Test Identity Provider setup¶
This guide shows how to create an Identity Provider that handles the OpenID Connect protocol to authenticate users when using Federation with OpenStack (these configurations must not be used in a production environment).
Keycloak¶
Keycloak is a Java application that implements an Identity Provider handling both OpenID Connect and SAML protocols.
To setup a Keycloak instance for testing is pretty simple with Docker.
Creating the Docker Keycloak instance¶
Run the docker command:
docker run -p 8080:8080 -p 8443:8443 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:latest
This will create a Keycloak instance that has the admin credentials as admin/admin and is listening on port 8080.
After creating the instance, you will need to log in to the Keycloak as administrator and setup the first Identity Provider.
Creating an Identity Provider with Keycloak¶
The following guide assumes that the steps are executed from the same machine (localhost), but you can change the hostname if you want to run it from elsewhere.
In this guide, we will use the ‘new_realm’ as the realm name in Keycloak, so, if you want to use any other realm name, you must to change ‘new_realm’ in the URIs used in the guide and replace the ‘new_realm’ with the realm name that you are using.
Access the admin console on http://localhost:8080/auth/ in the Administration Console option.
Authenticate using the credentials defined in the creation step.
Create a new realm in the http://localhost:8080/auth/admin/master/console/#/create/realm page.
After creating a realm, you will need to create a client to be used by Keystone; to do it, just access http://localhost:8080/auth/admin/master/console/#/create/client/new_realm.
To create a client, you will need to set the client_id (just choose anyone), the protocol (must be openid-connect) and the Root Url (you can leave it blank)
After creating the client, you will need to update some client’s attributes like:
Enable the Implicit flow (this one allows you to use the OpenStack CLI with oidcv3 plugin)
Set Access Type to confidential
Add the Horizon and Keystone URIs to the Valid Redirect URIs. Keystone should be within the ‘/redirect_uri’ path, for example: https://horizon.com/ and https://keystone.com/redirect_uri
Save the changes
Access the client’s Mappers tab to add the user’s attributes that will be shared with the client (Keystone):
In this guide, we will need the following attribute mappers in Keycloak:
name/user attribute/token claim name
mapper type
openstack-user-domain
user attribute
openstack-default-project
user attribute
After creating the client, you will need to create a user in that realm to log in OpenStack via identity federation
To create a user, access http://localhost:8080/auth/admin/master/console/#/create/user/new_realm and fill the form with the user’s data
After creating the user, you can access the tab “Credentials” to set the user’s password
Then, in the tab “Attributes”, you must set the authorization attributes to be used by Keystone, these attributes are defined in the attribute mapping in Keystone
After you create the Identity provider, you will need to get some data from the Identity Provider to configure in Kolla-Ansible
Configuring Kolla Ansible to use the Identity Provider¶
This section is about how one can get the data needed in Setup OIDC via Kolla Ansible.
name: The realm name, in this case it will be “new_realm”
identifier: http://localhost:8080/auth/realms/new_realm/ (again, the “new_realm” is the name of the realm)
certificate_file: This one can be downloaded from http://localhost:8080/auth/admin/master/console/#/realms/new_realm/keys
metadata_folder:
localhost%3A8080%2Fauth%2Frealms%2Fnew_realm.client:
client_id: Access http://localhost:8080/auth/admin/master/console/#/realms/new_realm/clients , and access the client you created for Keystone, copy the Client ID displayed in the page
client_secret: In the same page you got the client_id, access the tab “Credentials” and copy the secret value
localhost%3A8080%2Fauth%2Frealms%2Fnew_realm.provider: Copy the json from http://localhost:8080/auth/realms/new_realm/.well-known/openid-configuration (the “new_realm” is the realm name)
localhost%3A8080%2Fauth%2Frealms%2Fnew_realm.conf: You can leave this file as an empty json “{}”
After you finished the configuration of the Identity Provider, your main configuration should look something like the following:
keystone_identity_providers:
- name: "new_realm"
openstack_domain: "new_domain"
protocol: "openid"
identifier: "http://localhost:8080/auth/realms/new_realm"
public_name: "Authenticate via new_realm"
attribute_mapping: "attribute_mapping_keycloak_new_realm"
metadata_folder: "/root/inDev/meta-idp"
certificate_file: "/root/inDev/certs/LRVweuT51StjMdsna59jKfB3xw0r8Iz1d1J1HeAbmlw.pem"
keystone_identity_mappings:
- name: "attribute_mapping_keycloak_new_realm"
file: "/root/inDev/attr_map/attribute_mapping.json"
Then, after deploying OpenStack, you should be able to log in Horizon using the “Authenticate using” -> “Authenticate via new_realm”, and writing “new_realm.com” in the “E-mail or domain name” field. After that, you will be redirected to a new page to choose the Identity Provider in Keystone. Just click in the link “localhost:8080/auth/realms/new_realm”; this will redirect you to Keycloak (idP) where you will need to log in with the user that you created. If the user’s attributes in Keycloak are ok, the user will be created in OpenStack and you will be able to log in Horizon.
Attribute mapping¶
This section shows how to create the attribute mapping to map an Identity Provider user to a Keystone user (ephemeral).
The ‘OIDC-’ prefix in the remote types is defined in the ‘OIDCClaimPrefix’ configuration in the wsgi-keystone.conf file; this prefix must be in the attribute mapping as the mod-oidc-wsgi is adding the prefix in the user’s attributes before sending it to Keystone. The attribute ‘openstack-user-domain’ will define the user’s domain in OpenStack and the attribute ‘openstack-default-project’ will define the user’s project in the OpenStack (the user will be assigned with the role ‘member’ in the project)
[
{
"local": [
{
"user": {
"name": "{0}",
"email": "{1}",
"domain": {
"name": "{2}"
}
},
"domain": {
"name": "{2}"
},
"projects": [
{
"name": "{3}",
"roles": [
{
"name": "member"
}
]
}
]
}
],
"remote": [
{
"type": "OIDC-preferred_username"
},
{
"type": "OIDC-email"
},
{
"type": "OIDC-openstack-user-domain"
},
{
"type": "OIDC-openstack-default-project"
}
]
}
]