
Configure Openstack for Single Sign On with Globus

Steven Lee edited this page Feb 4, 2019 · 14 revisions

Register Globus Auth Client

  1. Go to https://developers.globus.org. Click on "Register your app with Globus".
  2. Add a new project and app using the following parameters:
    • Scopes: "openid email profile"
    • Redirects: https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect
      • The default Keystone port is 5000. Aristotle clouds are encouraged to run Keystone on port 8770 because port 5000 is blocked by many ISPs. Whichever port you use, the redirect registered here must match the OIDCRedirectURI in the Keystone Apache config exactly (scheme, host, port and path); an authorization request with an unregistered redirect URI is refused.
    • Native App: leave unchecked
  3. After the app is created, generate a client secret using the "Generate New Client Secret" button. Note down the client ID and client secret.

Globus Auth Documentation

Configure Horizon

  1. Add the following lines to /etc/openstack-dashboard/local_settings:
    WEBSSO_ENABLED = True
    
    WEBSSO_CHOICES = (
        ("credentials", _("Keystone Credentials")),
        ("globus", _("Globus Auth")),
    )
    
    WEBSSO_IDP_MAPPING = {
        "credentials": ("credentials", "password"),
        "globus": ("globus", "openidc"),
    }
    
  2. Restart Horizon for the change to take effect:
    systemctl restart httpd
    

Configure Keystone

  1. Configure Keystone to:
    1. run as an Apache (mod_wsgi) web app, and
    2. serve HTTPS, because Globus Auth only accepts https:// redirect URIs.
  2. Create a globus domain:
    openstack domain create globus
    
  3. Insert the following lines in /etc/httpd/conf.d/10-keystone_wsgi_main.conf. The file now holds the Globus client secret, so keep it readable by root only (Apache reads its configuration before dropping privileges):
    LoadModule auth_openidc_module modules/mod_auth_openidc.so
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "code"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL "https://auth.globus.org/.well-known/openid-configuration"
    OIDCClientID "<Globus Auth Client ID>"
    OIDCClientSecret "<Globus Auth Client Secret>"
    OIDCCryptoPassphrase "<random string>"
    
    OIDCRedirectURI "https://<cloud controller public host name>:<keystone port>/v3/OS-FEDERATION/identity_providers/globus/protocols/openidc/auth/redirect"
    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
        AuthType "openid-connect"
        Require valid-user
    </LocationMatch>
    
    OIDCRedirectURI "https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect"
    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
        AuthType "openid-connect"
        Require valid-user
    </LocationMatch>
    
  4. Insert the following lines in /etc/keystone/keystone.conf:
    [auth]
    methods = password,token,openidc
    openidc=keystone.auth.plugins.mapped.Mapped
    
    [federation]
    remote_id_attribute = HTTP_OIDC_ISS
    federated_domain_name = globus
    trusted_dashboard=https://<cloud controller public host name>/dashboard/auth/websso/
    
  5. Restart Keystone for the changes to take effect:
    systemctl restart httpd
    
  6. Create globus identity provider:
    openstack identity provider create --remote-id https://auth.globus.org --domain globus globus
    
  7. Use this generate_mapping_from_portal.py script to generate the mapping file from Aristotle user accounts published by the Aristotle portal.
    • Substitute the appropriate aristotle_domain and aristotle_mapping_name.
    • Note: you will need to email help@federatedcloud.org with your IP address to request access to Aristotle user accounts.
  8. Set up a cron job to run generate_mapping_from_portal.py periodically to update the mapping file. Use the aristotle_user_accounts puppet module as a guide.
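The mapping file produced in steps 7 and 8 is what decides which Globus identities may log in and which local account each one becomes. The following is an added example, not the project's generate_mapping_from_portal.py: it builds a Keystone mapping from a constructed list of Aristotle-style accounts (the real portal export format is an assumption), pins every rule to the Globus issuer, and dry-runs the result against the claims Keystone would see. The claim names HTTP_OIDC_ISS and HTTP_OIDC_EMAIL assume mod_auth_openidc passes claims as request headers, the same convention as remote_id_attribute = HTTP_OIDC_ISS above; the rule evaluator is a simplified stand-in for Keystone's own.

```python
"""
Added example (not the project's generate_mapping_from_portal.py): build a
Keystone federation mapping that admits only the listed Globus identities,
each mapped to a pre-existing local user in the "globus" domain, and dry-run
it against the claims mod_auth_openidc hands to Keystone.
"""
import json

GLOBUS_ISSUER = "https://auth.globus.org"  # same value as the identity provider's --remote-id
FEDERATED_DOMAIN = "globus"                # the domain created with `openstack domain create globus`

# Constructed sample data; the real portal export format is an assumption.
SAMPLE_ACCOUNTS = [
    {"globus_email": "alice@example.edu", "openstack_user": "alice"},
    {"globus_email": "bob@example.edu", "openstack_user": "bob"},
    {"globus_email": "", "openstack_user": "nobody"},                   # no Globus identity: skipped
    {"globus_email": "Alice@Example.edu", "openstack_user": "alice2"},  # same identity again: skipped
]


def build_mapping(accounts, issuer=GLOBUS_ISSUER, domain=FEDERATED_DOMAIN):
    """Return Keystone mapping rules, one per allowed Globus e-mail address.

    A rule fires only when the issuer claim is Globus AND the e-mail claim is
    exactly the listed address; it then maps to an existing local user
    ("type": "local") in the federated domain. Identities with no rule are
    refused, so the mapping doubles as the allow-list.
    """
    rules = []
    seen = set()
    for acct in accounts:
        email = (acct.get("globus_email") or "").strip()
        user = (acct.get("openstack_user") or "").strip()
        # Keystone's any_one_of match is exact, so keep the address as published
        # and only use the lower-cased form to drop duplicates.
        if not email or not user or email.lower() in seen:
            continue
        seen.add(email.lower())
        rules.append({
            "local": [
                {"user": {"name": user, "domain": {"name": domain}, "type": "local"}}
            ],
            "remote": [
                # Assumption: claims arrive as headers that WSGI exposes as
                # HTTP_OIDC_<CLAIM>, matching remote_id_attribute = HTTP_OIDC_ISS.
                {"type": "HTTP_OIDC_ISS", "any_one_of": [issuer]},
                {"type": "HTTP_OIDC_EMAIL", "any_one_of": [email]},
            ],
        })
    return rules


def resolve_user(rules, claims):
    """Simplified stand-in for Keystone's rule processor (assumption: exact
    any_one_of matching, every remote requirement must hold, first matching
    rule wins). Returns the local user name, or None when the login is refused."""
    for rule in rules:
        if all(claims.get(req["type"]) in req["any_one_of"] for req in rule["remote"]):
            return rule["local"][0]["user"]["name"]
    return None


def mapping_json(rules):
    """Serialize the rules in the form `openstack mapping create --rules FILE` reads."""
    return json.dumps(rules, indent=2, sort_keys=True)


if __name__ == "__main__":
    rules = build_mapping(SAMPLE_ACCOUNTS)
    print(mapping_json(rules))
    # A Globus login for alice resolves; a forged issuer or an unlisted address does not.
    print(resolve_user(rules, {"HTTP_OIDC_ISS": GLOBUS_ISSUER, "HTTP_OIDC_EMAIL": "alice@example.edu"}))
    print(resolve_user(rules, {"HTTP_OIDC_ISS": "https://idp.attacker.example", "HTTP_OIDC_EMAIL": "alice@example.edu"}))
```

Write the output to a file such as /etc/keystone/globus_mapping.json, then register it and bind it to the identity provider from step 6 with `openstack mapping create --rules /etc/keystone/globus_mapping.json globus_mapping` followed by `openstack federation protocol create --identity-provider globus --mapping globus_mapping openidc`; later cron runs update the rules in place with `openstack mapping set --rules /etc/keystone/globus_mapping.json globus_mapping`. Pinning HTTP_OIDC_ISS inside each rule is redundant with the identity provider's remote-id check but costs nothing and keeps the mapping safe if it is ever reused for another protocol.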