====== IAM Integration ======
Official documentation for [[https://indigo-dc.gitbooks.io/keystone-with-oidc-documentation/content/admin-iam-conf.html|indigo-IAM]]
===== Registration of egi-cloud =====
INDIGO IAM needs to be configured to work with a client, so the client needs to be registered and some parameters tuned. You have to:
  * Go to the [[https://iam-test.indigo-datacloud.eu/login|test IAM instance]]. You need to be registered by the INDIGO AAI Team, so contact them in order to do so.
  * Register a new client under Self Service Client Registration.
  * Enter the name; we use **INFN-PADOVA-STACK**.
  * Enter the allowed redirect URI ''https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect''.
  * Once you save it, go to the main tab again and keep a copy of the following fields:
    * Client ID
    * Client Secret
    * Registration Endpoint
    * Registration Access Token
Please keep them in a secure place, as you will need them to configure your Keystone server and to modify your client later if needed. The egi-cloud credentials are saved in ''/root/indigo_iam_cred.txt'' on the controller.
===== Setup for ESACO =====
Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM.
The redirect URI to be defined for the ESACO installed in Padova is https://cld-smact-02.pd.infn.it/esaco/introspect.
The client parameters (issuer URL, client ID and client secret) must be added in the ESACO servers file.
For the installation on cld-smact-02 the file is ''/etc/indigo-services/esaco-servers.yml'':
<code yaml>
oidc:
  clients:
    - issuer-url: https://iam-test.indigo-datacloud.eu/
      client-id: *************************************
      client-secret: *********************************************
</code>
The ESACO service must be restarted. Since there is not yet a systemd unit for it, the container has to be restarted manually:
<code bash>
docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml down
docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml up -d
</code>
The authorization service **must grant access** to the introspection endpoint to the ESACO client.
===== Install and configure mod_auth_openidc =====
Install mod_auth_openidc from the [[https://github.com/pingidentity/mod_auth_openidc/releases|official repository]] and configure it as follows.
Edit the file ''/etc/httpd/conf.d/wsgi-keystone.conf'':
<code apache>
(...)
(...)
OIDCClaimPrefix "OIDC-"
OIDCCryptoPassphrase <passphrase>
OIDCRedirectURI https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect
OIDCMetadataDir /var/cache/httpd/mod_auth_openidc/metadata
OIDCCacheShmEntrySizeMax 65536
###############################################################################################
# ESACO introspection endpoint
###############################################################################################
OIDCOAuthIntrospectionEndpoint https://cld-smact-02.pd.infn.it/esaco/introspect
###############################################################################################
# GUI
###############################################################################################
AuthType openid-connect
OIDCDiscoverURL https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect?iss=https%3A%2F%2Fiam-test.indigo-datacloud.eu%2F
Require claim iss:https://iam-test.indigo-datacloud.eu/
LogLevel warn
AuthType openid-connect
Require valid-user
LogLevel warn
###############################################################################################
# API
###############################################################################################
AuthType oauth20
Require claim iss:https://iam-test.indigo-datacloud.eu/
LogLevel warn
(...)
</code>
where
  * ''<passphrase>'': a password used for crypto purposes; put something of your choice here.
Check and/or create the directory ''/var/cache/httpd/mod_auth_openidc/metadata''.
Create the JSON file ''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client'':
<code json>
{
  "client_id" : "<client_id>",
  "client_secret" : "<client_secret>"
}
</code>
where
  * ''<client_id>'': the Client ID as obtained from the IAM.
  * ''<client_secret>'': the Client Secret as obtained from the IAM.
Create the JSON file ''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.conf'':
<code json>
{
  "scope" : "openid profile email eduperson_entitlement",
  "token_endpoint_auth" : "client_secret_basic",
  "response_type" : "code"
}
</code>
At the end of the whole configuration, after restarting httpd, check if the IdP metadata file from ''https://iam-test.indigo-datacloud.eu/.well-known/openid-configuration'' has been saved in the file
''/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.provider''
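As an added check that is not part of this page or of mod_auth_openidc, the script below verifies the three files above for consistency with the Apache configuration: non-empty credentials in ''.client'', ''openid'' in the scope of ''.conf'', and a cached ''.provider'' whose issuer matches the ''Require claim iss:'' value. File names and contents in the test are constructed.

```python
import json
from pathlib import Path

# Added example (not mod_auth_openidc's or the page's code): sanity-check the
# per-provider files mod_auth_openidc keeps under OIDCMetadataDir.

def load_metadata_dir(metadata_dir):
    """Read every file in OIDCMetadataDir into a {file name: text} dict."""
    return {p.name: p.read_text() for p in Path(metadata_dir).iterdir() if p.is_file()}

def check_oidc_metadata(files, issuer_host):
    """Return a list of problems found in <issuer_host>.client/.conf/.provider.

    .client holds the IAM-issued credentials, .conf the per-provider settings and
    .provider the discovery document that mod_auth_openidc fetches from
    https://<issuer_host>/.well-known/openid-configuration and caches.
    """
    problems = []

    def load(suffix):
        name = f"{issuer_host}.{suffix}"
        if name not in files:
            problems.append(f"{name}: missing")
            return None
        try:
            return json.loads(files[name])
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: invalid JSON ({exc.msg})")
            return None

    client = load("client")
    if client is not None:
        for key in ("client_id", "client_secret"):
            if not client.get(key):
                problems.append(f"{issuer_host}.client: '{key}' is empty")
    conf = load("conf")
    if conf is not None:
        if "openid" not in conf.get("scope", "").split():
            problems.append(f"{issuer_host}.conf: scope must include 'openid'")
        if conf.get("response_type") != "code":
            problems.append(f"{issuer_host}.conf: response_type should be 'code'")
    provider = load("provider")
    if provider is not None:
        expected = f"https://{issuer_host}/"
        if provider.get("issuer") != expected:
            problems.append(f"{issuer_host}.provider: issuer {provider.get('issuer')!r} "
                            f"differs from {expected!r} in 'Require claim iss:'")
    return problems
```

On the controller, ''check_oidc_metadata(load_metadata_dir("/var/cache/httpd/mod_auth_openidc/metadata"), "iam-test.indigo-datacloud.eu")'' runs the same check against the real files.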
Edit the file ''/etc/keystone/keystone.conf'':
<code ini>
(...)
[auth]
methods = password,token,openid,mapped
[openid]
remote_id_attribute = HTTP_OIDC_ISS
[federation]
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard = https://egi-cloud.pd.infn.it/dashboard/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html
</code>
and ensure that ''/etc/keystone/sso_callback_template.html'' exists.
===== Mapping for the indigo users =====
First create a group that will hold all the INDIGO users:
<code bash>
# openstack group create indigo_group --description "INDIGO Federated users group"
</code>
Grant the ''user'' role to the whole indigo_group in the indigo project:
<code bash>
# openstack role add user --group indigo_group --project indigo
</code>
Create an ''indigo_mapping_new.json'' file for the mapping:
<code json>
[
  {
    "local": [
      {
        "group": {
          "id": "203261e6154c492894448b6363764e86"
        },
        "user": {
          "domain": {
            "id": "default"
          },
          "type": "ephemeral",
          "name": "IAM/{1}/ID={0}",
          "email": "{2}"
        }
      }
    ],
    "remote": [
      {
        "type": "OIDC-sub"
      },
      {
        "type": "OIDC-name"
      },
      {
        "type": "OIDC-email"
      },
      {
        "type": "HTTP_OIDC_ISS",
        "any_one_of": [
          "https://iam-test.indigo-datacloud.eu/",
          "https://dodas-iam.cloud.cnaf.infn.it/"
        ]
      }
    ]
  }
]
</code>
The ''"https://dodas-iam.cloud.cnaf.infn.it/"'' entry also enables the **Dodas-IAM** instance.
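The following is an added example, not Keystone's own code: a small model of how Keystone's mapping engine evaluates the rule above, showing how the ''OIDC-sub'', ''OIDC-name'' and ''OIDC-email'' attributes become the ''{0}'', ''{1}'' and ''{2}'' substitutions while ''HTTP_OIDC_ISS'' only acts as a filter, so a token from an issuer outside ''any_one_of'' maps to nothing. The attribute values used in the test are constructed.

```python
# Added example (not Keystone's code): a minimal model of how Keystone's
# mapping engine evaluates the rule above for the constructs it uses.
INDIGO_MAPPING = [{
    "local": [{
        "group": {"id": "203261e6154c492894448b6363764e86"},
        "user": {"domain": {"id": "default"}, "type": "ephemeral",
                 "name": "IAM/{1}/ID={0}", "email": "{2}"},
    }],
    "remote": [
        {"type": "OIDC-sub"},
        {"type": "OIDC-name"},
        {"type": "OIDC-email"},
        {"type": "HTTP_OIDC_ISS", "any_one_of": [
            "https://iam-test.indigo-datacloud.eu/",
            "https://dodas-iam.cloud.cnaf.infn.it/"]},
    ],
}]

def _render(local, values):
    """Substitute {0}, {1}, ... in every string of a local section."""
    if isinstance(local, str):
        return local.format(*values)
    if isinstance(local, dict):
        return {k: _render(v, values) for k, v in local.items()}
    if isinstance(local, list):
        return [_render(v, values) for v in local]
    return local

def apply_mapping(rules, assertion):
    """Return the rendered local section of the first matching rule, else None.

    `assertion` holds the attributes Apache passes to Keystone (OIDC-* claims and
    HTTP_OIDC_ISS). Plain `type` entries supply positional values in order;
    `any_one_of` entries are conditions only. Here a missing attribute or an
    issuer outside any_one_of fails the rule, so an unlisted IAM is never mapped.
    """
    for rule in rules:
        values, matched = [], True
        for remote in rule["remote"]:
            attr = assertion.get(remote["type"])
            allowed = remote.get("any_one_of")
            if attr is None or (allowed is not None and attr not in allowed):
                matched = False
                break
            if allowed is None:
                values.append(attr)
        if matched:
            return [_render(local, values) for local in rule["local"]]
    return None
```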
Load the mapping:
<code bash>
# openstack mapping create indigo_mapping --rules indigo_mapping_new.json
</code>
Create the corresponding identity provider and protocol:
<code bash>
# openstack identity provider create indigo-dc --remote-id https://iam-test.indigo-datacloud.eu/
# openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping
</code>
If you need to change the mapping at a later stage, you can update it with:
<code bash>
# openstack mapping set --rules indigo_mapping.json indigo_mapping
</code>
===== Dashboard configuration =====
Edit the file ''/etc/openstack-dashboard/local_settings'':
<code python>
(...)
WEBSSO_ENABLED = True
WEBSSO_INITIAL_CHOICE = "credentials"
WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("mapped", _("West-Life SSO")),
    ("openid", _("INDIGO-DataCloud IAM"))
)
</code>
The ''("mapped", _("West-Life SSO"))'' row enables the authentication via [[https://wiki.infn.it/progetti/cloud-areapd/egi_federated_cloud/aai_integration/west-life_sso_integration|West-life SSO]].