Configuring the Keystone Service Provider

Configure the Keystone Service Provider with the correct information for application data, single sign-on, and metadata.

About this task

Log in to the controller node and use the following procedure to set up the Keystone Service Provider.

Procedure

  1. Install the required artifacts.
    $ yum install shibboleth
    $ yum install xmlsec1-openssl
    $ yum install xmlsec1
    $ yum install python-saml2
  2. Edit /etc/httpd/sites-available/keystone-public.conf.
    1. Insert the WSGIScriptAliasMatch line into the VirtualHost block, as in the following snippet (the other lines are the existing keystone-public configuration and are shown for context). It routes the federation authentication endpoint to the Keystone WSGI application, which is the path the Shibboleth LocationMatch in the next step protects.
      <VirtualHost 9.119.61.13:5000>
          WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
          WSGIProcessGroup keystone-public
          WSGIScriptAlias / /var/www/html/keystone/main
          WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/html/keystone/main/$1
          WSGIApplicationGroup %{GLOBAL}
      
    2. Add the following to the end of the file. The Location block hands the Shibboleth handler URLs to mod_shib; the LocationMatch block requires a valid Shibboleth session for the federation auth endpoint and keeps the raw assertion out of the environment (ShibExportAssertion Off), so Keystone sees only the mapped attributes.
      <Location /Shibboleth.sso>
          SetHandler shib
      </Location>
      
      <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
          ShibRequestSetting requireSession 1
          AuthType shibboleth
          ShibExportAssertion Off
          Require valid-user
      </LocationMatch>
  3. Create new file /etc/httpd/mods-available/shibboleth.load, and insert the following line in the file.
    LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
  4. Run the following command:
    $ ln /etc/httpd/mods-available/shibboleth.load /etc/httpd/mods-enabled/shibboleth.load
  5. Edit the /etc/shibboleth/attribute-map.xml file and add the following lines before the closing </Attributes> tag. These map the attributes asserted by the Keystone Identity Provider to the environment variables that Keystone's mapping rules consume.
    <Attribute name="openstack_user" id="openstack_user"/>
    <Attribute name="openstack_roles" id="openstack_roles"/>
    <Attribute name="openstack_project" id="openstack_project"/>
  6. Generate the Service Provider key pair, copy the Identity Provider metadata, and restrict access to the private key:
    $ /etc/shibboleth/keygen.sh -h keystone.sp.fqdn -y 20 -f -o /etc/shibboleth
    $ scp root@keystone.idp.fqdn:/etc/keystone/keystone_idp_metadata.xml /etc/shibboleth
    $ chown shibd:shibd /etc/shibboleth/sp-key.pem
    $ chmod 600 /etc/shibboleth/sp-key.pem
    Notes:
    • Replace keystone.sp.fqdn with the fully qualified domain name (FQDN) of the Keystone Service Provider node.
    • Replace keystone.idp.fqdn with the FQDN of the Keystone Identity Provider node that you deployed in the first task of this process.
    • sp-key.pem is the Service Provider's private key. Only the shibd daemon needs to read it, so it must be owned by the account shibd runs as (shibd on the Shibboleth RPM packages) and must not be world-readable; do not set its mode to 644.
  7. Edit the /etc/shibboleth/shibboleth2.xml file to set ApplicationDefaults, SSO and MetadataProvider according to the following example:
    <ApplicationDefaults entityID="http://keystone.sp.fqdn/Shibboleth">
    
    <SSO entityID="http://keystone.idp.fqdn:5000/v3/OS-FEDERATION/saml2/idp" ECP="true">
          SAML2 SAML1
    </SSO>
    
    <MetadataProvider type="XML" file="/etc/shibboleth/keystone_idp_metadata.xml"/>
    where keystone.sp.fqdn is the FQDN of the Keystone Service Provider node, and keystone.idp.fqdn is the FQDN of the Keystone Identity Provider node. The SSO entityID must match the entityID published in keystone_idp_metadata.xml exactly, and the quotation marks must be plain ASCII double quotes; shibd fails to start if the file is not well-formed XML.
  8. Run the following command to remove the REMOTE_USER attribute from the ApplicationDefaults element in /etc/shibboleth/shibboleth2.xml, so that the Service Provider no longer exports REMOTE_USER to Keystone:
    $ sudo sed -r -i 's/ REMOTE_USER="[^"]*"//' /etc/shibboleth/shibboleth2.xml
    The stock value of REMOTE_USER is a space-separated list of attribute IDs (for example eppn persistent-id targeted-id), so the pattern must accept spaces and hyphens; a pattern such as \w* would not match it and the attribute would be left in place. Confirm with grep REMOTE_USER /etc/shibboleth/shibboleth2.xml, which should print nothing.
  9. Add the saml2 authentication methods to the [auth] section in /etc/keystone/keystone.conf:
    [auth]
    methods = external, password, token, oauth1, saml2
    saml2 = keystone.auth.plugins.mapped.Mapped
  10. Restart the Apache (httpd) and shibd services so that the new module, virtual host settings and Shibboleth configuration take effect:
    $ service httpd restart
    $ service shibd restart
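The following pre-flight check is an added example for this page; it is not code from the page, from OpenStack or from Shibboleth. It re-reads the files edited in steps 5 through 9 and reports every setting that does not match the expected Service Provider configuration, so that mistakes (a stray character in an entityID, a REMOTE_USER attribute the sed did not remove, a missing openstack_* attribute, a world-readable private key) are caught before httpd and shibd are restarted. The default paths and the FQDN placeholders are assumptions taken from the procedure; pass your own values as arguments.

```python
#!/usr/bin/env python3
"""Pre-flight check for the Keystone Service Provider configuration.

Added example, not part of the original page. It validates the files
edited in the procedure above against the expected settings.
Default paths and FQDNs below are assumptions; override them as arguments.
"""
import configparser
import os
import stat
import sys
import xml.etree.ElementTree as ET

REQUIRED_ATTRIBUTES = ("openstack_user", "openstack_roles", "openstack_project")
MAPPED_PLUGIN = "keystone.auth.plugins.mapped.Mapped"


def _local(tag):
    """Strip the XML namespace; SP 2.x and 3.x use different default namespaces."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First element in the tree with the given local name, or None."""
    return next((e for e in root.iter() if _local(e.tag) == name), None)


def check_shibboleth2(path, sp_fqdn, idp_fqdn):
    """Findings for shibboleth2.xml (an empty list means everything matched)."""
    findings = []
    root = ET.parse(path).getroot()
    app = _find(root, "ApplicationDefaults")
    if app is None:
        return ["ApplicationDefaults element missing"]
    want_sp = "http://%s/Shibboleth" % sp_fqdn
    if app.get("entityID") != want_sp:
        findings.append("ApplicationDefaults entityID is %r, expected %r" % (app.get("entityID"), want_sp))
    if "REMOTE_USER" in app.attrib:
        findings.append("REMOTE_USER still set on ApplicationDefaults (step 8 not applied)")
    sso = _find(root, "SSO")
    if sso is None:
        findings.append("SSO element missing")
    else:
        want_idp = "http://%s:5000/v3/OS-FEDERATION/saml2/idp" % idp_fqdn
        if sso.get("entityID") != want_idp:
            findings.append("SSO entityID is %r, expected %r" % (sso.get("entityID"), want_idp))
        if sso.get("ECP") != "true":
            findings.append("SSO ECP is %r, expected 'true'" % sso.get("ECP"))
        if "SAML2" not in (sso.text or "").split():
            findings.append("SSO does not list SAML2")
    providers = [e for e in root.iter() if _local(e.tag) == "MetadataProvider" and e.get("type") == "XML"]
    files = [e.get("file") for e in providers if e.get("file")]
    if not files:
        findings.append("no MetadataProvider type=XML with a file attribute")
    for f in files:
        # shibd resolves relative metadata paths against its configuration directory
        full = f if os.path.isabs(f) else os.path.join(os.path.dirname(path), f)
        if not os.path.isfile(full):
            findings.append("IdP metadata file %s not found" % full)
    return findings


def check_attribute_map(path):
    """Findings for attribute-map.xml: every openstack_* attribute must be mapped."""
    root = ET.parse(path).getroot()
    ids = {e.get("id") for e in root.iter() if _local(e.tag) == "Attribute"}
    return ["attribute-map.xml lacks id=%s" % a for a in REQUIRED_ATTRIBUTES if a not in ids]


def check_keystone_auth(path):
    """Findings for the [auth] section of keystone.conf."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(path)
    findings = []
    methods = [m.strip() for m in cfg.get("auth", "methods", fallback="").split(",")]
    if "saml2" not in methods:
        findings.append("[auth] methods does not include saml2")
    if cfg.get("auth", "saml2", fallback=None) != MAPPED_PLUGIN:
        findings.append("[auth] saml2 is not %s" % MAPPED_PLUGIN)
    return findings


def check_key_perms(path):
    """The SP private key must not be accessible to 'other'; only shibd reads it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:
        return ["%s is world-accessible (mode %o); chown it to shibd and chmod 600" % (path, mode)]
    return []


def run_checks(shib_dir="/etc/shibboleth", keystone_conf="/etc/keystone/keystone.conf",
               sp_fqdn="keystone.sp.fqdn", idp_fqdn="keystone.idp.fqdn"):
    """All findings across the files edited in the procedure; empty means ready to restart."""
    return (check_shibboleth2(os.path.join(shib_dir, "shibboleth2.xml"), sp_fqdn, idp_fqdn)
            + check_attribute_map(os.path.join(shib_dir, "attribute-map.xml"))
            + check_keystone_auth(keystone_conf)
            + check_key_perms(os.path.join(shib_dir, "sp-key.pem")))


if __name__ == "__main__":
    # usage: check_sp.py [shib_dir] [keystone.conf] [sp_fqdn] [idp_fqdn]
    problems = run_checks(*sys.argv[1:5])
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```

Run it as root on the controller after step 9 and before step 10; a non-zero exit means at least one finding was printed. The XML checks strip namespaces deliberately, because Shibboleth SP 2.x and 3.x declare different default namespaces in shibboleth2.xml, and the metadata check resolves relative file paths the same way shibd does.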