progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration
progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration [2019/11/15 08:38] – [Setup for ESACO] andreett@infn.it | progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration [2019/11/29 10:29] (current) – [Setup for ESACO] andreett@infn.it | ||
Line 1: | Line 1: | ||
+ | ====== IAM Integration ======= | ||
+ | Official documentation for [[https:// | ||
+ | |||
+ | ===== Registration of egi-cloud ===== | ||
+ | |||
+ | INDIGO IAM needs to be configured to work with a client, so it need to be registered and some parameters tuned. You have to | ||
+ | |||
+ | * Go to the [[https:// | ||
+ | * Register a new client, under Self Service Client Registration. | ||
+ | * Introduce the name, we use **INFN-PADOVA-STACK**. | ||
+ | * Introduce the allowed redirect URIs '' | ||
+ | * Once you save it, go to the main tab again and keep a copy of the following fields. | ||
+ | * Client ID. | ||
+ | * Client Secret. | ||
+ | * Registration Endpoint. | ||
+ | * Registration Access Token. | ||
+ | |||
+ | Please keep them in a secure place, as you will need them to configure your Keystone server and further modify your client if needed. The egi-cloud credential are saved on ''/ | ||
+ | |||
+ | ===== Setup for ESACO ===== | ||
+ | |||
+ | Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM. | ||
+ | The redirect URI to be defined for the ESACO installed in Padova is https:// | ||
+ | The client parameters (issuer URL, client ID and client secret) must be added in the ESACO servers file. | ||
+ | For the installation in cld-smact-02 the file is / | ||
+ | < | ||
+ | oidc: | ||
+ | clients: | ||
+ | - issuer-url: https:// | ||
+ | client-id: ************************************* | ||
+ | client-secret: | ||
+ | </ | ||
+ | The ESACO service must be restart, since there' | ||
+ | < | ||
+ | docker-compose -f / | ||
+ | docker-compose -f / | ||
+ | </ | ||
+ | |||
+ | The authorization service **must grant access** to the introspection endpoint to the ESACO client. | ||
+ | ===== Install and configure mod_auth_openidc ===== | ||
+ | |||
+ | Install mod_auth_openidc from [[https:// | ||
+ | Edit / | ||
+ | |||
+ | <code bash> | ||
+ | (...) | ||
+ | < | ||
+ | |||
+ | (...) | ||
+ | |||
+ | OIDCClaimPrefix | ||
+ | OIDCCryptoPassphrase | ||
+ | OIDCRedirectURI | ||
+ | OIDCMetadataDir | ||
+ | OIDCCacheShmEntrySizeMax | ||
+ | |||
+ | ############################################################################################### | ||
+ | # ESACO introspection endpoint | ||
+ | ############################################################################################### | ||
+ | OIDCOAuthIntrospectionEndpoint | ||
+ | |||
+ | ############################################################################################### | ||
+ | # GUI | ||
+ | ############################################################################################### | ||
+ | < | ||
+ | AuthType | ||
+ | OIDCDiscoverURL https:// | ||
+ | Require | ||
+ | LogLevel | ||
+ | </ | ||
+ | < | ||
+ | AuthType | ||
+ | Require | ||
+ | LogLevel | ||
+ | </ | ||
+ | |||
+ | ############################################################################################### | ||
+ | # API | ||
+ | ############################################################################################### | ||
+ | < | ||
+ | AuthType | ||
+ | Require | ||
+ | LogLevel | ||
+ | </ | ||
+ | |||
+ | (...) | ||
+ | |||
+ | </ | ||
+ | |||
+ | </ | ||
+ | |||
+ | where | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | |||
+ | Check and/or create the directory ''/ | ||
+ | Create the json file ''/ | ||
+ | < | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | </ | ||
+ | where | ||
+ | < | ||
+ | <CLIENT ID>: Client ID as obtained from the IAM. | ||
+ | <CLIENT SECRET>: Client Secret as obtained from the IAM. | ||
+ | </ | ||
+ | |||
+ | Create the json file ''/ | ||
+ | < | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | At the end of the whole configuration, | ||
+ | ''/ | ||
+ | |||
+ | Edit the file ''/ | ||
+ | <code bash> | ||
+ | (...) | ||
+ | |||
+ | [auth] | ||
+ | |||
+ | methods = password, | ||
+ | |||
+ | [openid] | ||
+ | remote_id_attribute = HTTP_OIDC_ISS | ||
+ | |||
+ | [federation] | ||
+ | |||
+ | remote_id_attribute = HTTP_OIDC_ISS | ||
+ | trusted_dashboard = https:// | ||
+ | sso_callback_template = / | ||
+ | </ | ||
+ | |||
+ | and ensure that ''/ | ||
+ | ===== Mapping for the indigo users ===== | ||
+ | |||
+ | First create a group that will hold all the INDIGO users | ||
+ | |||
+ | <code bash> | ||
+ | # openstack group create indigo_group --description " | ||
+ | </ | ||
+ | |||
+ | Grant user roles to the whole indigo_group into the indigo project | ||
+ | |||
+ | <code bash> | ||
+ | # openstack role add user --group indigo_group --project indigo | ||
+ | </ | ||
+ | |||
+ | Create a '' | ||
+ | <code bash> | ||
+ | [ | ||
+ | { | ||
+ | " | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | } | ||
+ | ], | ||
+ | " | ||
+ | { | ||
+ | " | ||
+ | }, | ||
+ | { | ||
+ | " | ||
+ | }, | ||
+ | { | ||
+ | " | ||
+ | }, | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | ] | ||
+ | } | ||
+ | ] | ||
+ | } | ||
+ | ] | ||
+ | </ | ||
+ | The ''" | ||
+ | Load the mapping | ||
+ | |||
+ | <code bash> | ||
+ | # openstack mapping create indigo_mapping --rules indigo_mapping_new.json | ||
+ | </ | ||
+ | |||
+ | Create the corresponding Identity Provider and protocol | ||
+ | |||
+ | <code bash> | ||
+ | # openstack identity provider create indigo-dc --remote-id https:// | ||
+ | </ | ||
+ | <code bash> | ||
+ | # openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping | ||
+ | </ | ||
+ | |||
+ | If you need to change the mapping at a later stage, you can update it by | ||
+ | |||
+ | <code bash> | ||
+ | # openstack mapping set --rules indigo_mapping.json indigo_mapping | ||
+ | </ | ||
+ | |||
+ | ===== Dashboard configuration ===== | ||
+ | |||
+ | Edit the file ''/ | ||
+ | |||
+ | <code bash> | ||
+ | (...) | ||
+ | |||
+ | WEBSSO_ENABLED = True | ||
+ | WEBSSO_INITIAL_CHOICE = " | ||
+ | |||
+ | WEBSSO_CHOICES = ( | ||
+ | (" | ||
+ | (" | ||
+ | (" | ||
+ | ) | ||
+ | </ | ||
+ | |||
+ | The '' |
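Review bot: the two "Create the json file" steps that follow "Check and/or create the directory" write the IAM Client ID and Client Secret into files under the OIDCMetadataDir, but the hunk gives no ownership or permission for that directory or those files; add a step that makes them readable only by the Apache user (owned by the httpd account, mode 0600 for the file carrying "client_secret"), and apply the same to the egi-cloud credential file referred to in "Please keep them in a secure place" and to the ESACO servers file, whose "client-secret" value is masked in the hunk but still sits on disk in cleartext. Two smaller points in the same hunk: "The ESACO service must be restart" should read "must be restarted", and the OIDCCryptoPassphrase line is listed without saying that it must be a locally generated, non-default value.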
progetti/cloud-areapd/egi_federated_cloud/aai_integration/iam_integration.txt · Last modified: 2019/11/29 10:29 by andreett@infn.it