Thanks for asking, Lance.

Yep. The steps are used to create SSO (Single Sign-On) for using a Google Account to log in to OpenStack.
There are quite a few steps. They are as below.

[Environment] CentOS 7.3

1. Log in to "Google Developers Console" and set up your own project, which is a "web application".
   Note:
   1> After the project is created successfully, write down the "client ID" and "client secret". They will be used later.
   2> Set "http://demo.sso.org:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect" as "the authorized redirect URL".

2. Set up a PackStack.

3. Run the commands below in the PackStack:

   source ~/keystonerc_admin
   openstack group create --domain default --description "Federation User Group" federation_group
   openstack project create --domain default --description "Federation Demo Project" federation_demo_project
   openstack role add --domain default --group federation_group admin
   openstack role add --project federation_demo_project --group federation_group admin
   openstack identity provider create google --remote-id https://accounts.google.com

   (Note: replace "xxx" below with the group id created by the second command above. JSON does not allow comments, so the note is kept outside the file.)

   cat > /tmp/google-mapping-rules.json <<EOF
   [
     {
       "local": [
         {
           "group": {
             "id": "xxx"
           }
         }
       ],
       "remote": [
         {
           "type": "HTTP_OIDC_ISS",
           "any_one_of": [
             "https://accounts.google.com"
           ]
         }
       ]
     }
   ]
   EOF
   openstack mapping create google-idp-mapping --rules /tmp/google-mapping-rules.json
   openstack federation protocol create oidc --identity-provider google --mapping google-idp-mapping

4. Append/add the following to the proper sections of /etc/keystone/keystone.conf:

   [auth]
   # Allowed authentication methods. (list value)
   methods = external,password,token,oauth1,oidc
   oidc = keystone.auth.plugins.mapped.Mapped

   [federation]
   # Value to be used to obtain the entity ID of the Identity Provider from the
   # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
   # Provider`). (string value)
   remote_id_attribute = HTTP_OIDC_ISS
   trusted_dashboard = http://demo.sso.org/dashboard/auth/websso/

5. Install the mod_auth_openidc module for Apache.
   Commands are like below:

   wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/cjose-0.5.1-1.el7.centos.x86_64.rpm
   wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.3.0/mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm
   wget http://springdale.math.ias.edu/data/puias/unsupported/6/x86_64/hiredis-0.12.1-1.sdl6.x86_64.rpm
   yum localinstall -y ./cjose-0.5.1-1.el7.centos.x86_64.rpm
   yum localinstall -y ./hiredis-0.12.1-1.sdl6.x86_64.rpm
   yum localinstall -y ./mod_auth_openidc-2.3.0-1.el7.centos.x86_64.rpm

6. Add the following content to /etc/httpd/conf.d/10-keystone_wsgi_main.conf:

   <VirtualHost *:5000>
       ...
       OIDCScope "openid email profile"
       <Location ~ "/v3/auth/
           Require valid-user
       </Location>
       ...
   </VirtualHost>

7. Append the following to /etc/openstack-dashboard/local_settings:

   # Enables keystone web single-sign-on if set to True.
   WEBSSO_ENABLED = True
   WEBSSO_CHOICES = (
       ("credentials", _("Keystone Credentials")),
       ("oidc", _("OpenID Connect"))
   )
   WEBSSO_INITIAL_CHOICE = "credentials"

8. Run:

   systemctl restart httpd

9. Configure the hosts file on your laptop (the client used to access OpenStack).
   For example, if it's Windows, then modify C:\Windows\System32\drivers\etc\hosts
   Add the following line:

   <the OpenStack Controller node IP> demo.sso.org

10. Use your favourite web browser to access http://demo.sso.org

Then, keep watching /var/log/keystone/keystone.log; you will find that a KeyError about user['name'] is raised when you try to access OpenStack via your Google account.
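The mapping rules in step 3 are the part of this setup that decides which local identity a Google login is turned into, so it is worth checking what they yield before wiring them into keystone. Below is an added example, not keystone's own engine and not code from the post: a small, simplified stand-in for keystone's mapping evaluation that matches each "remote" condition against the request environment mod_auth_openidc populates, substitutes "{N}" placeholders from the remote values that carry no any_one_of/not_any_of condition, and then checks that the result names both a user and a group. The environment values and the HTTP_OIDC_CLAIM_email claim name are constructed for illustration; the only claim name taken from the post is HTTP_OIDC_ISS. The post's group-only mapping is contrasted with a variant that also carries a "user" element, which is the shape keystone's federation documentation uses for mapping rules.

```python
"""Simplified stand-in for keystone's federation mapping evaluation.

Added example for illustration; it is NOT keystone's engine. It handles the
rule shape used in the post: each rule has "remote" conditions (a "type" with
an optional "any_one_of" / "not_any_of" list) and "local" assertions, where a
"{N}" placeholder in a local value is replaced by the N-th remote value that
was matched without an any_one_of/not_any_of condition.
"""
import json
import re

# Constructed request environment, as mod_auth_openidc would hand it to
# keystone. HTTP_OIDC_CLAIM_email is an assumed claim name for illustration.
SAMPLE_ENV = {
    "HTTP_OIDC_ISS": "https://accounts.google.com",
    "HTTP_OIDC_CLAIM_email": "alice@example.com",
}

# The mapping from the post: it yields a group but no "user" element.
GROUP_ONLY_RULES = json.loads("""
[
  {
    "local": [
      {"group": {"id": "xxx"}}
    ],
    "remote": [
      {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://accounts.google.com"]}
    ]
  }
]
""")

# Same rule extended with a "user" element whose name comes from the e-mail
# claim (remote index 0; the any_one_of issuer check does not count as a value).
USER_AND_GROUP_RULES = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}"}},
      {"group": {"id": "xxx"}}
    ],
    "remote": [
      {"type": "HTTP_OIDC_CLAIM_email"},
      {"type": "HTTP_OIDC_ISS", "any_one_of": ["https://accounts.google.com"]}
    ]
  }
]
""")


def _match_remote(cond, env):
    """Return (matched, value_for_substitution) for one remote condition."""
    value = env.get(cond["type"])
    if value is None:
        return False, None
    if "any_one_of" in cond:
        return value in cond["any_one_of"], None
    if "not_any_of" in cond:
        return value not in cond["not_any_of"], None
    return True, value


def _substitute(obj, values):
    """Replace "{N}" placeholders in strings with the N-th matched remote value."""
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], obj)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    return obj


def apply_mapping(rules, env):
    """Evaluate rules in order; return {"user": ..., "group_ids": [...]} for the
    first rule whose remote conditions all match, or None if none matches."""
    for rule in rules:
        values = []
        for cond in rule["remote"]:
            matched, value = _match_remote(cond, env)
            if not matched:
                break
            if value is not None:
                values.append(value)
        else:  # every remote condition matched
            result = {"user": None, "group_ids": []}
            for local in rule["local"]:
                local = _substitute(local, values)
                if "user" in local:
                    result["user"] = local["user"]
                if "group" in local:
                    result["group_ids"].append(local["group"]["id"])
            return result
    return None


def check_mapping(rules, env):
    """Pre-deployment check: a usable mapping must yield a user name and a group."""
    mapped = apply_mapping(rules, env)
    if mapped is None:
        return "no rule matched the remote attributes"
    if not mapped["user"] or "name" not in mapped["user"]:
        return "mapping yields no user name"
    if not mapped["group_ids"]:
        return "mapping yields no group"
    return "ok"


if __name__ == "__main__":
    print("group-only mapping:", check_mapping(GROUP_ONLY_RULES, SAMPLE_ENV))
    print("user+group mapping:", check_mapping(USER_AND_GROUP_RULES, SAMPLE_ENV))
```

Running the check against the post's mapping reports that no user name is produced, while the variant with a "user" element maps the e-mail claim to a user name and still assigns the group. Whatever claim a deployment uses for the user name, the any_one_of condition on HTTP_OIDC_ISS is what keeps the rule from accepting assertions from an issuer other than accounts.google.com, so it should stay in any extended rule.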