准备工作
两台Ubuntu16.04机器,分别使用devstack部署Keystone服务。Keystone默认以uwsgi的方式托管在Apache下面。本文的Keystone是2018.04.25的Master代码,保证最新。
根据这两台机器的IP,添加域名映射到
/etc/hosts
。1
210.3.150.135 idphost
10.3.150.136 sphost配置
Keystone as SP
安装libapache2-mod-shib2
1
sudo apt install -y libapache2-mod-shib2
生成公私钥对
1
sudo shib-keygen -f
启用服务
1
sudo a2enmod shib2
配置shibboleth
修改文件
/etc/shibboleth/attribute-map.xml
:1
2
3
4
5
6新增几个属性:
<Attribute id="openstack_project" name="openstack_project"/>
<Attribute id="openstack_project_domain" name="openstack_project_domain"/>
<Attribute id="openstack_roles" name="openstack_roles"/>
<Attribute id="openstack_user" name="openstack_user"/>
<Attribute id="openstack_user_domain" name="openstack_user_domain"/>修改
/etc/shibboleth/shibboleth2.xml
:1
2
3
4
5
6
7
8
9
10
11
12修改几个地方:
...
# SP的名字
<ApplicationDefaults entityID="KeystoneServiceProvider">
...
# IdP的remote_id
<SSO entityID="http://idphost/identity/v3/OS-FEDERATION/mapped/idp" ECP="true">
...
# IdP的saml metadata URL
<MetadataProvider type="XML" uri="http://idphost/identity/v3/OS-FEDERATION/saml2/metadata"
backingFilePath="metadata.xml" reloadInterval="180000" />
...重启shibboleth:
1
sudo service shibd restart
启用Apache重导向。
修改Apache文件
/etc/apache2/sites-available/keystone-wsgi-public.conf
,文件最后加入如下信息。1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17ProxyPass /Shibboleth.sso !
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /identity/v3/OS-FEDERATION/identity_providers/KeystoneIdP/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>重启Apache服务
1
service apache2 restart
确保如下配置项在keystone.conf中配置正确:
1
2
3
4
5
6
7
8
9...
[auth]
# methods中要包含mapped
methods = ...., mapped
...
[mapped]
# federation的识别符,表示使用mod-shib2这种方式。
remote_id_attribute = Shib-Identity-Provider
...创建Keystone的对应资源。
创建新的domain、group并绑定角色:
1
2
3
4
5openstack domain create federated_domain
openstack project create federated_project --domain federated_domain
openstack group create federated_users --domain federated_domain
openstack role add --group federated_users --domain federated_domain Member
openstack role add --group federated_users --project federated_project Member创建Mapping:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26cat > rules.json <<EOF
[
{
"local": [
{
"user": {
"name": "{0}"
},
"group": {
"domain": {
"name": "federated_domain"
},
"name": "federated_users"
}
}
],
"remote": [
{
"type": "openstack_user"
}
]
}
]
EOF
openstack mapping create --rules rules.json KeystoneIdP_mapping创建Identity Provider:
1
openstack identity provider create KeystoneIdP --remote-id http://idphost/identity/v3/OS-FEDERATION/mapped/idp
创建Protocol:
1
openstack federation protocol create mapped --mapping KeystoneIdP_mapping --identity-provider KeystoneIdP
Keystone as IdP
安装依赖:
1
2sudo apt install -y xmlsec1
sudo pip install pysaml2创建秘钥和证书:
1
openssl req -x509 -newkey rsa:2048 -keyout /etc/keystone/keystone-saml-key.pem -out /etc/keystone/keystone-saml-cert.pem -days 9999 -nodes
配置Keystone:
在keystone.conf中:
1
2
3
4
5
6[saml]
certfile=/etc/keystone/keystone-saml-cert.pem
keyfile=/etc/keystone/keystone-saml-key.pem
idp_entity_id=http://idphost/identity/v3/OS-FEDERATION/mapped/idp
idp_sso_endpoint=http://idphost/identity/v3/OS-FEDERATION/saml2/sso
idp_metadata_path=/etc/keystone/keystone_idp_metadata.xml重启Keystone:
1
service devstack@keystone restart
生成metadta文件。
1
keystone-manage saml_idp_metadata > /etc/keystone/keystone_idp_metadata.xml
创建Service Provider:
1
openstack service provider create --auth-url http://sphost/identity/v3/OS-FEDERATION/identity_providers/KeystoneIdP/protocols/mapped/auth --service-provider-url http://sphost/Shibboleth.sso/SAML2/ECP KeystoneServiceProvider
测试
测试脚本:
1 | import json |
测试流程:
- 获取IdP中admin用户的scoped token
- 用该token在IdP中获取SP需要的saml assertion。
- 访问SP,校验该assertion
- 使用该assertion在SP中生成unscoped token。
总结
Keystone 的Federation配置复杂,任何一步操作不当就可能会引起一系列错误,读者在操作的时候需要仔细。容易出错的地方在于IdP、SP、shibboleth、Apache四者之间数据的配置不一致。
Federation一般常被WebUI封装,通过websso方式实现页面中IDP与SP之间的自动跳转。我将在下一篇文章中介绍如何配置Keysont二和Horizon,使两者串起来,实现websso。