OpenStack Federated Authentication using Juju

This page describes how to implement the steps described here using Juju.


mod_auth_mellon is an alternative to mod_shib to implement SAML2 authentication.

Assuming that you already have a deployed OpenStack model/cluster, deploy the openstack-keystone-mellon charm:

git clone openstack-keystone-mellon
juju deploy ./openstack-keystone-mellon
juju add-relation keystone-saml-mellon keystone
juju add-relation keystone-saml-mellon openstack-dashboard
juju add-relation openstack-dashboard:websso-trusted-dashboard keystone:websso-trusted-dashboard

then follow the instructions at

For example:

juju config keystone-saml-mellon idp-name=idem-fed
juju config keystone-saml-mellon user-facing-name="IDEM/eduGAIN"
juju config keystone-saml-mellon idp-discovery-service-url=
juju config keystone-saml-mellon saml-encryption=true
juju config keystone-saml-mellon subject-confirmation-data-address-check=false

juju attach-resource keystone-saml-mellon idp-metadata=./idem-test-metadata-sha256.xml
juju attach-resource keystone-saml-mellon sp-private-key="./sp-private-key.pem"
juju attach-resource keystone-saml-mellon sp-signing-keyinfo="./sp-signing-keyinfo.xml"

openstack identity provider create --remote-id idem-fed
cat rules.json  # note that the OID used here is the one allocated to eduPersonPrincipalName
[{"local": [{"user": {"domain": {"name": "cloudusers"}, "type": "local", "name": "{0}"}}], "remote": [{"type": "MELLON_urn:oid:"}]}]
openstack mapping create --rules rules.json saml2_mapping
openstack federation protocol create mapped --mapping saml2_mapping --identity-provider idem-fed

# create the users, e.g.
openstack user create --domain cloudusers
openstack project create --domain cloudusers test
openstack role add --project test --user --user-domain cloudusers Member
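The mapping rules above are the security boundary between the federated assertion and the local Keystone user: a rule only fires when every `remote` requirement is satisfied, and the `{0}` placeholder in `local` is filled from the matched attribute. The following is an added example, not code from the charm or from Keystone; it re-implements the documented mapping semantics in miniature so a `rules.json` can be checked offline before it is loaded with `openstack mapping create`. It goes beyond the single rule on this page by also handling `any_one_of` / `not_any_of` restrictions (which, as in Keystone, do not contribute a `{n}` value). The attribute names, the OID placeholders and the assertion values are constructed; the eduPersonPrincipalName OID is elided on the page, so it stays a placeholder here.

```python
"""Evaluate Keystone federation mapping rules against SAML attributes.

Added example (not from the charm or Keystone). Models the documented
mapping semantics: all 'remote' requirements must match, plain 'type'
requirements feed the {n} placeholders in order, and any_one_of /
not_any_of only restrict (they contribute no {n} value).
"""
import re

# Constructed placeholders: mod_auth_mellon exposes attributes as
# MELLON_<name>; the OIDs are left as placeholders (elided on the page).
EPPN_ATTR = "MELLON_urn:oid:<eduPersonPrincipalName-OID>"
AFFIL_ATTR = "MELLON_urn:oid:<eduPersonAffiliation-OID>"

# The rule from rules.json on the page, with the OID placeholder.
RULES = [{
    "local": [{"user": {"domain": {"name": "cloudusers"},
                        "type": "local", "name": "{0}"}}],
    "remote": [{"type": EPPN_ATTR}],
}]

# Generalisation: the same rule, additionally restricted to staff/member
# affiliations (assumed attribute and values, constructed for this example).
STRICT_RULES = [{
    "local": RULES[0]["local"],
    "remote": [{"type": EPPN_ATTR},
               {"type": AFFIL_ATTR, "any_one_of": ["staff", "member"]}],
}]


def _match_requirement(req, assertion):
    """Return (matched, values_for_direct_map_or_None) for one requirement."""
    values = assertion.get(req["type"])
    if values is None:
        return False, None          # attribute absent: the rule cannot fire
    use_regex = req.get("regex", False)

    def hit(pattern, value):
        return bool(re.search(pattern, value)) if use_regex else pattern == value

    if "any_one_of" in req:
        ok = any(hit(p, v) for p in req["any_one_of"] for v in values)
        return ok, None             # restriction only, no {n} value
    if "not_any_of" in req:
        ok = not any(hit(p, v) for p in req["not_any_of"] for v in values)
        return ok, None
    return True, values


def _render(obj, direct):
    """Fill {n} placeholders in a 'local' template from the direct map."""
    if isinstance(obj, str):
        return obj.format(*direct)
    if isinstance(obj, dict):
        return {k: _render(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, direct) for v in obj]
    return obj


def map_assertion(rules, assertion):
    """Return the rendered 'local' objects of the first matching rule,
    or None when no rule matches (i.e. the login must be refused).

    assertion: dict of attribute name -> list of values, as built from the
    MELLON_* environment. Simplification: {n} takes the first value of a
    multi-valued attribute.
    """
    for rule in rules:
        direct = []
        for req in rule["remote"]:
            ok, vals = _match_requirement(req, assertion)
            if not ok:
                break
            if vals is not None:
                direct.append(vals[0])
        else:
            return [_render(item, direct) for item in rule["local"]]
    return None


if __name__ == "__main__":
    # Constructed assertion for a user whose EPPN is test1@example.org.
    print(map_assertion(RULES, {EPPN_ATTR: ["test1@example.org"]}))
    print(map_assertion(RULES, {}))  # no EPPN released: None
```

Run it with a real `rules.json` loaded via `json.load` in place of `RULES` to see which local user a given set of released attributes would map to; an assertion that lacks the eduPersonPrincipalName attribute yields `None`, which is the outcome you want (no rule, no local user).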

Give the Keystone IP address a name in your DNS and configure Keystone for HTTPS.

Then get the SP metadata:

juju run-action keystone-saml-mellon/0 get-sp-metadata --wait

And use it to register the SP at

To test the setup in the example, browse to the OpenStack dashboard of your cluster, select “IDEM/eduGAIN authentication”, select “idp311” and log in as user test1 with password test1.