Imported all shibboleth stuff from openstack-test05
This commit is contained in:
parent
c6c947ce3c
commit
167d755724
8
keystone/.gitignore
vendored
8
keystone/.gitignore
vendored
@ -1,8 +0,0 @@
|
|||||||
# ---> Vim
|
|
||||||
[._]*.s[a-w][a-z]
|
|
||||||
[._]s[a-w][a-z]
|
|
||||||
*.un~
|
|
||||||
Session.vim
|
|
||||||
.netrwhist
|
|
||||||
*~
|
|
||||||
|
|
@ -13,16 +13,36 @@ RUN set -x \
|
|||||||
&& apt-get -y update \
|
&& apt-get -y update \
|
||||||
&& apt-get -y install \
|
&& apt-get -y install \
|
||||||
&& apt-get -y install keystone python-openstackclient \
|
&& apt-get -y install keystone python-openstackclient \
|
||||||
|
&& apt-get -y install libapache2-mod-shib2 \
|
||||||
&& apt-get -y clean
|
&& apt-get -y clean
|
||||||
|
|
||||||
# set admin token TODO: make this a secret
|
# set admin token TODO: make this a secret
|
||||||
# in volume of met env
|
# in volume of met env
|
||||||
COPY keystone.conf /etc/keystone/keystone.conf
|
COPY keystone.conf /etc/keystone/keystone.conf
|
||||||
|
|
||||||
|
COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
|
||||||
|
|
||||||
|
COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
|
||||||
|
COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
|
||||||
|
COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
|
||||||
|
|
||||||
|
COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
|
||||||
|
|
||||||
|
RUN mkdir /var/run/shibboleth
|
||||||
|
|
||||||
|
COPY run.sh /etc/run.sh
|
||||||
|
|
||||||
RUN mkdir /etc/keystone/fernet-keys
|
RUN mkdir /etc/keystone/fernet-keys
|
||||||
|
|
||||||
RUN chown keystone: /etc/keystone/fernet-keys
|
RUN chown keystone: /etc/keystone/fernet-keys
|
||||||
|
|
||||||
|
RUN a2enmod shib2
|
||||||
|
|
||||||
COPY bootstrap.sh /etc/bootstrap.sh
|
COPY bootstrap.sh /etc/bootstrap.sh
|
||||||
|
|
||||||
CMD apachectl -DFOREGROUND
|
# Testing only!!!
|
||||||
|
RUN mkdir -p /var/www/html/secure
|
||||||
|
RUN apt-get -y install php libapache2-mod-php
|
||||||
|
COPY test.php /var/www/html/secure/test.php
|
||||||
|
|
||||||
|
CMD /etc/run.sh
|
||||||
|
126
keystone/apache-keystone.conf
Normal file
126
keystone/apache-keystone.conf
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
LoadModule ssl_module modules/mod_ssl.so
|
||||||
|
|
||||||
|
Listen 5000
|
||||||
|
Listen 35357
|
||||||
|
|
||||||
|
<Location /secure>
|
||||||
|
AuthType shibboleth
|
||||||
|
ShibRequestSetting requireSession 1
|
||||||
|
require valid-user
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
Alias "/secure" "/var/www/html/secure"
