Allows the configuration of SSO choices for horizon

This change allows enabling the WEBSSO login screen on horizon, which allows to choose from one or more configured SSO providers. Example configuration local_settings: auth: sso: enable: true initial_choice: "acme_oidc" idp_mapping: - name: "acme_oidc" label: "Acme Corporation - OpenID Connect" idp: "myidp1" protocol: "oidc" - name: "acme_saml2" label: "Acme Corporation - SAML2" idp: "myidp2" protocol: "saml2" The initial_choice defaults to "credentials" which is the default Keystone Credential authentication. The values for idp: and protocol: will be used to construct the redirect URL for keystone, which will look like: /v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth Change-Id: I44e11880292176114753274f965bcd0c2cd01302
2018-02-28 00:29:59 +01:00 · 2018-02-28 00:29:59 +01:00 · b129837eaa
commit b129837eaa
parent 62698f7ea7
2 changed files with 31 additions and 6 deletions
--- a/horizon/templates/etc/_local_settings.tpl
+++ b/horizon/templates/etc/_local_settings.tpl
@ -177,21 +177,33 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

+
+{{- if .Values.local_settings.auth.sso.enabled }}
 # Enables keystone web single-sign-on if set to True.
-#WEBSSO_ENABLED = False
+WEBSSO_ENABLED = True

 # Determines which authentication choice to show as default.
-#WEBSSO_INITIAL_CHOICE = "credentials"
+WEBSSO_INITIAL_CHOICE = "{{ .Values.local_settings.auth.sso.initial_choice }}"

 # The list of authentication mechanisms
 # which include keystone federation protocols.
 # Current supported protocol IDs are 'saml2' and 'oidc'
 # which represent SAML 2.0, OpenID Connect respectively.
 # Do not remove the mandatory credentials mechanism.
-#WEBSSO_CHOICES = (
-#    ("credentials", _("Keystone Credentials")),
-#    ("oidc", _("OpenID Connect")),
-#    ("saml2", _("Security Assertion Markup Language")))
+WEBSSO_CHOICES = (
+    ("credentials", _("Keystone Credentials")),
+  {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+    ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
+  {{- end }}
+)
+
+WEBSSO_IDP_MAPPING = {
+  {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+    {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
+  {{- end }}
+}
+
+{{- end }}

 # Disable SSL certificate checks (useful for self-signed certificates):
 #OPENSTACK_SSL_NO_VERIFY = True
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -66,6 +66,19 @@ local_settings:
    enable_firewall: "True"
    enable_vpn: "True"
    enable_fip_topology_check: "True"
+  auth:
+    sso:
+      enabled: False
+      initial_choice: "credentials"
+    idp_mapping:
+      - name: "acme_oidc"
+        label: "Acme Corporation - OpenID Connect"
+        idp: "myidp1"
+        protocol: "oidc"
+      - name: "acme_saml2"
+        label: "Acme Corporation - SAML2"
+        idp: "myidp2"
+        protocol: "saml2"

 conf:
  ceilometer_policy: