8d5343db3c
Change-Id: I0809fdbc81d275dc818f0cddb1635cc16185c6f2
OpenStack-Ansible Installation Guide
Identity Service (keystone) service provider background
In OpenStack-Ansible (OSA) the Identity Service (keystone) is set up to use Apache with mod_wsgi. The additional configuration of keystone as a federation service provider (SP) adds Apache mod_shib and configures it to respond to client requests for specific locations.
Note
There are alternative methods of implementing federation, but at this time only SAML2-based federation using the Shibboleth SP is instrumented in OSA.
When requests are sent to those locations, Apache hands off the request to the shibd service. Only requests pertaining to authentication are handed off.
The shibd service configuration is primarily handled through the following files in /etc/shibboleth/ within the keystone containers:

sp-cert.pem, sp-key.pem
    These files are generated on the first keystone container and replicated to the other keystone containers by the os-keystone-install.yml playbook. They are used as signing credentials in communications between the SP and the IdP.

shibboleth2.xml
    This file's contents are written by the os-keystone-install.yml playbook based on the configuration of the keystone_sp structured attribute in the /etc/openstack_deploy/user_variables.yml file. It contains the list of trusted IdPs, the entityID by which the SP will be known, and some other facilitating configuration.

attribute-map.xml
    This file's contents are written by the os-keystone-install.yml playbook based on the configuration of the keystone_sp structured attribute in the /etc/openstack_deploy/user_variables.yml file. It contains some default attribute mappings which will work for any basic Shibboleth-type IdP setup, but also contains any additional attribute mappings which were set out in the keystone_sp structured attribute.

shibd.logger
    This file is left alone by Ansible, but is useful when troubleshooting issues with federated authentication or when trying to discover which attributes published by an IdP are not currently being understood by your SP's attribute map. To enable debug logging, change log4j.rootCategory=INFO to log4j.rootCategory=DEBUG at the top of the file. The log file is written to /var/log/shibboleth/shibd.log.
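The attribute-map.xml and shibd.logger entries above both concern the same troubleshooting question: which attributes an IdP publishes that the SP's attribute map does not yet understand. The following script is an added example, not part of the OpenStack-Ansible project or of this guide. It parses an attribute-map.xml in the Shibboleth SP format (Attribute elements with name and id in the urn:mace:shibboleth:2.0:attribute-map namespace) and the AttributeStatement of a SAML 2.0 assertion, and lists the attribute names present in the assertion but absent from the map. Both XML documents embedded here are constructed samples with made-up values; on a real deployment you would point the functions at /etc/shibboleth/attribute-map.xml and at an assertion captured from a DEBUG-level shibd.log.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by the Shibboleth SP attribute map and by SAML 2.0 assertions.
ATTR_MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample attribute-map.xml: a trimmed-down map with three mappings.
# A real map as written by OSA contains many more entries.
SAMPLE_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="openstack_user" id="openstack_user"/>
</Attributes>
"""

# Constructed sample assertion fragment: what an IdP might publish for a user.
# The attribute names and values are invented for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="openstack_user">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="openstack_roles">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def mapped_attribute_names(attribute_map_xml):
    """Return {SAML attribute name: local id} for every Attribute in an attribute-map.xml.

    Only the name attribute is matched; an entry with a nameFormat restriction is
    treated the same as an unrestricted one, which is sufficient for a first pass.
    """
    root = ET.fromstring(attribute_map_xml)
    mapping = {}
    for attr in root.iter("{%s}Attribute" % ATTR_MAP_NS):
        name = attr.get("name")
        if name:
            mapping[name] = attr.get("id")
    return mapping


def published_attribute_names(assertion_xml):
    """Return the sorted set of attribute names found in a SAML assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    names = {a.get("Name") for a in root.iter("{%s}Attribute" % SAML_NS) if a.get("Name")}
    return sorted(names)


def unmapped_attributes(attribute_map_xml, assertion_xml):
    """Return attribute names the IdP published that the SP's attribute map does not know."""
    mapped = mapped_attribute_names(attribute_map_xml)
    return [name for name in published_attribute_names(assertion_xml) if name not in mapped]


def unmapped_attributes_from_files(map_path, assertion_path):
    """Same check against files on disk, e.g. /etc/shibboleth/attribute-map.xml
    and an assertion saved from a DEBUG-level shibd.log."""
    with open(map_path, encoding="utf-8") as map_file, open(assertion_path, encoding="utf-8") as assertion_file:
        return unmapped_attributes(map_file.read(), assertion_file.read())


if __name__ == "__main__":
    for name in unmapped_attributes(SAMPLE_ATTRIBUTE_MAP, SAMPLE_ASSERTION):
        print("published by IdP but not in attribute-map.xml: %s" % name)
```

Each name the script reports needs an entry in the keystone_sp structured attribute so that the regenerated attribute-map.xml maps it to a local id that your keystone mapping rules can reference; attributes that are mapped but never published are not an error, only unused.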
References
- http://docs.openstack.org/developer/keystone/configure_federation.html
- http://docs.openstack.org/developer/keystone/extensions/shibboleth.html
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration