Chapter 2. Federation using Red Hat OpenStack Platform and Red Hat Single Sign-On

Red Hat supports using Red Hat Single Sign-On as an identity provider for Red Hat OpenStack Platform (RHOSP), so that you can use the same federated single sign-on solution in RHOSP that you use in your wider organization.

2.1. Deploying Red Hat OpenStack Platform with Red Hat Single Sign-On

Use the enable-federation-openidc.yaml environment file to deploy Red Hat OpenStack Platform (RHOSP) so that it can be integrated into your federated authentication solution.

Prerequisites

  • You have installed Red Hat OpenStack Platform director.
  • You have a Red Hat Single Sign-On (RH-SSO) federated authentication in your environment.

Procedure

  1. Note your Identity service endpoint. The keystone endpoint is the FQDN value that you assign to the CloudName parameter in the custom-domain.yaml heat template, with the transport and port number included. The keystone endpoint has the following construction:

    https://<FQDN>:13000

    Note: If you do not deploy TLS, your Identity service API endpoint is http://<FQDN>:5000. Red Hat recommends deploying TLS with every production deployment of RHOSP.

  2. Provide your SSO administrator with the following redirect URIs:

    https://<FQDN>:13000/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso
    https://<FQDN>:13000/v3/auth/OS-FEDERATION/websso/openid

    In response, your SSO administrator provides you with a ClientID and a ClientSecret.

  3. Copy the enable-federation-openidc.yaml heat template into the stack home directory:

    $ cp /usr/share/openstack-tripleo-heat-templates/environments/enable-federation-openidc.yaml \
    /home/stack/
  4. Edit your copy of the enable-federation-openidc.yaml environment file. Below is a sample configuration:

    parameter_defaults:
      KeystoneAuthMethods: password,token,oauth1,mapped,application_credential,openid
      KeystoneOpenIdcClientId: <ClientID>
      KeystoneOpenIdcClientSecret: <ClientSecret>
      KeystoneOpenIdcCryptoPassphrase: openstack
      KeystoneOpenIdcIdpName: kcipaIDP
      KeystoneOpenIdcIntrospectionEndpoint: https://rh-sso.local.com/realms/master/protocol/openid-connect/token/introspect
      KeystoneOpenIdcProviderMetadataUrl: https://rh-sso.local.com/realms/master/.well-known/openid-configuration
      KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS
      KeystoneOpenIdcResponseType: id_token
      KeystoneTrustedDashboards: https://overcloud.redhat.local/dashboard/auth/websso/
      WebSSOChoices: [['OIDC', 'OpenID Connect']]
      WebSSOIDPMapping: {'OIDC': ['kcipaIDP', 'openid']}
      WebSSOInitialChoice: OIDC
      KeystoneFederationEnable: True
      KeystoneOpenIdcEnable: True
      KeystoneOpenIdcEnableOAuth: True
      WebSSOEnable: True

    KeystoneAuthMethods
        A comma-delimited list of acceptable methods for authentication.
    KeystoneOpenIdcClientId
        The client ID to use for the OpenID Connect provider handshake. You must get this from your SSO administrator.
    KeystoneOpenIdcClientSecret
        The client secret to use for the OpenID Connect provider handshake. You must get this from your SSO administrator after providing your redirect URIs.
    KeystoneOpenIdcCryptoPassphrase
        A passphrase of your choice that is used to encrypt data for the OpenID Connect handshake.
    KeystoneOpenIdcIdpName
        The name associated with the IdP in the Identity service (keystone). The value for this parameter is always kcipaIDP for RH-SSO.
    KeystoneOpenIdcIntrospectionEndpoint
        The OpenID Connect token introspection endpoint: https://<rh-sso_fqdn>/realms/<realm>/protocol/openid-connect/token/introspect
    KeystoneOpenIdcProviderMetadataUrl
        The URL that points to your OpenID Connect provider metadata.
    KeystoneOpenIdcRemoteIdAttribute
        The attribute used to obtain the entity ID of the identity provider from the environment.
    KeystoneOpenIdcResponseType
        The response type expected from the OpenID Connect provider.
    KeystoneTrustedDashboards
        A dashboard URL trusted for single sign-on. This can also be a comma-delimited list.
    WebSSOChoices
        The list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
    WebSSOIDPMapping
        A mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
  5. Add the enable-federation-openidc.yaml to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
    -e [your environment files] \
    -e /home/stack/templates/enable-federation-openidc.yaml

2.2. Integrating Red Hat OpenStack Platform with Red Hat Single Sign-On

After you deploy Red Hat OpenStack Platform (RHOSP) with Red Hat Single Sign-On (RH-SSO) for federation, you must integrate RH-SSO with RHOSP.

Procedure

  1. Create a federated domain:

    $ openstack domain create <federated_domain_name>

    Example output:

    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | enabled     | True                             |
    | id          | b493634c9dbf4546a2d1988af181d7c9 |
    | name        | my_domain                        |
    | options     | {}                               |
    | tags        | []                               |
    +-------------+----------------------------------+
  2. Set up the federation identity provider:

    $ openstack identity provider create --remote-id https://<rh-sso_fqdn>:9443/realms/<realm> --domain <federated_domain_name> kcipaIDP

    Replace <rh-sso_fqdn> with the fully qualified domain name for RH-SSO. Replace <realm> with the RH-SSO realm; the default realm is master. Replace <federated_domain_name> with the name of the federated domain that you created in step 1.

    Example output:

    +-------------------+-----------------------------------------------------+
    | Field         	| Value                                               |
    +-------------------+-----------------------------------------------------+
    | authorization_ttl | None                                                |
    | description   	| None                                                |
    | domain_id     	| b493634c9dbf4546a2d1988af181d7c9                    |
    | enabled       	| True                                                |
    | id            	| kcipaIDP                                            |
    | remote_ids    	| https://rh-sso.fqdn.local:9443/realms/master        |
    +-------------------+-----------------------------------------------------+
  3. Create a mapping file that is unique to the identity needs of your cloud.

    Example:

    cat > mapping.json << EOF
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "<federated_domain_name>"
                        },
                        "name": "<federated_group_name>"
                    }
                }
            ],
            "remote": [
                {
                    "type": "OIDC-preferred_username"
                }
            ]
        }
    ]
    EOF

    <federated_domain_name>
        The domain that you created in step 1.
    <federated_group_name>
        A name of your choice for the federated group. You create this group in a later step.
    OIDC-preferred_username
        You must use OIDC-preferred_username as the claim ID for RH-SSO.
  4. Use the mapping file to create the federation mapping rules for RHOSP. In the provided example, mapping rules created from the mapping.json file are named IPAmap:

    openstack mapping create --rules <file> <name>

    For example:

    $ openstack mapping create --rules mapping.json IPAmap
  5. Create a federated group:

    $ openstack group create --domain <federated_domain_name> <federated_group_name>
  6. Create an Identity service (keystone) project:

    $ openstack project create --domain <federated_domain_name> <federated_project_name>
  7. Add the Identity service federation group to a role:

    $ openstack role add --group <federated_group_name> --group-domain <federated_domain_name> --project <federated_project_name> --project-domain <federated_domain_name> member
  8. Create the OpenID federation protocol:

    $ openstack federation protocol create openid --mapping IPAmap --identity-provider kcipaIDP
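To see how the identity provider from step 2 and the mapping rules from step 3 work together at login time, here is an added Python example (not keystone's own code, and not part of this guide) that models the two checks keystone performs: the issuer taken from HTTP_OIDC_ISS must match one of the identity provider's remote_ids, and the OIDC-preferred_username claim is substituted into the {0} placeholder of the local user. The hostnames, domain name and group name are assumed values, and only the simple rule form shown above is modelled.

```python
import json

# Constructed example of the mapping.json rules from step 3, with the
# placeholders filled with assumed names (not the page's own values).
MAPPING_RULES = json.loads("""
[{"local": [{"user": {"name": "{0}"},
             "group": {"domain": {"name": "federated_domain"},
                       "name": "federated_users"}}],
  "remote": [{"type": "OIDC-preferred_username"}]}]
""")

# remote_ids registered on the identity provider in step 2 (assumed value).
IDP_REMOTE_IDS = ["https://rh-sso.example.test:9443/realms/master"]

# Constructed request environment as mod_auth_openidc populates it.
SAMPLE_ENV = {"HTTP_OIDC_ISS": IDP_REMOTE_IDS[0],
              "OIDC-preferred_username": "alice"}


def check_remote_id(env, remote_ids):
    # KeystoneOpenIdcRemoteIdAttribute is HTTP_OIDC_ISS: the token issuer must
    # equal one of the provider's remote_ids, or the login is rejected.
    return env.get("HTTP_OIDC_ISS") in remote_ids


def apply_mapping(rules, env):
    # Models the simple rule form used on this page: every remote "type" must
    # be present in the assertion, and the matched values fill {0}, {1}, ...
    # in the local section. None means no rule matched (login fails).
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if value is None:
                break
            values.append(value)
        else:
            rendered = json.dumps(rule["local"])
            for i, value in enumerate(values):
                # json.dumps(...)[1:-1] keeps the substituted value JSON-safe
                rendered = rendered.replace("{%d}" % i, json.dumps(value)[1:-1])
            return json.loads(rendered)
    return None


def federated_login(env):
    # Issuer check first, then derive the local user and group from the rules.
    if not check_remote_id(env, IDP_REMOTE_IDS):
        return None
    return apply_mapping(MAPPING_RULES, env)
```

Running federated_login(SAMPLE_ENV) yields a local user named alice in group federated_users of domain federated_domain, while a token from a different issuer or without the preferred_username claim yields None.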

2.3. Additional resources

For more information on Red Hat Single Sign-On, see the Getting Started Guide.