OpenStack Federated Authentication using Juju
This page explains how to carry out the steps described here using Juju.
openstack-keystone-mellon
mod_auth_mellon is an alternative to mod_shib to implement SAML2 authentication.
Assuming that you already have a deployed OpenStack model/cluster, deploy the openstack-keystone-mellon charm:
git clone https://github.com/openstack/charm-keystone-saml-mellon.git openstack-keystone-mellon
juju deploy ./openstack-keystone-mellon
juju add-relation keystone-saml-mellon keystone
juju add-relation keystone-saml-mellon openstack-dashboard
juju add-relation openstack-dashboard:websso-trusted-dashboard keystone:websso-trusted-dashboard
Then follow the instructions in the charm README at https://github.com/openstack/charm-keystone-saml-mellon/blob/master/src/README.md
For example:
juju config keystone-saml-mellon idp-name=idem-fed
juju config keystone-saml-mellon user-facing-name="IDEM/eduGAIN"
juju config keystone-saml-mellon idp-discovery-service-url=https://wayf.idem-test.garr.it/WAYF
juju config keystone-saml-mellon saml-encryption=true
juju config keystone-saml-mellon subject-confirmation-data-address-check=false
wget http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml
juju attach-resource keystone-saml-mellon idp-metadata=./idem-test-metadata-sha256.xml
juju attach-resource keystone-saml-mellon sp-private-key="./sp-private-key.pem"
juju attach-resource keystone-saml-mellon sp-signing-keyinfo="./sp-signing-keyinfo.xml"
openstack identity provider create --remote-id https://idp.aai-test.garr.it/idp/shibboleth idem-fed
cat rules.json  # note that OID 1.3.6.1.4.1.5923.1.1.1.6 is allocated to eduPersonPrincipalName
[
  {
    "local": [
      {
        "user": {
          "domain": {"name": "cloudusers"},
          "type": "local",
          "name": "{0}"
        }
      }
    ],
    "remote": [
      {"type": "MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.6"}
    ]
  }
]
openstack mapping create --rules rules.json saml2_mapping
openstack federation protocol create mapped --mapping saml2_mapping --identity-provider idem-fed
# create the users, e.g.
openstack user create --domain cloudusers test1@idp311.idem.garr.it
openstack project create --domain cloudusers test
openstack role add --project test --user test1@idp311.idem.garr.it --user-domain cloudusers Member
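To make clear what the mapping rule and the user-creation step above achieve together, here is an added worked example (not code from this page, from Keystone or from the charm) that re-implements, in simplified form, how Keystone's federation mapping engine consumes rules.json: mod_auth_mellon hands Keystone the released SAML attributes as MELLON_-prefixed environment variables, the "remote" section selects the eduPersonPrincipalName attribute, "{0}" in the "local" section is filled with its value, and because the user type is "local" the resulting user must already exist in the cloudusers domain. The SAMPLE_ENV values and the LOCAL_USERS set are constructed for the example (the user and IdP entityID are the ones used on this page); only plain {"type": ...} remote requirements are modelled, and the behaviour for a missing attribute or a non-existent local user is an assumption about what a rejected login looks like, not Keystone's exact error handling.

```python
import json

# The mapping rule exactly as in rules.json above.
RULES_JSON = (
    '[{"local": [{"user": {"domain": {"name": "cloudusers"}, "type": "local", '
    '"name": "{0}"}}], "remote": [{"type": "MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.6"}]}]'
)

# Constructed sample of the environment mod_auth_mellon hands to Keystone after a
# successful SAML login: each released attribute becomes a MELLON_-prefixed variable.
SAMPLE_ENV = {
    "MELLON_urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "test1@idp311.idem.garr.it",
    "MELLON_IDP": "https://idp.aai-test.garr.it/idp/shibboleth",
}

# Constructed stand-in for Keystone's user backend after the
# `openstack user create` step: the (domain, user name) pairs that exist.
LOCAL_USERS = {("cloudusers", "test1@idp311.idem.garr.it")}


def match_remote(remote_reqs, env):
    """Return the remote attribute values selected by a rule's "remote" section,
    or None if any required attribute is absent from the assertion.
    Simplified: only plain {"type": ...} requirements are handled."""
    values = []
    for req in remote_reqs:
        value = env.get(req["type"])
        if value is None:
            return None
        values.append(value)
    return values


def apply_mapping(rules, env, local_users):
    """Evaluate the rules in order; the first rule whose "remote" section matches
    wins. Returns the mapped user as a dict, None if no rule matches, and raises
    PermissionError when a "local" user does not exist in the backend."""
    for rule in rules:
        values = match_remote(rule["remote"], env)
        if values is None:
            continue
        for item in rule["local"]:
            user = item.get("user")
            if user is None:
                continue
            # "{0}" in the local section is filled with the first matched remote value
            name = user["name"].format(*values)
            domain = user["domain"]["name"]
            # Keystone treats a user without an explicit type as "ephemeral"
            user_type = user.get("type", "ephemeral")
            if user_type == "local" and (domain, name) not in local_users:
                raise PermissionError(
                    f"mapping produced local user {name!r} in domain {domain!r}, "
                    "but no such user exists; create it first with 'openstack user create'"
                )
            return {"name": name, "domain": domain, "type": user_type}
    return None


def mapped_user_for(env, local_users=LOCAL_USERS):
    """Apply the page's rules.json to one login environment."""
    return apply_mapping(json.loads(RULES_JSON), env, local_users)


if __name__ == "__main__":
    print(mapped_user_for(SAMPLE_ENV))
```

Two consequences of the rule are worth checking against your own IdP: a login whose assertion does not carry eduPersonPrincipalName matches no rule and is rejected, and a federated identity whose principal name has no pre-created user in the cloudusers domain is rejected as well, which is why the `openstack user create` step is part of the procedure rather than optional.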
Give the Keystone IP address a name in your DNS and configure Keystone for HTTPS.
Then get the SP metadata:
juju run-action keystone-saml-mellon/0 get-sp-metadata --wait
And use it to register the SP at https://registry.idem.garr.it/
To test the setup in the example, browse to the OpenStack dashboard of your cluster, select “IDEM/eduGAIN authentication”, select “idp311” and log in as user test1 with password test1.