17ac571e7a
This patch adds the ability to configure Keystone as a Service Provider (SP) for a Federated Identity Provider (IdP). * New variables to configure Keystone as a service provider are now supported under a root `keystone_sp` variable. Example configurations can be seen in Keystone's defaults file. This configuration includes the list of identity providers and trusted dashboards. (At this time only one identity provider is supported). * Identity provider configuration includes the remote-to-local user mapping and the list of remote attributes the SP can obtain from the IdP. * Shibboleth is installed and configured in the Keystone containers when SP configuration is present. * Horizon is configured for SSO login DocImpact UpgradeImpact Implements: blueprint keystone-federation Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6 Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
82 lines
2.7 KiB
Django/Jinja
82 lines
2.7 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
{% set threads = ansible_processor_vcpus|default(2) // 2 %}
|
|
|
|
WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup processes={{ ansible_processor_cores|default(1) }} threads={{ threads if threads > 0 else 1 }}
|
|
|
|
<VirtualHost *:{{ keystone_service_port }}>
|
|
LogLevel {{ keystone_apache_log_level }}
|
|
ErrorLog /var/log/keystone/keystone-apache-error.log
|
|
CustomLog /var/log/keystone/ssl_access.log combined
|
|
Options +FollowSymLinks
|
|
|
|
{% if keystone_ssl_enabled == true -%}
|
|
SSLEngine on
|
|
SSLCertificateFile {{ keystone_ssl_cert }}
|
|
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
|
SSLCACertificatePath {{ keystone_ssl_cert_path }}
|
|
SSLCARevocationPath {{ keystone_ssl_cert_path }}
|
|
SSLVerifyClient optional
|
|
SSLVerifyDepth 10
|
|
SSLCompression Off
|
|
SSLProtocol {{ keystone_ssl_protocol }}
|
|
SSLHonorCipherOrder On
|
|
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
|
SSLOptions +StdEnvVars +ExportCertData
|
|
{% endif %}
|
|
|
|
{% if keystone_sp is defined -%}
|
|
ShibURLScheme {{ keystone_service_publicuri_proto }}
|
|
|
|
<Location /Shibboleth.sso>
|
|
SetHandler shib
|
|
</Location>
|
|
|
|
<Location /v3/auth/OS-FEDERATION/websso/saml2>
|
|
AuthType shibboleth
|
|
ShibRequestSetting requireSession 1
|
|
ShibRequestSetting exportAssertion 1
|
|
ShibRequireSession On
|
|
ShibExportAssertion On
|
|
Require valid-user
|
|
</Location>
|
|
|
|
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
|
ShibRequestSetting requireSession 1
|
|
AuthType shibboleth
|
|
ShibExportAssertion Off
|
|
Require valid-user
|
|
</LocationMatch>
|
|
|
|
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
|
|
{%- endif %}
|
|
|
|
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
|
|
WSGIProcessGroup keystone
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:{{ keystone_admin_port }}>
|
|
LogLevel {{ keystone_apache_log_level }}
|
|
ErrorLog /var/log/keystone/keystone-apache-error.log
|
|
CustomLog /var/log/keystone/ssl_access.log combined
|
|
Options +FollowSymLinks
|
|
|
|
{% if keystone_ssl_enabled == true -%}
|
|
SSLEngine on
|
|
SSLCertificateFile {{ keystone_ssl_cert }}
|
|
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
|
SSLCACertificatePath {{ keystone_ssl_cert_path }}
|
|
SSLCARevocationPath {{ keystone_ssl_cert_path }}
|
|
SSLVerifyClient optional
|
|
SSLVerifyDepth 10
|
|
SSLCompression Off
|
|
SSLProtocol {{ keystone_ssl_protocol }}
|
|
SSLHonorCipherOrder On
|
|
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
|
|
SSLOptions +StdEnvVars +ExportCertData
|
|
{% endif %}
|
|
|
|
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
|
|
WSGIProcessGroup keystone
|
|
</VirtualHost>
|