|
||||||
|
|
||||||
|
<VirtualHost *:5000>
|
||||||
|
ServerName https://merlin.hpc.rug.nl:5000
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
|
||||||
|
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
|
||||||
|
UseCanonicalName On
|
||||||
|
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
|
||||||
|
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup keystone-public
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
LimitRequestBody 114688
|
||||||
|
|
||||||
|
# Added for federation.
|
||||||
|
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
|
||||||
|
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
|
||||||
|
ErrorLog /var/log/apache2/keystone.log
|
||||||
|
CustomLog /var/log/apache2/keystone_access.log combined
|
||||||
|
|
||||||
|
<Directory /usr/bin>
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
Require all granted
|
||||||
|
</IfVersion>
|
||||||
|
<IfVersion < 2.4>
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</IfVersion>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
<Location /Shibboleth.sso>
|
||||||
|
SetHandler shib
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
|
||||||
|
ShibRequestSetting requireSession 1
|
||||||
|
AuthType shibboleth
|
||||||
|
ShibExportAssertion Off
|
||||||
|
Require valid-user
|
||||||
|
|
||||||
|
<IfVersion < 2.4>
|
||||||
|
ShibRequireSession On
|
||||||
|
ShibRequireAll On
|
||||||
|
</IfVersion>
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
|
||||||
|
AuthType shibboleth
|
||||||
|
Require valid-user
|
||||||
|
ShibRequestSetting requireSession 1
|
||||||
|
ShibRequireSession On
|
||||||
|
ShibExportAssertion Off
|
||||||
|
</Location>
|
||||||
|
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
|
||||||
|
AuthType shibboleth
|
||||||
|
Require valid-user
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:35357>
|
||||||
|
ServerName https://merlin.hpc.rug.nl:35357
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
|
||||||
|
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
|
||||||
|
UseCanonicalName On
|
||||||
|
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
|
||||||
|
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup keystone-admin
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
LimitRequestBody 114688
|
||||||
|
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
|
||||||
|
ErrorLog /var/log/apache2/keystone.log
|
||||||
|
CustomLog /var/log/apache2/keystone_access.log combined
|
||||||
|
|
||||||
|
<Directory /usr/bin>
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
Require all granted
|
||||||
|
</IfVersion>
|
||||||
|
<IfVersion < 2.4>
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</IfVersion>
|
||||||
|
</Directory>
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
Alias /identity /usr/bin/keystone-wsgi-public
|
||||||
|
<Location /identity>
|
||||||
|
SetHandler wsgi-script
|
||||||
|
Options +ExecCGI
|
||||||
|
|
||||||
|
WSGIProcessGroup keystone-public
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
Alias /identity_admin /usr/bin/keystone-wsgi-admin
|
||||||
|
<Location /identity_admin>
|
||||||
|
SetHandler wsgi-script
|
||||||
|
Options +ExecCGI
|
||||||
|
|
||||||
|
WSGIProcessGroup keystone-admin
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
</Location>
|
30
keystone/attribute-map.xml
Normal file
30
keystone/attribute-map.xml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
<?xml version="1.0"?>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
|
||||||
|
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
|
||||||
|
</Attribute>
|
||||||
|
<Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
|
||||||
|
|
||||||
|
<!-- Added for nikhef -->
|
||||||
|
<Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
|
||||||
|
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
|
||||||
|
<Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
|
||||||
|
<Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
|
||||||
|
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
|
||||||
|
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
|
||||||
|
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
|
||||||
|
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
|
||||||
|
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
|
||||||
|
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
|
||||||
|
</Attributes>
|
71
keystone/attribute-policy.xml
Normal file
71
keystone/attribute-policy.xml
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
<afp:AttributeFilterPolicyGroup
|
||||||
|
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
|
||||||
|
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
|
||||||
|
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
|
||||||
|
xmlns:afp="urn:mace:shibboleth:2.0:afp"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
|
||||||
|
<!-- Shared rule for affiliation values. -->
|
||||||
|
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
|
||||||
|
<Rule xsi:type="AttributeValueString" value="faculty"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="student"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="staff"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="alum"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="member"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="affiliate"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="employee"/>
|
||||||
|
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
|
||||||
|
</afp:PermitValueRule>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
|
||||||
|
an AttributeRule for each attribute you want to check.
|
||||||
|
-->
|
||||||
|
<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
|
||||||
|
<!-- # Hacked for Nikhef federation
|
||||||
|
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
|
||||||
|
<Rule xsi:type="NOT">
|
||||||
|
<Rule xsi:type="AttributeValueRegex" regex="@"/>
|
||||||
|
</Rule>
|
||||||
|
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
|
||||||
|
</afp:PermitValueRule>
|
||||||
|
-->
|
||||||
|
<afp:AttributeFilterPolicy>
|
||||||
|
<!-- This policy is in effect in all cases. -->
|
||||||
|
<afp:PolicyRequirementRule xsi:type="ANY"/>
|
||||||
|
|
||||||
|
<!-- Filter out undefined affiliations and ensure only one primary. -->
|
||||||
|
<afp:AttributeRule attributeID="affiliation">
|
||||||
|
<afp:PermitValueRule xsi:type="AND">
|
||||||
|
<RuleReference ref="eduPersonAffiliationValues"/>
|
||||||
|
<RuleReference ref="ScopingRules"/>
|
||||||
|
</afp:PermitValueRule>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
<afp:AttributeRule attributeID="unscoped-affiliation">
|
||||||
|
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
<afp:AttributeRule attributeID="primary-affiliation">
|
||||||
|
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
|
||||||
|
<afp:AttributeRule attributeID="eppn">
|
||||||
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
|
||||||
|
<afp:AttributeRule attributeID="targeted-id">
|
||||||
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
|
||||||
|
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
|
||||||
|
<afp:AttributeRule attributeID="persistent-id">
|
||||||
|
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
|
||||||
|
<!-- Catch-all that passes everything else through unmolested. -->
|
||||||
|
<afp:AttributeRule attributeID="*">
|
||||||
|
<afp:PermitValueRule xsi:type="ANY"/>
|
||||||
|
</afp:AttributeRule>
|
||||||
|
|
||||||
|
</afp:AttributeFilterPolicy>
|
||||||
|
|
||||||
|
</afp:AttributeFilterPolicyGroup>
|
@ -1,6 +1,7 @@
|
|||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
|
|
||||||
verbose = true
|
verbose = true
|
||||||
|
log_file = /var/log/keystone/keystone.log
|
||||||
|
|
||||||
[database]
|
[database]
|
||||||
connection = mysql+pymysql://keystone:keystone@mariadb/keystone
|
connection = mysql+pymysql://keystone:keystone@mariadb/keystone
|
||||||
@ -8,5 +9,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
|
|||||||
[token]
|
[token]
|
||||||
provider = fernet
|
provider = fernet
|
||||||
|
|
||||||
|
[auth]
|
||||||
|
methods = password,token,mapped,openid,saml2
|
||||||
|
|
||||||
|
[federation]
|
||||||
|
trusted_dashboard = http://merlin.hpc.rug.nl/horizon/auth/websso/
|
||||||
|
sso_calback_template = /etc/keystone/sso_calback_template.html
|
||||||
|
|
||||||
|
[mapped]
|
||||||
|
remote_id_attribute = Shib-Identity-Provider
|
||||||
|
|
||||||
[identity]
|
[identity]
|
||||||
default_domain_id = default
|
default_domain_id = default
|
||||||
|
252
keystone/routers.py
Normal file
252
keystone/routers.py
Normal file
@ -0,0 +1,252 @@
|
|||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import functools
|
||||||
|
|
||||||
|
from keystone.common import json_home
|
||||||
|
from keystone.common import wsgi
|
||||||
|
from keystone.federation import controllers
|
||||||
|
|
||||||
|
|
||||||
|
build_resource_relation = functools.partial(
|
||||||
|
json_home.build_v3_extension_resource_relation,
|
||||||
|
extension_name='OS-FEDERATION', extension_version='1.0')
|
||||||
|
|
||||||
|
build_parameter_relation = functools.partial(
|
||||||
|
json_home.build_v3_extension_parameter_relation,
|
||||||
|
extension_name='OS-FEDERATION', extension_version='1.0')
|
||||||
|
|
||||||
|
IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
|
||||||
|
PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
|
||||||
|
parameter_name='protocol_id')
|
||||||
|
SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
|
||||||
|
|
||||||
|
|
||||||
|
class Routers(wsgi.RoutersBase):
|
||||||
|
"""API Endpoints for the Federation extension.
