Chapter 3. Configure RH-SSO

The RH-SSO installation process is outside the scope of this guide. It is assumed you have already installed RH-SSO on a node that is situated independently from the Red Hat OpenStack Platform director deployment.

  • The RH-SSO URL will be identified by the $FED_RHSSO_URL variable.
  • RH-SSO supports multi-tenancy, and uses realms to allow for separation between tenants. As a result, RH-SSO operations always occur within the context of a realm. This guide uses the site-specific variable $FED_RHSSO_REALM to identify the RH-SSO realm being used.
  • The RH-SSO realm can either be created ahead of time (as would be typical when RH-SSO is administered by an IT group), or the keycloak-httpd-client-install tool can create it for you if you have administrator privileges on the RH-SSO server.

3.1. Configure the RH-SSO Realm

Once the RH-SSO realm is available, use the RH-SSO web console to configure that realm for user federation against IdM:

  1. Select $FED_RHSSO_REALM from the drop-down list in the upper left corner.
  2. Select User Federation from the left side Configure panel.
  3. From the Add provider ... drop down list in the upper right corner of the User Federation panel, select ldap.
  4. Fill in the following fields with these values, be sure to substitute any $FED_ site-specific variable:

    PropertyValue

    Console Display Name

    Red Hat IDM

    Edit Mode

    READ_ONLY

    Sync Registrations

    Off

    Vendor

    Red Hat Directory Server

    Username LDAP attribute

    uid

    RDN LDAP attribute

    uid

    UUID LDAP attribute

    ipaUniqueID

    User Object Classes

    inetOrgPerson, organizationalPerson

    Connection URL

    LDAPS://$FED_IPA_HOST

    Users DN

    cn=users,cn=accounts,$FED_IPA_BASE_DN

    Authentication Type

    simple

    Bind DN

    uid=rhsso,cn=sysaccounts,cn=etc,$FED_IPA_BASE_DN

    Bind Credential

    $FED_IPA_RHSSO_SERVICE_PASSWD

  5. Use the Test connection and Test authentication buttons to check that user federation is working.
  6. Click Save at the bottom of the User Federation panel to save the new user federation provider.
  7. Click on the Mappers tab at the top of the Red Hat IDM user federation page you just created.
  8. Create a mapper to retrieve the user’s group information; this means that a user’s group memberships will be returned in the SAML assertion. You will be using group membership later to provide authorization in OpenStack.
  9. Click on the Create button in the upper right hand corner of the Mappers page.
  10. On the Add user federation mapper page, select group-ldap-mapper from the Mapper Type drop down list, and give it the name Group Mapper. Fill in the following fields with these values, and be sure to substitute any $FED_ site-specific variable.

    PropertyValue

    LDAP Groups DN

    cn=groups,cn=accounts„$FED_IPA_BASE_DN

    Group Name LDAP Attribute

    cn

    Group Object Classes

    groupOfNames

    Membership LDAP Attribute

    member

    Membership Attribute Type

    DN

    Mode

    READ_ONLY

    User Groups Retrieve Strategy

    GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE

  11. Click Save.

3.2. Add User Attributes for SAML Assertion

The SAML assertion can send to keystone the properties that are bound to the user (for example, user metadata); these are called attributes in SAML. You will need to configure RH-SSO to return the required attributes in the assertion. Then, when keystone receives the SAML assertion, it will map those attributes into user metadata in a manner which keystone can then process. The process of mapping IdP attributes into keystone data is called Federated Mapping and will be covered later in this guide (see Section 4.21, “Create the Mapping File and Upload to Keystone”).

RH-SSO calls the process of adding returned attributes Protocol Mapping. Protocol mapping is a property of the RH-SSO client (for example, the service provider (SP) added to the RH-SSO realm). The process for adding a given attribute to SAML follows a similar process.

In the RH-SSO administration web console:

  1. Select $FED_RHSSO_REALM from the drop-down list in the upper left corner.
  2. Select Clients from the left side Configure panel.
  3. Select the SP client that was setup by keycloak-httpd-client-install. It will be identified by its SAML EntityId.
  4. Select the Mappers tab from the horizontal list of tabs appearing at the top of the client panel.
  5. In the Mappers panel in the upper right are two buttons: Create and Add Builtin. Use one of these buttons to add a protocol mapper to the client.

You can add any required attributes, but for this exercise you will only need the list of groups the user is a member of (because group membership is how you will authorize the user).

3.3. Add Group Information to the Assertion

  1. Click on the Create button in the Mappers panel.
  2. In the Create Protocol Mapper panel select Group list from the Mapper type drop-down list.
  3. Enter Group List as a name in the Name field.
  4. Enter groups as the name of the SAML attribute in the Group attribute name field.

    Note

    This is the name of the attribute as it will appear in the SAML assertion. When the keystone mapper searches for names in the Remote section of the mapping declaration, it is the SAML attribute names it is looking for. Whenever you add an attribute in RH-SSO to be passed in the assertion you will need to specify the SAML attribute name; it is the RH-SSO protocol mapper where that name is defined.

  5. In the SAML Attribute NameFormat field select Basic.
  6. In the Single Group Attribute toggle box select On.
  7. Click Save at the bottom of the panel.
Note

keycloak-httpd-client-install adds a group mapper when it runs.