openstack-ansible/doc/source/install-guide/configure-federation-idp.rst
Major Hayden 8d5343db3c Fix OpenStack-Ansible refs w/o hyphen
Change-Id: I0809fdbc81d275dc818f0cddb1635cc16185c6f2
2015-12-07 09:45:27 -06:00


`Home <index.html>`__ OpenStack-Ansible Installation Guide

Configure Identity Service (keystone) as a federated identity provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The identity provider (IdP) configuration for Keystone must be provided in a
dictionary attribute with the key ``keystone_idp``. The following is a
complete example::

  keystone_idp:
    certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
    keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
    self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
    regen_cert: false
    idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
    idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
    idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
    service_providers:
      - id: "sp_1"
        auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
        sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
    organization_name: example_company
    organization_display_name: Example Corp.
    organization_url: example.com
    contact_company: example_company
    contact_name: John
    contact_surname: Smith
    contact_email: jsmith@example.com
    contact_telephone: 555-55-5555
    contact_type: technical


The following list is a reference of all the allowed settings:

* ``certfile`` defines the location and filename of the X.509 certificate that
  the IdP uses to sign assertions. This file must be in a location that is
  accessible to the keystone system user.

* ``keyfile`` defines the location and filename of the private key that the
  IdP uses to sign assertions. This file must be readable by the keystone
  system user, and by no other user: anyone who can read it can forge
  assertions for every service provider listed below.

* ``self_signed_cert_subject`` is the subject used in the self-signed signing
  certificate. The common name (CN) of the certificate must match the
  hostname that is configured in the service provider(s) for this IdP.

* ``regen_cert`` should normally be set to ``false``. When set to ``true``,
  the existing signing certificate is replaced with a new one. This setting
  is a convenience mechanism to renew a certificate when it is close to its
  expiration date. Because service providers trust the certificate published
  in the IdP metadata, the new metadata must be distributed to every service
  provider after regeneration, and the setting should be returned to
  ``false`` afterwards.

* ``idp_entity_id`` is the entity ID. The service providers use this as the
  unique identifier for the IdP. The recommended value for this setting is
  ``<keystone-public-endpoint>/OS-FEDERATION/saml2/idp``.

* ``idp_sso_endpoint`` is the single sign-on endpoint for this IdP. The
  recommended value for this setting is
  ``<keystone-public-endpoint>/OS-FEDERATION/saml2/sso``.

* ``idp_metadata_path`` is the location and filename where the metadata for
  this IdP is cached. The keystone system user must have access to this
  location. This is the file that is handed to the service providers so they
  can verify assertions signed by this IdP.

* ``service_providers`` is a list of the known service providers that use
  this keystone instance as identity provider. For each SP three values must
  be provided: ``id`` is a unique identifier, ``auth_url`` is the
  authentication endpoint of the SP, and ``sp_url`` is the endpoint where
  SAML2 assertions are posted.

* ``organization_name``, ``organization_display_name``, ``organization_url``,
  ``contact_company``, ``contact_name``, ``contact_surname``,
  ``contact_email``, ``contact_telephone`` and ``contact_type`` are all
  settings that describe the identity provider. These settings are optional.

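The relationships the settings above must satisfy (a CN that equals the IdP
hostname the SPs are configured with, entity ID and SSO endpoint on the same
public endpoint, unique SP ids, https-only URLs) are easy to get wrong when
the Jinja variables are rendered. The following is an added example that
checks them, not code from OpenStack-Ansible or keystone. It assumes the
``{{ external_lb_vip_address }}`` and ``{{ keystone_service_publicurl_v3 }}``
variables have already been rendered to ``idp.example.com`` and
``https://idp.example.com:5000/v3`` (assumed hostnames), and the helper
names ``lint_keystone_idp`` and ``parse_subject`` are hypothetical:

```python
"""Sanity checks for a rendered OpenStack-Ansible ``keystone_idp`` dictionary.

Added example, not part of OpenStack-Ansible. Uses only the standard library
so it runs offline; the Jinja variables of the page's example are assumed to
be rendered already, so every value below is a plain string.
"""
from urllib.parse import urlsplit

REQUIRED_KEYS = ("certfile", "keyfile", "self_signed_cert_subject", "regen_cert",
                 "idp_entity_id", "idp_sso_endpoint", "idp_metadata_path",
                 "service_providers")
SP_REQUIRED_KEYS = ("id", "auth_url", "sp_url")


def parse_subject(subject):
    """Turn an OpenSSL-style '/C=US/ST=Texas/CN=host' string into a dict."""
    fields = {}
    for part in subject.strip("/").split("/"):
        if "=" not in part:
            raise ValueError("malformed subject component %r" % part)
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_https_url(name, url, findings):
    """Require an absolute https:// URL; return its hostname or None."""
    parts = urlsplit(str(url))
    if parts.scheme != "https" or not parts.hostname:
        findings.append("%s: expected an absolute https:// URL, got %r" % (name, url))
        return None
    return parts.hostname


def lint_keystone_idp(cfg):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    findings = ["missing required setting %r" % k for k in REQUIRED_KEYS if k not in cfg]
    if findings:
        return findings  # relationships between absent keys cannot be checked

    for key in ("certfile", "keyfile", "idp_metadata_path"):
        if not str(cfg[key]).startswith("/"):
            findings.append("%s: must be an absolute path readable by the keystone user" % key)

    if not isinstance(cfg["regen_cert"], bool):
        findings.append("regen_cert: must be a boolean")
    elif cfg["regen_cert"]:
        findings.append("regen_cert is true: the signing certificate will be replaced; "
                        "redistribute the IdP metadata to every service provider")

    try:
        cn = parse_subject(cfg["self_signed_cert_subject"]).get("CN")
    except ValueError as exc:
        findings.append("self_signed_cert_subject: %s" % exc)
        cn = None
    if not cn:
        findings.append("self_signed_cert_subject: no CN component")

    entity_host = check_https_url("idp_entity_id", cfg["idp_entity_id"], findings)
    sso_host = check_https_url("idp_sso_endpoint", cfg["idp_sso_endpoint"], findings)
    if not str(cfg["idp_entity_id"]).endswith("/OS-FEDERATION/saml2/idp"):
        findings.append("idp_entity_id: recommended value is <keystone-public-endpoint>/OS-FEDERATION/saml2/idp")
    if not str(cfg["idp_sso_endpoint"]).endswith("/OS-FEDERATION/saml2/sso"):
        findings.append("idp_sso_endpoint: recommended value is <keystone-public-endpoint>/OS-FEDERATION/saml2/sso")
    if entity_host and sso_host and entity_host != sso_host:
        findings.append("idp_entity_id and idp_sso_endpoint point at different hosts")
    # SPs are configured with the IdP hostname, which must equal the signing cert's CN.
    if cn and entity_host and cn != entity_host:
        findings.append("certificate CN %r does not match IdP hostname %r" % (cn, entity_host))

    sps = cfg["service_providers"]
    if not isinstance(sps, list) or not sps:
        findings.append("service_providers: must be a non-empty list")
        return findings
    seen_ids = set()
    for index, sp in enumerate(sps):
        label = "service_providers[%d]" % index
        missing = [k for k in SP_REQUIRED_KEYS if k not in sp]
        if missing:
            findings.append("%s: missing %s" % (label, ", ".join(missing)))
            continue
        if sp["id"] in seen_ids:
            findings.append("%s: duplicate id %r" % (label, sp["id"]))
        seen_ids.add(sp["id"])
        check_https_url(label + ".auth_url", sp["auth_url"], findings)
        check_https_url(label + ".sp_url", sp["sp_url"], findings)
    return findings


# Constructed sample: the page's example with the Jinja variables rendered
# (external_lb_vip_address -> idp.example.com, assumed hostname).
GOOD_IDP = {
    "certfile": "/etc/keystone/ssl/idp_signing_cert.pem",
    "keyfile": "/etc/keystone/ssl/idp_signing_key.pem",
    "self_signed_cert_subject": "/C=US/ST=Texas/L=San Antonio/O=IT/CN=idp.example.com",
    "regen_cert": False,
    "idp_entity_id": "https://idp.example.com:5000/v3/OS-FEDERATION/saml2/idp",
    "idp_sso_endpoint": "https://idp.example.com:5000/v3/OS-FEDERATION/saml2/sso",
    "idp_metadata_path": "/etc/keystone/saml2_idp_metadata.xml",
    "service_providers": [{
        "id": "sp_1",
        "auth_url": "https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth",
        "sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP",
    }],
    "organization_name": "example_company",
    "contact_email": "jsmith@example.com",
}

# Constructed broken variant: CN left at a raw IP, a second SP reusing the id
# "sp_1", and its sp_url served over plain http.
BAD_IDP = dict(GOOD_IDP, self_signed_cert_subject="/C=US/O=IT/CN=10.0.0.5",
               service_providers=[GOOD_IDP["service_providers"][0], {
                   "id": "sp_1",
                   "auth_url": "https://other.example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth",
                   "sp_url": "http://other.example.com:5000/Shibboleth.sso/SAML2/ECP",
               }])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_IDP), ("bad", BAD_IDP)):
        print(name, lint_keystone_idp(cfg) or ["OK"])
```

Run it against the rendered ``keystone_idp`` dictionary (for example dumped
from ``ansible -m debug``) before the playbook is applied; the broken sample
reports the CN mismatch, the duplicate SP id and the plain-http ``sp_url``,
while the rendered page example reports nothing.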
--------------
.. include:: navigation.txt