|
||||||
|
|
||||||
|
The API looks like::
|
||||||
|
|
||||||
|
PUT /OS-FEDERATION/identity_providers/{idp_id}
|
||||||
|
GET /OS-FEDERATION/identity_providers
|
||||||
|
GET /OS-FEDERATION/identity_providers/{idp_id}
|
||||||
|
DELETE /OS-FEDERATION/identity_providers/{idp_id}
|
||||||
|
PATCH /OS-FEDERATION/identity_providers/{idp_id}
|
||||||
|
|
||||||
|
PUT /OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}
|
||||||
|
GET /OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols
|
||||||
|
GET /OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}
|
||||||
|
PATCH /OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}
|
||||||
|
DELETE /OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}
|
||||||
|
|
||||||
|
PUT /OS-FEDERATION/mappings
|
||||||
|
GET /OS-FEDERATION/mappings
|
||||||
|
PATCH /OS-FEDERATION/mappings/{mapping_id}
|
||||||
|
GET /OS-FEDERATION/mappings/{mapping_id}
|
||||||
|
DELETE /OS-FEDERATION/mappings/{mapping_id}
|
||||||
|
|
||||||
|
GET /OS-FEDERATION/projects
|
||||||
|
GET /OS-FEDERATION/domains
|
||||||
|
|
||||||
|
PUT /OS-FEDERATION/service_providers/{sp_id}
|
||||||
|
GET /OS-FEDERATION/service_providers
|
||||||
|
GET /OS-FEDERATION/service_providers/{sp_id}
|
||||||
|
DELETE /OS-FEDERATION/service_providers/{sp_id}
|
||||||
|
PATCH /OS-FEDERATION/service_providers/{sp_id}
|
||||||
|
|
||||||
|
GET /OS-FEDERATION/identity_providers/{idp_id}/
|
||||||
|
protocols/{protocol_id}/auth
|
||||||
|
POST /OS-FEDERATION/identity_providers/{idp_id}/
|
||||||
|
protocols/{protocol_id}/auth
|
||||||
|
GET /auth/OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}/websso
|
||||||
|
?origin=https%3A//horizon.example.com
|
||||||
|
POST /auth/OS-FEDERATION/identity_providers/
|
||||||
|
{idp_id}/protocols/{protocol_id}/websso
|
||||||
|
?origin=https%3A//horizon.example.com
|
||||||
|
|
||||||
|
|
||||||
|
POST /auth/OS-FEDERATION/saml2
|
||||||
|
POST /auth/OS-FEDERATION/saml2/ecp
|
||||||
|
GET /OS-FEDERATION/saml2/metadata
|
||||||
|
|
||||||
|
GET /auth/OS-FEDERATION/websso/{protocol_id}
|
||||||
|
?origin=https%3A//horizon.example.com
|
||||||
|
|
||||||
|
POST /auth/OS-FEDERATION/websso/{protocol_id}
|
||||||
|
?origin=https%3A//horizon.example.com
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
def _construct_url(self, suffix):
|
||||||
|
return "/OS-FEDERATION/%s" % suffix
|
||||||
|
|
||||||
|
def append_v3_routers(self, mapper, routers):
|
||||||
|
auth_controller = controllers.Auth()
|
||||||
|
idp_controller = controllers.IdentityProvider()
|
||||||
|
protocol_controller = controllers.FederationProtocol()
|
||||||
|
mapping_controller = controllers.MappingController()
|
||||||
|
project_controller = controllers.ProjectAssignmentV3()
|
||||||
|
domain_controller = controllers.DomainV3()
|
||||||
|
saml_metadata_controller = controllers.SAMLMetadataV3()
|
||||||
|
sp_controller = controllers.ServiceProvider()
|
||||||
|
|
||||||
|
# Identity Provider CRUD operations
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, idp_controller,
|
||||||
|
path=self._construct_url('identity_providers/{idp_id}'),
|
||||||
|
get_action='get_identity_provider',
|
||||||
|
put_action='create_identity_provider',
|
||||||
|
patch_action='update_identity_provider',
|
||||||
|
delete_action='delete_identity_provider',
|
||||||
|
rel=build_resource_relation(resource_name='identity_provider'),
|
||||||
|
path_vars={
|
||||||
|
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
self._add_resource(
|
||||||
|
mapper, idp_controller,
|
||||||
|
path=self._construct_url('identity_providers'),
|
||||||
|
get_action='list_identity_providers',
|
||||||
|
rel=build_resource_relation(resource_name='identity_providers'))
|
||||||
|
|
||||||
|
# Protocol CRUD operations
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, protocol_controller,
|
||||||
|
path=self._construct_url('identity_providers/{idp_id}/protocols/'
|
||||||
|
'{protocol_id}'),
|
||||||
|
