From 167d75572436d1bc17bd574ea5cb6be21b6dad10 Mon Sep 17 00:00:00 2001
From: Egon Rijpkema <git@egonrijpkema.nl>
Date: Fri, 10 Aug 2018 16:15:48 +0200
Subject: [PATCH] Imported all shibboleth stuff from openstack-test05

---
 keystone/.gitignore                 |   8 -
 keystone/Dockerfile                 |  22 ++-
 keystone/apache-keystone.conf       | 126 ++++++++++++++
 keystone/attribute-map.xml          |  30 ++++
 keystone/attribute-policy.xml       |  71 ++++++++
 keystone/keystone.conf              |  11 ++
 keystone/routers.py                 | 252 ++++++++++++++++++++++++++++
 keystone/rules.json                 |  20 +++
 keystone/run.sh                     |  20 +++
 keystone/shibboleth2.xml            | 114 +++++++++++++
 keystone/sso_callback_template.html |  22 +++
 keystone/test.php                   |   4 +
 12 files changed, 691 insertions(+), 9 deletions(-)
 delete mode 100644 keystone/.gitignore
 create mode 100644 keystone/apache-keystone.conf
 create mode 100644 keystone/attribute-map.xml
 create mode 100644 keystone/attribute-policy.xml
 create mode 100644 keystone/routers.py
 create mode 100644 keystone/rules.json
 create mode 100755 keystone/run.sh
 create mode 100644 keystone/shibboleth2.xml
 create mode 100644 keystone/sso_callback_template.html
 create mode 100644 keystone/test.php

diff --git a/keystone/.gitignore b/keystone/.gitignore
deleted file mode 100644
index f432e90..0000000
--- a/keystone/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-# ---> Vim
-[._]*.s[a-w][a-z]
-[._]s[a-w][a-z]
-*.un~
-Session.vim
-.netrwhist
-*~
-
diff --git a/keystone/Dockerfile b/keystone/Dockerfile
index d757a54..1634dee 100644
--- a/keystone/Dockerfile
+++ b/keystone/Dockerfile
@@ -13,16 +13,36 @@ RUN set -x \
     && apt-get -y update \
     && apt-get -y install \
     && apt-get -y install keystone python-openstackclient \
+    && apt-get -y install libapache2-mod-shib2 \
     && apt-get -y clean
 
 # set admin token TODO: make this a secret
 # in volume of met env
 COPY keystone.conf /etc/keystone/keystone.conf
 
+COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
+
+COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
+COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
+COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
+
+COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
+
+RUN mkdir /var/run/shibboleth
+
+COPY run.sh /etc/run.sh
+
 RUN mkdir /etc/keystone/fernet-keys
 
 RUN chown keystone: /etc/keystone/fernet-keys
 
+RUN a2enmod shib2
+
 COPY bootstrap.sh /etc/bootstrap.sh
 
-CMD apachectl -DFOREGROUND
+# Testing only!!!
+RUN mkdir -p /var/www/html/secure
+RUN apt-get -y install php libapache2-mod-php
+COPY test.php /var/www/html/secure/test.php
+
+CMD /etc/run.sh
diff --git a/keystone/apache-keystone.conf b/keystone/apache-keystone.conf
new file mode 100644
index 0000000..99e0111
--- /dev/null
+++ b/keystone/apache-keystone.conf
@@ -0,0 +1,126 @@
+LoadModule ssl_module modules/mod_ssl.so
+
+Listen 5000
+Listen 35357
+
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require valid-user
+</Location>
+
+Alias "/secure" "/var/www/html/secure"
+
+<VirtualHost *:5000>
+    ServerName https://merlin.hpc.rug.nl:5000
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    # Added for federation.
+    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+    </Location>
+
+    <Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
+        ShibRequestSetting requireSession 1
+        AuthType shibboleth
+        ShibExportAssertion Off
+        Require valid-user
+
+        <IfVersion < 2.4>
+            ShibRequireSession On
+            ShibRequireAll On
+       </IfVersion>
+    </Location>
+
+    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+      AuthType shibboleth
+      Require valid-user
+      ShibRequestSetting requireSession 1
+      ShibRequireSession On
+      ShibExportAssertion Off
+    </Location>
+    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
+      AuthType shibboleth
+      Require valid-user
+    </Location>
+
+</VirtualHost>
+
+<VirtualHost *:35357>
+    ServerName https://merlin.hpc.rug.nl:35357
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
+    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+</VirtualHost>
+
+Alias /identity /usr/bin/keystone-wsgi-public
+<Location /identity>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>
+
+Alias /identity_admin /usr/bin/keystone-wsgi-admin
+<Location /identity_admin>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>
diff --git a/keystone/attribute-map.xml b/keystone/attribute-map.xml
new file mode 100644
index 0000000..c641cca
--- /dev/null
+++ b/keystone/attribute-map.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+
+
+
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
+  </Attribute>
+  <Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
+
+  <!-- Added for nikhef -->
+  <Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
+
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
+  <Attribute name="urn:oid:2.5.4.4"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
+  <Attribute name="urn:oid:2.5.4.42"                      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
+  <Attribute name="urn:oid:2.5.4.3"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9"       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.39"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
+</Attributes>
diff --git a/keystone/attribute-policy.xml b/keystone/attribute-policy.xml
new file mode 100644
index 0000000..055567d
--- /dev/null
+++ b/keystone/attribute-policy.xml
@@ -0,0 +1,71 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
+    <!-- # Hacked for Nikhef federation
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+    </afp:PermitValueRule>
+    -->
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        
+        <afp:AttributeRule attributeID="eppn">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*">
+            <afp:PermitValueRule xsi:type="ANY"/>
+        </afp:AttributeRule>
+        
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
diff --git a/keystone/keystone.conf b/keystone/keystone.conf
index ae08a24..2e85c6a 100644
--- a/keystone/keystone.conf
+++ b/keystone/keystone.conf
@@ -1,6 +1,7 @@
 [DEFAULT]
 
 verbose = true
+log_file = /var/log/keystone/keystone.log
 
 [database]
 connection = mysql+pymysql://keystone:keystone@mariadb/keystone
@@ -8,5 +9,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
 [token]
 provider = fernet
 
+[auth]
+methods = password,token,mapped,openid,saml2
+
+[federation]
+trusted_dashboard = http://merlin.hpc.rug.nl/horizon/auth/websso/
+sso_calback_template = /etc/keystone/sso_calback_template.html
+
+[mapped]
+remote_id_attribute = Shib-Identity-Provider
+
 [identity]
 default_domain_id = default
diff --git a/keystone/routers.py b/keystone/routers.py
new file mode 100644
index 0000000..419dd4e
--- /dev/null
+++ b/keystone/routers.py
@@ -0,0 +1,252 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import functools
+
+from keystone.common import json_home
+from keystone.common import wsgi
+from keystone.federation import controllers
+
+
+build_resource_relation = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+build_parameter_relation = functools.partial(
+    json_home.build_v3_extension_parameter_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
+PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
+    parameter_name='protocol_id')
+SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
+
+
+class Routers(wsgi.RoutersBase):
+    """API Endpoints for the Federation extension.
+
+    The API looks like::
+
+        PUT /OS-FEDERATION/identity_providers/{idp_id}
+        GET /OS-FEDERATION/identity_providers
+        GET /OS-FEDERATION/identity_providers/{idp_id}
+        DELETE /OS-FEDERATION/identity_providers/{idp_id}
+        PATCH /OS-FEDERATION/identity_providers/{idp_id}
+
+        PUT /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        PATCH /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        DELETE /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+
+        PUT /OS-FEDERATION/mappings
+        GET /OS-FEDERATION/mappings
+        PATCH /OS-FEDERATION/mappings/{mapping_id}
+        GET /OS-FEDERATION/mappings/{mapping_id}
+        DELETE /OS-FEDERATION/mappings/{mapping_id}
+
+        GET /OS-FEDERATION/projects
+        GET /OS-FEDERATION/domains
+
+        PUT /OS-FEDERATION/service_providers/{sp_id}
+        GET /OS-FEDERATION/service_providers
+        GET /OS-FEDERATION/service_providers/{sp_id}
+        DELETE /OS-FEDERATION/service_providers/{sp_id}
+        PATCH /OS-FEDERATION/service_providers/{sp_id}
+
+        GET /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        POST /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        GET /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+        POST /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+
+
+        POST /auth/OS-FEDERATION/saml2
+        POST /auth/OS-FEDERATION/saml2/ecp
+        GET /OS-FEDERATION/saml2/metadata
+
+        GET /auth/OS-FEDERATION/websso/{protocol_id}
+            ?origin=https%3A//horizon.example.com
+
+        POST /auth/OS-FEDERATION/websso/{protocol_id}
+             ?origin=https%3A//horizon.example.com
+
+    """
+
+    def _construct_url(self, suffix):
+        return "/OS-FEDERATION/%s" % suffix
+
+    def append_v3_routers(self, mapper, routers):
+        auth_controller = controllers.Auth()
+        idp_controller = controllers.IdentityProvider()
+        protocol_controller = controllers.FederationProtocol()
+        mapping_controller = controllers.MappingController()
+        project_controller = controllers.ProjectAssignmentV3()
+        domain_controller = controllers.DomainV3()
+        saml_metadata_controller = controllers.SAMLMetadataV3()
+        sp_controller = controllers.ServiceProvider()
+
+        # Identity Provider CRUD operations
+
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers/{idp_id}'),
+            get_action='get_identity_provider',
+            put_action='create_identity_provider',
+            patch_action='update_identity_provider',
+            delete_action='delete_identity_provider',
+            rel=build_resource_relation(resource_name='identity_provider'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers'),
+            get_action='list_identity_providers',
+            rel=build_resource_relation(resource_name='identity_providers'))
+
+        # Protocol CRUD operations
+
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols/'
+                                     '{protocol_id}'),
+            get_action='get_protocol',
+            put_action='create_protocol',
+            patch_action='update_protocol',
+            delete_action='delete_protocol',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols'),
+            get_action='list_protocols',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocols'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+
+        # Mapping CRUD operations
+
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings/{mapping_id}'),
+            get_action='get_mapping',
+            put_action='create_mapping',
+            patch_action='update_mapping',
+            delete_action='delete_mapping',
+            rel=build_resource_relation(resource_name='mapping'),
+            path_vars={
+                'mapping_id': build_parameter_relation(
+                    parameter_name='mapping_id'),
+            })
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings'),
