
Configure Openstack for Single Sign On with Globus

Steven Lee edited this page Feb 4, 2019 · 14 revisions

Register Globus Auth Client

  1. Go to the Globus Auth developer site and click "Register your app with Globus".
  2. Add a new project and app using the following parameters:
    • Scopes: "openid email profile"
    • Redirects: https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect
      • The default keystone port is 5000. Aristotle clouds are encouraged to run keystone on port 8770 because port 5000 is blocked by many ISPs. Whichever port you choose, the redirect URI registered here must match the OIDCRedirectURI configured in Apache exactly (scheme, host, port and path); OAuth2 redirect URIs are compared as plain strings, and a mismatch makes Globus Auth reject the authorization request.
    • Native App: leave unchecked
  3. After the app is created, generate a client secret using the "Generate New Client Secret" button. Note down the client ID and client secret.

Globus Auth Documentation

Configure Horizon

  1. Add the following lines to /etc/openstack-dashboard/local_settings. The "globus" entries belong in WEBSSO_CHOICES and WEBSSO_IDP_MAPPING, and WEBSSO_ENABLED must be True or the login page will not show the selector:
        WEBSSO_ENABLED = True
        WEBSSO_CHOICES = (
            ("credentials", _("Keystone Credentials")),
            ("globus", _("Globus Auth")),
        )
        # login-page choice -> (identity provider name, protocol name) as registered in Keystone
        WEBSSO_IDP_MAPPING = {
            "credentials": ("credentials", "password"),
            "globus": ("globus", "openidc"),
        }
  2. Restart Horizon for the change to take effect:
    systemctl restart httpd

Configure Keystone

  1. Configure Keystone to run as an Apache WSGI web app with SSL enabled. SSL is required because Globus Auth only accepts https redirect URIs.
  2. Create a globus domain:
    openstack domain create globus
  3. Insert the following lines in /etc/httpd/conf.d/10-keystone_wsgi_main.conf. Both OIDCRedirectURI values must use the same scheme, host and port that were registered with Globus (5000 only if keystone really listens there). OIDCCryptoPassphrase protects the module's state cookie and session cache, so use a long random value and treat it, like the client secret, as a credential:
    LoadModule auth_openidc_module modules/
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "code"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL "<Globus Auth OpenID Connect discovery document URL>"
    OIDCClientID "<Globus Auth Client ID>"
    OIDCClientSecret "<Globus Auth Client Secret>"
    OIDCCryptoPassphrase "<random string>"
    OIDCRedirectURI "https://<cloud controller public host name>:<keystone port>/v3/OS-FEDERATION/identity_providers/globus/protocols/openidc/auth/redirect"
    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
        AuthType "openid-connect"
        Require valid-user
    </LocationMatch>
    OIDCRedirectURI "https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect"
    <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
        AuthType "openid-connect"
        Require valid-user
    </LocationMatch>
  4. Insert the following lines in /etc/keystone/keystone.conf, each under the section shown (the remote_id_attribute section is named after the protocol, here openidc):
    [auth]
    methods = password,token,openidc

    [openidc]
    remote_id_attribute = HTTP_OIDC_ISS

    [federation]
    federated_domain_name = globus
    trusted_dashboard = https://<cloud controller public host name>/dashboard/auth/websso/
  5. Restart Keystone for the changes to take effect:
    systemctl restart httpd
  6. Create the globus identity provider. The remote ID must equal the issuer (iss) value that Globus Auth places in its ID tokens, because Keystone selects the identity provider by comparing it against the HTTP_OIDC_ISS attribute configured above:
    openstack identity provider create --remote-id <Globus Auth issuer URL> --domain globus globus
  7. Use this script to generate the mapping file from the Aristotle user accounts published by the Aristotle portal.
    • Substitute the appropriate aristotle_domain and aristotle_mapping_name.
    • Note: you will need to send an email with your IP address to request access to the Aristotle user accounts.
  8. Set up a cron job to run periodically to update the mapping file. Use the aristotle_user_accounts puppet module as a guide.
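The mapping file that steps 7 and 8 generate is the piece that decides which Globus identities may log in and which Keystone user each one becomes. The following is an added example, not the Aristotle project's script or puppet module: it assumes a constructed account format of one "<aristotle username> <globus email>" pair per line, assumes the local users already exist in the globus domain (the "type": "local" binding), and emits one Keystone mapping rule per account so that a Globus identity that is not on the published list matches no rule and is refused. The claim name OIDC-email follows from OIDCClaimPrefix "OIDC-" in the Apache configuration above; the domain and mapping name are the placeholders from step 7.

```python
"""Build a Keystone federation mapping from published Aristotle accounts.

Added example, not the Aristotle project's own script. Assumed input format
(constructed): one account per line, "<aristotle username> <globus email>".
"""
import json
import re

ARISTOTLE_DOMAIN = "globus"                 # must equal federated_domain_name in keystone.conf
ARISTOTLE_MAPPING_NAME = "aristotle_mapping"  # hypothetical mapping name

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of what the portal might publish (blank lines allowed).
SAMPLE_ACCOUNTS = """\
alice alice@example.edu
bob   bob@example.edu

"""

# Constructed bad input: a malformed address and a duplicate address. Either
# must abort the run rather than silently produce a partial or ambiguous mapping.
BAD_ACCOUNTS = """\
alice alice@example.edu
mallory not-an-email
eve   Alice@example.edu
"""


def parse_accounts(text):
    """Return [(username, email)] pairs; raise ValueError on malformed or duplicate entries."""
    accounts = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or not EMAIL_RE.match(parts[1]):
            raise ValueError("line %d: expected '<username> <email>', got %r" % (lineno, line))
        username, email = parts
        key = email.lower()                 # e-mail local parts are case-preserved but compared case-insensitively here
        if key in seen:
            raise ValueError("line %d: duplicate address %s" % (lineno, email))
        seen.add(key)
        accounts.append((username, email))
    return accounts


def build_rules(accounts, domain=ARISTOTLE_DOMAIN):
    """One Keystone mapping rule per account.

    remote: the OIDC-email claim set by mod_auth_openidc must equal the published
            address exactly (any_one_of); unlisted identities match nothing.
    local:  bind the login to the pre-existing Keystone user in the federated domain.
    """
    rules = []
    for username, email in accounts:
        rules.append({
            "local": [
                {"user": {"name": username,
                          "domain": {"name": domain},
                          "type": "local"}}
            ],
            "remote": [
                {"type": "OIDC-email", "any_one_of": [email]}
            ],
        })
    return rules


def write_mapping(accounts_text, path):
    """Validate the published accounts and write the rules file; returns the rule count."""
    rules = build_rules(parse_accounts(accounts_text))
    with open(path, "w") as fh:
        json.dump(rules, fh, indent=2)
    return len(rules)


if __name__ == "__main__":
    print(json.dumps(build_rules(parse_accounts(SAMPLE_ACCOUNTS)), indent=2))
```

Register the generated file once with `openstack mapping create --rules rules.json aristotle_mapping` and attach it to the provider with `openstack federation protocol create openidc --identity-provider globus --mapping aristotle_mapping` (the protocol name must be the `openidc` that appears in the Apache and Horizon settings). The cron job from step 8 then only needs to regenerate the file and run `openstack mapping set --rules rules.json aristotle_mapping`; because the script refuses malformed or duplicate input, a broken portal export leaves the previous mapping in place instead of replacing it with a partial one.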