get_action='get_protocol',
|
||||||
|
put_action='create_protocol',
|
||||||
|
patch_action='update_protocol',
|
||||||
|
delete_action='delete_protocol',
|
||||||
|
rel=build_resource_relation(
|
||||||
|
resource_name='identity_provider_protocol'),
|
||||||
|
path_vars={
|
||||||
|
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||||
|
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
self._add_resource(
|
||||||
|
mapper, protocol_controller,
|
||||||
|
path=self._construct_url('identity_providers/{idp_id}/protocols'),
|
||||||
|
get_action='list_protocols',
|
||||||
|
rel=build_resource_relation(
|
||||||
|
resource_name='identity_provider_protocols'),
|
||||||
|
path_vars={
|
||||||
|
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
|
||||||
|
# Mapping CRUD operations
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, mapping_controller,
|
||||||
|
path=self._construct_url('mappings/{mapping_id}'),
|
||||||
|
get_action='get_mapping',
|
||||||
|
put_action='create_mapping',
|
||||||
|
patch_action='update_mapping',
|
||||||
|
delete_action='delete_mapping',
|
||||||
|
rel=build_resource_relation(resource_name='mapping'),
|
||||||
|
path_vars={
|
||||||
|
'mapping_id': build_parameter_relation(
|
||||||
|
parameter_name='mapping_id'),
|
||||||
|
})
|
||||||
|
self._add_resource(
|
||||||
|
mapper, mapping_controller,
|
||||||
|
path=self._construct_url('mappings'),
|
||||||
|
get_action='list_mappings',
|
||||||
|
rel=build_resource_relation(resource_name='mappings'))
|
||||||
|
|
||||||
|
# Service Providers CRUD operations
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, sp_controller,
|
||||||
|
path=self._construct_url('service_providers/{sp_id}'),
|
||||||
|
get_action='get_service_provider',
|
||||||
|
put_action='create_service_provider',
|
||||||
|
patch_action='update_service_provider',
|
||||||
|
delete_action='delete_service_provider',
|
||||||
|
rel=build_resource_relation(resource_name='service_provider'),
|
||||||
|
path_vars={
|
||||||
|
'sp_id': SP_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, sp_controller,
|
||||||
|
path=self._construct_url('service_providers'),
|
||||||
|
get_action='list_service_providers',
|
||||||
|
rel=build_resource_relation(resource_name='service_providers'))
|
||||||
|
|
||||||
|
self._add_resource(
|
||||||
|
mapper, domain_controller,
|
||||||
|
path=self._construct_url('domains'),
|
||||||
|
new_path='/auth/domains',
|
||||||
|
get_action='list_domains_for_user',
|
||||||
|
rel=build_resource_relation(resource_name='domains'))
|
||||||
|
self._add_resource(
|
||||||
|
mapper, project_controller,
|
||||||
|
path=self._construct_url('projects'),
|
||||||
|
new_path='/auth/projects',
|
||||||
|
get_action='list_projects_for_user',
|
||||||
|
rel=build_resource_relation(resource_name='projects'))
|
||||||
|
|
||||||
|
# Auth operations
|
||||||
|
self._add_resource(
|
||||||
|
mapper, auth_controller,
|
||||||
|
path=self._construct_url('identity_providers/{idp_id}/'
|
||||||
|
'protocols/{protocol_id}/auth'),
|
||||||
|
get_post_action='federated_authentication',
|
||||||
|
rel=build_resource_relation(
|
||||||
|
resource_name='identity_provider_protocol_auth'),
|
||||||
|
path_vars={
|
||||||
|
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||||
|
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
self._add_resource(
|
||||||
|
mapper, auth_controller,
|
||||||
|
path='/auth' + self._construct_url('saml2'),
|
||||||
|
post_action='create_saml_assertion',
|
||||||
|
rel=build_resource_relation(resource_name='saml2'))
|
||||||
|
self._add_resource(
|
||||||
|
mapper, auth_controller,
|
||||||
|
path='/auth' + self._construct_url('saml2/ecp'),
|
||||||
|
post_action='create_ecp_assertion',
|
||||||
|
rel=build_resource_relation(resource_name='ecp'))
|
||||||
|
self._add_resource(
|
||||||
|
mapper, auth_controller,
|
||||||
|
path='/auth' + self._construct_url('websso/{protocol_id}'),
|
||||||
|