+            get_action='list_mappings',
+            rel=build_resource_relation(resource_name='mappings'))
+
+        # Service Providers CRUD operations
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers/{sp_id}'),
+            get_action='get_service_provider',
+            put_action='create_service_provider',
+            patch_action='update_service_provider',
+            delete_action='delete_service_provider',
+            rel=build_resource_relation(resource_name='service_provider'),
+            path_vars={
+                'sp_id': SP_ID_PARAMETER_RELATION,
+            })
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers'),
+            get_action='list_service_providers',
+            rel=build_resource_relation(resource_name='service_providers'))
+
+        self._add_resource(
+            mapper, domain_controller,
+            path=self._construct_url('domains'),
+            new_path='/auth/domains',
+            get_action='list_domains_for_user',
+            rel=build_resource_relation(resource_name='domains'))
+        self._add_resource(
+            mapper, project_controller,
+            path=self._construct_url('projects'),
+            new_path='/auth/projects',
+            get_action='list_projects_for_user',
+            rel=build_resource_relation(resource_name='projects'))
+
+        # Auth operations
+        self._add_resource(
+            mapper, auth_controller,
+            path=self._construct_url('identity_providers/{idp_id}/'
+                                     'protocols/{protocol_id}/auth'),
+            get_post_action='federated_authentication',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol_auth'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2'),
+            post_action='create_saml_assertion',
+            rel=build_resource_relation(resource_name='saml2'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2/ecp'),
+            post_action='create_ecp_assertion',
+            rel=build_resource_relation(resource_name='ecp'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('websso/{protocol_id}'),
+            get_post_action='federated_sso_auth',
+            rel=build_resource_relation(resource_name='websso'),
+            path_vars={
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url(
+                 'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
+            get_post_action='federated_idp_specific_sso_auth',
+            rel=build_resource_relation(resource_name='identity_providers'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+
+        # Keystone-Identity-Provider metadata endpoint
+        self._add_resource(
+            mapper, saml_metadata_controller,
+            path=self._construct_url('saml2/metadata'),
+            get_action='get_metadata',
+            rel=build_resource_relation(resource_name='metadata'))
diff --git a/keystone/rules.json b/keystone/rules.json
new file mode 100644
index 0000000..0e406a6
--- /dev/null
+++ b/keystone/rules.json
@@ -0,0 +1,20 @@
+[
+    {
+        "local": [
+            {
+                "group_ids": "{1}",
+                "user": {
+                    "name": "{0}"
+                }
+            }
+        ],
+        "remote": [
+            {
+                "type": "REMOTE_USER"
+            },
+            {
+                "type": "openstackGroupEntitlements"
+            }
+        ]
+    }
+]
diff --git a/keystone/run.sh b/keystone/run.sh
new file mode 100755
index 0000000..593b3d5
--- /dev/null
+++ b/keystone/run.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# start nova compute service
+
+chown keystone: /etc/keystone/fernet-keys
+chmod 700 /etc/keystone/fernet-keys
+
+# Start apache
+a2enmod ssl
+apachectl -DFOREGROUND &
+
+chown _shibd: /etc/shibboleth/sp*.pem
+
+shibd -f -F &
+
+# If any process fails, kill the rest.
+# This insures the container stops and systemd will restart it.
+
+wait -n
+pkill -P $$
+
diff --git a/keystone/shibboleth2.xml b/keystone/shibboleth2.xml
new file mode 100644
index 0000000..908dfd1
--- /dev/null
+++ b/keystone/shibboleth2.xml
@@ -0,0 +1,114 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+        </MetadataProvider>
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
diff --git a/keystone/sso_callback_template.html b/keystone/sso_callback_template.html
new file mode 100644
index 0000000..c6997dc
--- /dev/null
+++ b/keystone/sso_callback_template.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Keystone WebSSO redirect</title>
+  </head>
+  <body>
+     <form id="sso" name="sso" action="$host" method="post">
+       Please wait...
+       <br/>
+       <input type="hidden" name="token" id="token" value="$token"/>
+       <noscript>
+         <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+            value="If your JavaScript is disabled, please click to continue"/>
+       </noscript>
+     </form>
+     <script type="text/javascript">
+       window.onload = function() {
+         document.forms['sso'].submit();
+       }
+     </script>
+  </body>
+</html>
\ No newline at end of file
diff --git a/keystone/test.php b/keystone/test.php
new file mode 100644
index 0000000..28cd932
--- /dev/null
+++ b/keystone/test.php
@@ -0,0 +1,4 @@
+<html>
+<head><title>Shibboleth test</title></head>
+<body><pre><?php print_r($_SERVER); ?></pre></body>
+</html>