progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration

Differences

This shows you the differences between two versions of the page.

progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration [2019/11/15 08:38] – [Setup for ESACO] andreett@infn.it
progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration [2019/11/29 10:29] (current) – [Setup for ESACO] andreett@infn.it
Line 1: Line 1:
 +====== IAM Integration =======
  
 +Official documentation for [[https://indigo-dc.gitbooks.io/keystone-with-oidc-documentation/content/admin-iam-conf.html|indigo-IAM]]
 +
 +===== Registration of egi-cloud =====
 +
 +INDIGO IAM needs to be configured to work with a client, so it need to be registered and some parameters tuned. You have to
 +
 +  * Go to the [[https://iam-test.indigo-datacloud.eu/login|test IAM instance]]. You need to be registered by INDIGO AAI Team, so contact them in order to do so.
 +  * Register a new client, under Self Service Client Registration.
 +  * Introduce the name, we use **INFN-PADOVA-STACK**.
 +  * Introduce the allowed redirect URIs ''https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect''.
 +  * Once you save it, go to the main tab again and keep a copy of the following fields.
 +     * Client ID.
 +     * Client Secret.
 +     * Registration Endpoint.
 +     * Registration Access Token.
 +
 +Please keep them in a secure place, as you will need them to configure your Keystone server and further modify your client if needed. The egi-cloud credential are saved on ''/root/indigo_iam_cred.txt'' on controller.
 +
 +===== Setup for ESACO =====
 +
 +Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM.
 +The redirect URI to be defined for the ESACO installed in Padova is https://cld-smact-02.pd.infn.it/esaco/introspect.
 +The client parameters (issuer URL, client ID and client secret) must be added in the ESACO servers file.
 +For the installation in cld-smact-02 the file is /etc/indigo-services/esaco-servers.yml:
 +<code>
 +oidc:
 +  clients:
 +      - issuer-url: https://iam-test.indigo-datacloud.eu/
 +        client-id: *************************************
 +        client-secret: *********************************************
 +</code>
 +The ESACO service must be restart, since there's not yet a systemd script for that it is necessary to restart manually the container:
 +<code>
 +docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml down
 +docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml up -d
 +</code>
 +
 +The authorization service **must grant access** to the introspection endpoint to the ESACO client.
 +===== Install and configure mod_auth_openidc =====
 +
 +Install mod_auth_openidc from [[https://github.com/pingidentity/mod_auth_openidc/releases|official repository]] and configure it as following.
 +Edit  /etc/httpd/conf.d/wsgi-keystone.conf file
 +
 +<code bash>
 +(...)
 +    <VirtualHost *:5000>
 +
 +        (...)
 +
 +        OIDCClaimPrefix                 "OIDC-"
 +        OIDCCryptoPassphrase            <PASSPHRASE>
 +        OIDCRedirectURI                 https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect
 +        OIDCMetadataDir                 /var/cache/httpd/mod_auth_openidc/metadata
 +        OIDCCacheShmEntrySizeMax        65536
 +
 +        ###############################################################################################
 +        # ESACO introspection endpoint
 +        ###############################################################################################
 +        OIDCOAuthIntrospectionEndpoint  https://cld-smact-02.pd.infn.it/esaco/introspect
 +
 +        ###############################################################################################
 +        # GUI
 +        ###############################################################################################
 +        <Location "/v3/auth/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/websso">
 +            AuthType        openid-connect
 +            OIDCDiscoverURL https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect?iss=https%3A%2F%2Fiam-test.indigo-datacloud.eu%2F
 +            Require         claim iss:https://iam-test.indigo-datacloud.eu/
 +            LogLevel        warn
 +        </Location>
 +        <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
 +            AuthType  openid-connect
 +            Require   valid-user
 +            LogLevel  warn
 +        </Location>
 +
 +        ###############################################################################################
 +        # API
 +        ###############################################################################################
 +        <Location ~ "/v3/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/auth">
 +            AuthType  oauth20
 +            Require         claim iss:https://iam-test.indigo-datacloud.eu/
 +            LogLevel        warn
 +        </Location>
 +
 +        (...)
 +
 +    </VirtualHost>
 +
 +</code>
 +
 +where
 +<code>
 +    <PASSPHRASE>: A password used for crypto purposes. Put something of your choice here.
 +</code>
 +
 +Check and/or create the directory ''/var/cache/httpd/mod_auth_openidc/metadata''
 +Create the json file ''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client'':
 +<code>
 +{
 +  "client_id" : "<CLIENT ID>",
 +  "client_secret" : "<CLIENT SECRET>"
 +}
 +</code>
 +where
 +<code>
 +    <CLIENT ID>: Client ID as obtained from the IAM.
 +    <CLIENT SECRET>: Client Secret as obtained from the IAM.
 +</code>
 +
 +Create the json file ''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.conf'':
 +<code>
 +{
 +  "scope" : "openid profile email eduperson_entitlement",
 +  "token_endpoint_auth" : "client_secret_basic",
 +  "response_type" : "code"
 +}
 +</code>
 +
 +At the end of the whole configuration, after restarting httpd, check if the IdP metadata file from ''https://iam-test.indigo-datacloud.eu/.well-known/openid-configuration'' has been saved in the file
 +''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.provider''
 +
 +Edit the file ''/etc/keystone/keystone.conf''
 +<code bash>
 +(...)
 +
 +[auth]
 +
 +methods = password,token,openid,mapped
 +
 +[openid]
 +remote_id_attribute = HTTP_OIDC_ISS
 +
 +[federation]
 +
 +remote_id_attribute = HTTP_OIDC_ISS
 +trusted_dashboard = https://egi-cloud.pd.infn.it/dashboard/auth/websso/
 +sso_callback_template = /etc/keystone/sso_callback_template.html
 +</code>
 +
 +and ensure that ''/etc/keystone/sso_callback_template.html'' exists.
 +===== Mapping for the indigo users =====
 +
 +First create a group that will hold all the INDIGO users
 +
 +<code bash>
 +# openstack group create indigo_group --description "INDIGO Federated users group"
 +</code>
 +
 +Grant user roles to the whole indigo_group into the indigo project
 +
 +<code bash>
 +# openstack role add user --group indigo_group --project indigo
 +</code>
 +
 +Create a ''indigo_mapping_new.json'' file for the mapping 
 +<code bash>
 +[
 +  {
 +    "local": [
 +      {
 +        "group": {
 +          "id": "203261e6154c492894448b6363764e86"
 +        },
 +        "user": {
 +          "domain": {
 +            "id": "default"
 +          },
 +          "type": "ephemeral",
 +          "name": "IAM/{1}/ID={0}",
 +   "email": "{2}"
 +        }
 +      }
 +    ],
 +    "remote": [
 +      {
 +        "type": "OIDC-sub"
 +      },
 +      {
 +        "type": "OIDC-name"
 +      },
 +      {
 +        "type": "OIDC-email"
 +      },
 +      {
 +        "type": "HTTP_OIDC_ISS",
 +        "any_one_of": [
 +          "https://iam-test.indigo-datacloud.eu/",
 +   "https://dodas-iam.cloud.cnaf.infn.it/"
 +        ]
 +      }
 +    ]
 +  }
 +]
 +</code>
 +The ''"https://dodas-iam.cloud.cnaf.infn.it/"'' row enable also the **Dodas-IAM** istance.
 +Load the mapping
 +
 +<code bash>
 +# openstack mapping create indigo_mapping --rules indigo_mapping_new.json
 +</code>
 +
 +Create the corresponding Identity Provider and protocol
 +
 +<code bash>
 +# openstack identity provider create indigo-dc --remote-id https://iam-test.indigo-datacloud.eu/
 +</code>
 +<code bash>
 +# openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping
 +</code>
 +
 +If you need to change the mapping at a later stage, you can update it by
 +
 +<code bash>
 +# openstack mapping set --rules indigo_mapping.json indigo_mapping
 +</code>
 +
 +===== Dashboard configuration =====
 +
 +Edit the file ''/etc/openstack-dashboard/local_settings''
 +
 +<code bash>
 +(...)
 +
 +WEBSSO_ENABLED = True
 +WEBSSO_INITIAL_CHOICE = "credentials"
 +
 +WEBSSO_CHOICES = (
 +    ("credentials", _("Keystone Credentials")),
 +    ("mapped", _("West-Life SSO")),
 +    ("openid", _("INDIGO-DataCloud IAM"))
 +)
 +</code>
 +
 +The ''("mapped", _("West-Life SSO"))'' row enables the authentication via [[https://wiki.infn.it/progetti/cloud-areapd/egi_federated_cloud/aai_integration/west-life_sso_integration|West-life SSO]].
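Review bot: the mapping file names do not match in the "Mapping for the indigo users" section: the rules are written to ''indigo_mapping_new.json'' and loaded with ''openstack mapping create indigo_mapping --rules indigo_mapping_new.json'', but the later update step reads ''openstack mapping set --rules indigo_mapping.json indigo_mapping'', a file this page never creates; use one file name in both commands. Two related points in the same region. The mapping admits a second issuer, ''https://dodas-iam.cloud.cnaf.infn.it/'', in the ''HTTP_OIDC_ISS'' ''any_one_of'' list, yet the Apache locations only carry ''Require claim iss:https://iam-test.indigo-datacloud.eu/'' and the identity provider is created with ''--remote-id https://iam-test.indigo-datacloud.eu/'' alone, so a Dodas-IAM login is refused before the mapping is ever evaluated; either document the extra Require claim and the matching ''openstack identity provider create'' for the Dodas issuer, or drop that row so the mapping is not wider than what the deployment actually admits. The group id ''203261e6154c492894448b6363764e86'' hard-coded in the ''local'' rule is never explained: state that it must be the id printed by ''openstack group create indigo_group'', otherwise copying this file to another deployment silently binds federated users to a group that does not exist there. Minor: the ''"email"'' line and the dodas-iam line in the JSON are indented with three spaces instead of matching the surrounding block, and "must be restart", "row enable" and "istance" are typos. Since ''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client'' and ''/etc/indigo-services/esaco-servers.yml'' both hold the client secret, it is worth saying that they should be readable only by the service user and root, as already implied for ''/root/indigo_iam_cred.txt''.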
progetti/cloud-areapd/egi_federated_cloud/aai_integration/iam_integration.txt · Last modified: 2019/11/29 10:29 by andreett@infn.it