get_post_action='federated_sso_auth',
|
||||||
|
rel=build_resource_relation(resource_name='websso'),
|
||||||
|
path_vars={
|
||||||
|
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
self._add_resource(
|
||||||
|
mapper, auth_controller,
|
||||||
|
path='/auth' + self._construct_url(
|
||||||
|
'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
|
||||||
|
get_post_action='federated_idp_specific_sso_auth',
|
||||||
|
rel=build_resource_relation(resource_name='identity_providers'),
|
||||||
|
path_vars={
|
||||||
|
'idp_id': IDP_ID_PARAMETER_RELATION,
|
||||||
|
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
|
||||||
|
})
|
||||||
|
|
||||||
|
# Keystone-Identity-Provider metadata endpoint
|
||||||
|
self._add_resource(
|
||||||
|
mapper, saml_metadata_controller,
|
||||||
|
path=self._construct_url('saml2/metadata'),
|
||||||
|
get_action='get_metadata',
|
||||||
|
rel=build_resource_relation(resource_name='metadata'))
|
20
keystone/rules.json
Normal file
20
keystone/rules.json
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
[
|
||||||
|
{
|
||||||
|
"local": [
|
||||||
|
{
|
||||||
|
"group_ids": "{1}",
|
||||||
|
"user": {
|
||||||
|
"name": "{0}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"remote": [
|
||||||
|
{
|
||||||
|
"type": "REMOTE_USER"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "openstackGroupEntitlements"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
20
keystone/run.sh
Executable file
20
keystone/run.sh
Executable file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# start nova compute service
|
||||||
|
|
||||||
|
chown keystone: /etc/keystone/fernet-keys
|
||||||
|
chmod 700 /etc/keystone/fernet-keys
|
||||||
|
|
||||||
|
# Start apache
|
||||||
|
a2enmod ssl
|
||||||
|
apachectl -DFOREGROUND &
|
||||||
|
|
||||||
|
chown _shibd: /etc/shibboleth/sp*.pem
|
||||||
|
|
||||||
|
shibd -f -F &
|
||||||
|
|
||||||
|
# If any process fails, kill the rest.
|
||||||
|
# This insures the container stops and systemd will restart it.
|
||||||
|
|
||||||
|
wait -n
|
||||||
|
pkill -P $$
|
||||||
|
|
114
keystone/shibboleth2.xml
Normal file
114
keystone/shibboleth2.xml
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
|
||||||
|
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
|
||||||
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||||
|
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
|
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
||||||
|
clockSkew="180">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
|
||||||
|
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!--
|
||||||
|
To customize behavior for specific resources on Apache, and to link vhosts or
|
||||||
|
resources to ApplicationOverride settings below, use web server options/commands.
|
||||||
|
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
|
||||||
|
|
||||||
|
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
|
||||||
|
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
|
||||||
|
<ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
|
||||||
|
REMOTE_USER="eppn persistent-id targeted-id">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
|
||||||
|
You MUST supply an effectively unique handlerURL value for each of your applications.
|
||||||
|
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
|
||||||
|
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
|
||||||
|
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
|
||||||
|
Note that while we default checkAddress to "false", this has a negative impact on the
|
||||||
|
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
|
||||||
|
-->
|
||||||
|
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
|
||||||
|
checkAddress="false" handlerSSL="true" cookieProps="https">
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Configures SSO for a default IdP. To allow for >1 IdP, remove
|
||||||
|
entityID property and adjust discoveryURL to point to discovery service.
