====== West-Life SSO Integration ======
==== Shibboleth installation ====
Install the Shibboleth Service Provider packages from the official repository (the repo file is fetched over plain HTTP here; fetch it over HTTPS where possible and confirm that the file it installs keeps ''gpgcheck=1'' before running ''yum''):
<code bash>
wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
yum -y install shibboleth
</code>
Deploy the service certificate in ///etc/shibboleth/sp-cert.pem// and the corresponding private key in ///etc/shibboleth/sp-key.pem//.
Restrict ownership and permissions so that only the ''shibd'' daemon can read the key (the certificate is public, but keeping it owned by ''shibd'' avoids accidental edits):
<code bash>
chown shibd:shibd /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
chmod 400 /etc/shibboleth/sp-key.pem
chmod 600 /etc/shibboleth/sp-cert.pem
</code>
In ///etc/shibboleth/shibboleth2.xml// the protocol lists of the ''<SSO>'' and ''<Logout>'' elements of the ''<Sessions>'' section must be ''SAML2 SAML1'' and ''SAML2 Local'' respectively (the ''entityID'' of the ''<SSO>'' element must point at the West-Life Identity Provider used below).
Create the metadata cache directory and hand it to ''shibd'':
<code bash>
mkdir -p /var/cache/shibboleth
chown shibd:shibd /var/cache/shibboleth
</code>
Write the service metadata file ///etc/shibboleth/egi-cloud-metadata.xml//. Besides the entity descriptor of the SP it must carry the following descriptive values (service display name and description, information and dashboard URLs, organization name and support contact):
  * EGI Fed-Cloud INFN-PD
  * The EGI Federated Cloud infrastructure operated by INFN in Padova
  * https://goc.egi.eu/portal/index.php?Page_Type=Site&id=1024
  * https://egi-cloud.pd.infn.it/dashboard
  * INFN
  * EGI Fed-Cloud INFN-PD
  * https://goc.egi.eu/portal/index.php?Page_Type=Site&id=1024
  * cloud-support@lists.pd.infn.it
==== Keystone service’s configuration ====
In ///etc/httpd/conf.d/wsgi-keystone.conf// both ''<Location>'' blocks that protect the Keystone federation endpoints of the ''mapped'' protocol (the protocol authentication URL and the WebSSO URL) must require a valid Shibboleth session. Exporting the whole assertion to the application is not needed, so it stays off:
<code apache>
AuthType shibboleth
Require shib-session
ShibRequestSetting requireSession 1
ShibExportAssertion Off
</code>
Configure the OS-Federation environment: the group that federated users land in, its role on the project, the identity provider (identified by the ''entityID'' Shibboleth will report), the mapping and the protocol that ties them together:
<code bash>
openstack group create wlife_group
openstack role add --group wlife_group --project wenmr _member_
openstack identity provider create --remote-id https://auth.west-life.eu/proxy/saml2/idp/metadata.php wlifeaai
openstack mapping create --rules /tmp/wlife_mapping.json wlife_mapping
openstack federation protocol create mapped --mapping wlife_mapping --identity-provider wlifeaai
</code>
The rule file ///tmp/wlife_mapping.json// (to be written before the ''openstack mapping create'' call above) maps the ''eppn'' attribute released by the IdP to the local user name and puts every such user into ''wlife_group''. Note that there is no restriction on the ''eppn'' value: every identity the West-Life IdP authenticates and releases an ''eppn'' for obtains ''_member_'' on ''wenmr'' through the group.
<code json>
[
  {
    "local": [
      {
        "user": { "name": "{0}" },
        "group": {
          "domain": { "name": "Default" },
          "name": "wlife_group"
        }
      }
    ],
    "remote": [
      {
        "type": "eppn"
      }
    ]
  }
]
</code>
In the Keystone configuration file ///etc/keystone/keystone.conf// enable the ''mapped'' (and ''oidc'') authentication methods and tell Keystone which request variable carries the remote identity provider. For the Shibboleth protocol this is ''Shib-Identity-Provider'', i.e. the IdP ''entityID''; Keystone compares it with the ''--remote-id'' registered for ''wlifeaai'' above and rejects assertions coming from any other IdP:
<code ini>
[auth]
methods = external,password,token,oauth1,oidc,mapped
oidc = keystone.auth.plugins.mapped.Mapped

[oidc]
remote_id_attribute = HTTP_OIDC_ISS

[mapped]
remote_id_attribute = Shib-Identity-Provider
</code>
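The following Python script is an added example, not code from this page or from Keystone itself. It re-implements, in simplified form, the two checks Keystone applies to the Shibboleth request environment described above: the ''remote_id_attribute'' comparison against the registered ''--remote-id'' of ''wlifeaai'', and the evaluation of the ''wlife_mapping'' rules (remote attribute matching and ''{0}'' substitution). It also shows a tightened mapping that only accepts ''eppn'' values scoped to ''west-life.eu''; that scope, the sample attribute values and the helper names are assumptions, not facts from the page.

```python
import json
import re

# Remote ids registered with 'openstack identity provider create --remote-id ...'
# (value taken from the page; the dict layout is this example's own).
REGISTERED_REMOTE_IDS = {
    "wlifeaai": ["https://auth.west-life.eu/proxy/saml2/idp/metadata.php"],
}

# The rule from /tmp/wlife_mapping.json on this page.
WLIFE_MAPPING = json.loads(r"""
[ { "local": [ { "user": { "name": "{0}" },
                 "group": { "domain": { "name": "Default" }, "name": "wlife_group" } } ],
    "remote": [ { "type": "eppn" } ] } ]
""")

# Tightened variant (assumption, not from the page): only eppn values scoped to
# west-life.eu match. As in Keystone, an 'any_one_of' entry takes part in the
# match but does not consume a {n} index, so {0} is still the bare eppn entry.
SCOPED_MAPPING = json.loads(r"""
[ { "local": [ { "user": { "name": "{0}" },
                 "group": { "domain": { "name": "Default" }, "name": "wlife_group" } } ],
    "remote": [ { "type": "eppn" },
                { "type": "eppn", "any_one_of": ["^[^@]+@west-life\\.eu$"], "regex": true } ] } ]
""")


def split_env(env):
    """Shibboleth exports released attributes as request environment variables,
    joining multi-valued ones with ';'. Return them as attribute -> list."""
    return {k: v.split(";") for k, v in env.items() if v != ""}


def check_remote_id(env, idp_name, registered=REGISTERED_REMOTE_IDS):
    """Mirror of the [mapped] remote_id_attribute check: the entityID that
    Shibboleth reports must be one of the remote ids registered for the IdP."""
    return env.get("Shib-Identity-Provider") in registered.get(idp_name, [])


def _any_one_of_met(req, values):
    # Literal membership, or pattern search when the entry sets "regex": true.
    if req.get("regex"):
        return any(re.search(p, v) for p in req["any_one_of"] for v in values)
    return any(v in req["any_one_of"] for v in values)


def _fill(obj, direct):
    # Substitute {n} placeholders in every string of a 'local' object.
    if isinstance(obj, dict):
        return {k: _fill(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, direct) for v in obj]
    return obj.format(*direct)


def evaluate(rules, attributes):
    """Return the merged 'local' objects of the first rule whose remote
    requirements all hold, or None when no rule matches (Keystone then
    rejects the federated login)."""
    for rule in rules:
        direct, ok = [], True
        for req in rule["remote"]:
            values = attributes.get(req["type"])
            if not values:                      # attribute not released at all
                ok = False
                break
            if "any_one_of" in req:
                if not _any_one_of_met(req, values):
                    ok = False
                    break
            else:
                # A single value is substituted as a string; Keystone keeps a
                # multi-valued attribute as a list, which cannot become a user name.
                direct.append(values[0] if len(values) == 1 else values)
        if ok:
            merged = {}
            for item in _fill(rule["local"], direct):
                merged.update(item)
            return merged
    return None


if __name__ == "__main__":
    # Constructed request environments standing in for what Apache/Shibboleth pass on.
    good_env = {"Shib-Identity-Provider": "https://auth.west-life.eu/proxy/saml2/idp/metadata.php",
                "eppn": "alice@west-life.eu"}
    print(check_remote_id(good_env, "wlifeaai"))                                  # True
    print(evaluate(WLIFE_MAPPING, split_env(good_env)))
    print(evaluate(WLIFE_MAPPING, split_env({"mail": "alice@example.org"})))      # None
    foreign = split_env({"eppn": "mallory@example.org"})
    print(evaluate(WLIFE_MAPPING, foreign)["user"]["name"])                       # mallory@example.org
    print(evaluate(SCOPED_MAPPING, foreign))                                      # None
```

The last two lines of the demo make the point of the page's rule explicit: with a bare ''{"type": "eppn"}'' requirement any ''eppn'' the IdP releases becomes a member of ''wlife_group'', while the scoped variant turns an unexpected realm into a rejected login instead of a project member.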
==== Horizon configuration ====
In the Horizon configuration file ///etc/openstack-dashboard/local_settings// enable WebSSO and offer the ''mapped'' protocol as the West-Life login choice:
<code python>
WEBSSO_ENABLED = True
WEBSSO_INITIAL_CHOICE = "credentials"
WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("mapped", _("West-Life SSO")),
    ("oidc", _("INDIGO-DataCloud IAM")),
)
</code>
Enable the Shibboleth daemon and restart the web server so that Keystone and Horizon pick up the new configuration:
<code bash>
systemctl enable shibd && systemctl start shibd
systemctl restart httpd
</code>
==== Register the site to the IdP ====
Send the SP [[https://egi-cloud.pd.infn.it/Shibboleth.sso/Metadata|metadata]] of the site to the West-Life Identity Provider operators, as described in the [[http://internal-wiki.west-life.eu/index.php/Enabling_SAML2_for_end_services|West-Life SSO guide]]. Until the IdP trusts this metadata it will not issue assertions for the SP, so federated logins fail even though the local configuration is complete.