Configure Openstack for Single Sign On with Globus
Steven Lee edited this page Feb 4, 2019 · 14 revisions
- Go to https://developers.globus.org. Click on "Register your app with Globus".
- Add a new project and app using the following parameters:
- Scopes: "openid email profile"
- Redirects: `https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect`
  - The default keystone port is 5000. Aristotle clouds are encouraged to run keystone on port 8770 because port 5000 is blocked by many ISPs.
- Native App: leave unchecked
- After the app is created, generate a client secret using the "Generate New Client Secret" button. Note down the client ID and client secret.
- Add the following lines to `/etc/openstack-dashboard/local_settings`:

  ```python
  WEBSSO_ENABLED = True
  WEBSSO_CHOICES = (
      ("credentials", _("Keystone Credentials")),
      ("globus", _("Globus Auth")),
  )
  WEBSSO_IDP_MAPPING = {
      "credentials": ("credentials", "password"),
      "globus": ("globus", "openidc"),
  }
  ```
- Restart Horizon for the change to take effect:

  ```sh
  systemctl restart httpd
  ```
- Configure Keystone to:
  - run as an Apache WSGI web app, and
  - have SSL enabled, because Globus Auth requires an HTTPS redirect URI.
- Create a `globus` domain:

  ```sh
  openstack domain create globus
  ```
- Insert the following lines in `/etc/httpd/conf.d/10-keystone_wsgi_main.conf`:

  ```apache
  LoadModule auth_openidc_module modules/mod_auth_openidc.so

  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "code"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "https://auth.globus.org/.well-known/openid-configuration"
  OIDCClientID "<Globus Auth Client ID>"
  OIDCClientSecret "<Globus Auth Client Secret>"
  OIDCCryptoPassphrase "<random string>"
  OIDCRedirectURI "https://<cloud controller public host name>:5000/v3/OS-FEDERATION/identity_providers/globus/protocols/openidc/auth/redirect"

  <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  OIDCRedirectURI "https://<cloud controller public host name>:5000/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect"

  <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>
  ```
- Insert the following lines in `/etc/keystone/keystone.conf`:

  ```ini
  [auth]
  methods = password,token,openidc
  openidc = keystone.auth.plugins.mapped.Mapped

  [federation]
  remote_id_attribute = HTTP_OIDC_ISS
  federated_domain_name = globus
  trusted_dashboard = https://<cloud controller public host name>/dashboard/auth/websso/
  ```
- Restart Keystone for the changes to take effect:

  ```sh
  systemctl restart httpd
  ```
- Create the `globus` identity provider:

  ```sh
  openstack identity provider create --remote-id https://auth.globus.org --domain globus globus
  ```
- Use this `generate_mapping_from_portal.py` script to generate the mapping file from Aristotle user accounts published by the Aristotle portal.
  - Substitute the appropriate `aristotle_domain` and `aristotle_mapping_name`.
  - Note: you will need to email help@federatedcloud.org with your IP address to request access to Aristotle user accounts.
- Set up a cron job to run `generate_mapping_from_portal.py` periodically to update the mapping file. Use the `aristotle_user_accounts` puppet module as a guide.
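The page does not show what the generated mapping looks like. The following is an added example, not the project's `generate_mapping_from_portal.py`; it assumes the portal publishes one record per account with an `email` and a `username`, that those users already exist as local users in the `aristotle_domain` (`globus`), and it uses an assumed group name `aristotle-users`. Each rule matches the `OIDC-email` claim exactly, so a Globus login can only land on the one Keystone account published for that address.

```python
import json
import re

# Constructed sample of the portal's published accounts (assumed shape: one
# record per account with the Globus login email and the Keystone user name).
SAMPLE_ACCOUNTS = [
    {"email": "alice@example.edu", "username": "alice"},
    {"email": "bob@example.edu", "username": "bob"},
    {"email": "", "username": "orphan"},  # no email: cannot be matched, skipped
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_mapping(accounts, aristotle_domain, group_name="aristotle-users"):
    """One Keystone mapping rule per account: the OIDC-email claim that
    mod_auth_openidc (OIDCClaimPrefix "OIDC-") passes to Keystone must equal
    the published address exactly (any_one_of, no regex); it maps to the
    pre-existing local user in aristotle_domain plus a group (assumed name).
    """
    rules, seen = [], {}
    for acct in accounts:
        email = acct.get("email", "").strip()
        if not EMAIL_RE.match(email):
            continue  # unmatched accounts simply get no rule
        if email in seen:
            if seen[email] != acct["username"]:
                raise ValueError(f"{email} is claimed by two accounts")
            continue  # exact duplicate record, one rule is enough
        seen[email] = acct["username"]
        rules.append({
            "local": [
                {"user": {"name": acct["username"], "type": "local",
                          "domain": {"name": aristotle_domain}}},
                {"group": {"name": group_name,
                           "domain": {"name": aristotle_domain}}},
            ],
            "remote": [{"type": "OIDC-email", "any_one_of": [email]}],
        })
    return rules


def write_mapping(rules, path):
    """Write the rules in the form `openstack mapping create --rules` reads."""
    with open(path, "w") as f:
        json.dump(rules, f, indent=2)


if __name__ == "__main__":
    rules = build_mapping(SAMPLE_ACCOUNTS, "globus")
    write_mapping(rules, "globus_mapping.json")
    print("openstack mapping create --rules globus_mapping.json <aristotle_mapping_name>")
```

The mapping still has to be attached to the identity provider's protocol (`openstack federation protocol create openidc --identity-provider globus --mapping <aristotle_mapping_name>`), a step this page leaves to the script.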