|
||||||
|
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
|
||||||
|
You can also override entityID on /Login query string, or in RequestMap/htaccess.
|
||||||
|
-->
|
||||||
|
<SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
|
||||||
|
SAML2
|
||||||
|
</SSO>
|
||||||
|
|
||||||
|
<!-- SAML and local-only logout. -->
|
||||||
|
<Logout>SAML2 Local</Logout>
|
||||||
|
|
||||||
|
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
|
||||||
|
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
|
||||||
|
|
||||||
|
<!-- Status reporting service. -->
|
||||||
|
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
|
||||||
|
|
||||||
|
<!-- Session diagnostic service. -->
|
||||||
|
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
|
||||||
|
|
||||||
|
<!-- JSON feed of discovery information. -->
|
||||||
|
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
|
||||||
|
</Sessions>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Allows overriding of error template information/filenames. You can
|
||||||
|
also add attributes with values that can be plugged into the templates.
|
||||||
|
-->
|
||||||
|
<Errors supportContact="root@localhost"
|
||||||
|
helpLocation="/about.html"
|
||||||
|
styleSheet="/shibboleth-sp/main.css"/>
|
||||||
|
|
||||||
|
<!-- Example of remotely supplied batch of signed metadata. -->
|
||||||
|
<MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
|
||||||
|
backingFilePath="federation-metadata.xml" reloadInterval="7200">
|
||||||
|
</MetadataProvider>
|
||||||
|
|
||||||
|
<!-- Example of locally maintained metadata. -->
|
||||||
|
<!--
|
||||||
|
<MetadataProvider type="XML" file="partner-metadata.xml"/>
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!-- Map to extract attributes from SAML assertions. -->
|
||||||
|
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
|
||||||
|
|
||||||
|
<!-- Use a SAML query if no attributes are supplied during SSO. -->
|
||||||
|
<AttributeResolver type="Query" subjectMatch="true"/>
|
||||||
|
|
||||||
|
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
|
||||||
|
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
|
||||||
|
|
||||||
|
<!-- Simple file-based resolver for using a single keypair. -->
|
||||||
|
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
The default settings can be overridden by creating ApplicationOverride elements (see
|
||||||
|
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
|
||||||
|
Resource requests are mapped by web server commands, or the RequestMapper, to an
|
||||||
|
applicationId setting.
|
||||||
|
|
||||||
|
Example of a second application (for a second vhost) that has a different entityID.
|
||||||
|
Resources on the vhost would map to an applicationId of "admin":
|
||||||
|
-->
|
||||||
|
<!--
|
||||||
|
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
|
||||||
|
-->
|
||||||
|
</ApplicationDefaults>
|
||||||
|
|
||||||
|
<!-- Policies that determine how to process and authenticate runtime messages. -->
|
||||||
|
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
|
||||||
|
|
||||||
|
<!-- Low-level configuration about protocols and bindings available for use. -->
|
||||||
|
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
|
||||||
|
|
||||||
|
</SPConfig>
|
22
keystone/sso_callback_template.html
Normal file
22
keystone/sso_callback_template.html
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||||
|
<head>
|
||||||
|
<title>Keystone WebSSO redirect</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<form id="sso" name="sso" action="$host" method="post">
|
||||||
|
Please wait...
|
||||||
|
<br/>
|
||||||
|
<input type="hidden" name="token" id="token" value="$token"/>
|
||||||
|
<noscript>
|
||||||
|
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
|
||||||
|
value="If your JavaScript is disabled, please click to continue"/>
|
||||||
|
</noscript>
|
||||||
|
</form>
|
||||||
|
<script type="text/javascript">
|
||||||
|
window.onload = function() {
|
||||||
|
document.forms['sso'].submit();
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
4
keystone/test.php
Normal file
4
keystone/test.php
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
<html>
|
||||||
|
<head><title>Shibboleth test</title></head>
|
||||||
|
<body><pre><?php print_r($_SERVER); ?></pre></body>
|
||||||
|
</html>
|
Loading…
Reference in New Issue
Block a user