated attributes are turned into local group membership
# by the mapping rules created further down).
methods = external,password,token,oauth1,oidc
oidc = keystone.auth.plugins.mapped.Mapped
[oidc]
# HTTP_OIDC_ISS is the issuer header mod_auth_openidc sets on the authenticated
# request; the identity provider's remote_ids must carry the same value.
remote_id_attribute = HTTP_OIDC_ISS
[federation]
remote_id_attribute = HTTP_OIDC_ISS
# Dashboards the websso flow is allowed to hand the token back to. Entries in
# <...> are placeholders for your own hosts; the others are the example hosts
# used throughout this page.
# NOTE(review): every entry is plain http, so the token delivered by the websso
# redirect crosses the network unencrypted — use https URLs outside a lab.
trusted_dashboard = http://<Keystone-Hostname>:5000/v3
trusted_dashboard = http://<Keystone-Hostname>/horizon/auth/websso/
trusted_dashboard = http://keystoneopenam.com:5000/v3
trusted_dashboard = http://keystoneopenam.com/auth/websso/
trusted_dashboard = http://<CloudFabric-IP>/login
trusted_dashboard = http://<CloudFabric-IP>:80/login
trusted_dashboard = http://<CloudFabric-IP>/datacenterDashboard
trusted_dashboard = http://<CloudFabric-IP>:80/datacenterDashboard
trusted_dashboard = http://cloudfabric.gxicloud.com:8080/login
trusted_dashboard = http://cloudfabric.gxicloud.com:8080/datacenterDashboard
trusted_dashboard = http://cloudfabric.gxicloud.com:8443/login
trusted_dashboard = http://cloudfabric.gxicloud.com:8443/datacenterDashboard
Configure virtual host file
Edit the file /etc/apache2/sites-available/wsgi-keystone.conf and make the following changes:
<VirtualHost *:5000>
# Claims from the id_token are passed to Keystone as OIDC-* request headers,
# which Keystone sees as HTTP_OIDC_* (e.g. HTTP_OIDC_ISS in keystone.conf).
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
# Realm-specific OpenAM endpoints of the example deployment. The issuer value
# is what Keystone matches against the identity provider's remote_ids.
OIDCProviderIssuer https://demo.gxicloud.com:8443/openam/oauth2/ocean/crew
OIDCProviderAuthorizationEndpoint https://demo.gxicloud.com:8443/openam/oauth2/authorize?realm=/ocean/crew
OIDCProviderTokenEndpoint https://demo.gxicloud.com:8443/openam/oauth2/access_token?realm=/ocean/crew
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCProviderUserInfoEndpoint https://demo.gxicloud.com:8443/openam/oauth2/userinfo?realm=/ocean/crew
OIDCProviderJwksUri https://demo.gxicloud.com:8443/openam/oauth2/connect/jwk_uri?realm=/ocean/crew
# NOTE(review): both settings turn off TLS certificate validation towards the
# provider, so the token/userinfo/JWKS exchanges accept any certificate and can
# be intercepted. Tolerable only in a lab with self-signed certificates; set
# them to On and trust the provider's CA in Apache anywhere else.
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID openstack
#OIDCClientID rootclientid
# NOTE(review): "password" is a placeholder in both lines. The client secret
# must be the one registered for this client at OpenAM, and the crypto
# passphrase (protects the module's cookies/state) should be a long random
# value; neither belongs in a shared config as-is.
OIDCClientSecret password
OIDCCryptoPassphrase password
# NOTE(review): OIDCRedirectURI appears three times in this virtual host (here
# and twice after the LocationMatch). The directive takes a single value, so
# only the last one is expected to be effective — confirm against the module
# version and keep the URI that is registered at the provider.
OIDCRedirectURI "http://keystoneopenam.com:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect"
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
AuthType openid-connect
Require valid-user
# Debug logging on the federation auth path. NOTE(review): very verbose and
# likely to include request details such as claims — lower it once the flow
# works.
LogLevel debug
</LocationMatch>
OIDCRedirectURI "http://keystoneopenam.com:5000/v3/auth/OS-FEDERATION/websso/redirect"
OIDCRedirectURI "http://keystoneopenam.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect"
<Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>
Create project, group, role, identity provider, mapping and protocol
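# Group and project that federated users are mapped into.
openstack group create openam_group --domain default
openstack project create openam_project --domain default
# Grant the group the admin role on the project. In `openstack role add`,
# --project and --domain are alternative assignment scopes and cannot be
# combined, so the original `--project ... --domain default` is rejected by the
# option parser; the domains of the group and the project are given with
# --group-domain / --project-domain instead.
# NOTE(review): with the mapping shown later (no any_one_of filter on the
# issuer rule), every user the IdP authenticates inherits this admin role on
# openam_project — grant a lesser role unless that is intended.
openstack role add admin --group openam_group --group-domain default --project openam_project --project-domain default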
Issue an admin token as follows
# Prints the admin token; its "id" field is the value exported in the next
# step. NOTE(review): it carries the caller's admin rights until it expires —
# treat it like a password (keep it out of shell history, logs and tickets).
openstack token issue
Export the token as follows:
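# The identity-provider PUT below authenticates with $OS_TOKEN, so the token is
# exported under that name (the original exported "token", which nothing reads).
# Paste the "id" field printed by `openstack token issue`, or capture it
# directly without pasting:  export OS_TOKEN=$(openstack token issue -f value -c id)
export OS_TOKEN='<paste the id field from openstack token issue>'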
Now create the identity provider as follows:
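# Register the OpenAM identity provider. The remote_ids entry must equal the
# issuer mod_auth_openidc exports as HTTP_OIDC_ISS (OIDCProviderIssuer in the
# Apache config); otherwise Keystone cannot attribute assertions to this IdP.
# The original request body had this key garbled as `"remote_ ["..."]`; the
# field name is `remote_ids`. X-Subject-Token is dropped: it is only read by
# the token validation endpoints and merely sent the admin token a second time.
# NOTE(review): the endpoint is plain http, so the admin token in X-Auth-Token
# travels unencrypted — use the https endpoint outside a lab.
curl -i -X PUT \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $OS_TOKEN" \
  -d '{"identity_provider": {"description": "OpenAM idp", "remote_ids": ["https://demo.gxicloud.com:8443/openam/oauth2/ocean/crew"], "enabled": true}}' \
  http://keystoneopenam.com:5000/v3/OS-FEDERATION/identity_providers/openam_idp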
Create a file openam_mapping.json and add the following contents. Please replace the group id with the id of the group you just created.
Keystone federation mapping examples are:
# The mapping file. NOTE(review): its remote rule matches on HTTP_OIDC_ISS with
# no any_one_of filter, so every user authenticated by the IdP is placed in the
# group and receives whatever roles the group holds; the variant further down
# shows how to restrict the match.
cat openam_mapping.json
[
{
"local": [
{
"group": {
"id": "a52d06a163f049e29416e20d0e8a12ea"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS"
}
]
}
]
There is another variant of "remote", where we can define specific email-domain
users to be part of the group; the example below uses any_one_of to restrict the match on the issuer.
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://accounts.idp.com"
]
}
]
Now create mapping as follows:
# Load the rules from the file above under the name the protocol refers to.
openstack mapping create openam_mapping --rules openam_mapping.json
Now create protocol
# The protocol name "oidc" must agree with the auth method of the same name in
# keystone.conf [auth] methods and with the /protocols/oidc/ path segment used
# by the Apache LocationMatch and OIDCRedirectURI.
openstack federation protocol create oidc --identity-provider openam_idp --mapping openam_mapping