IAM Integration

Official documentation for indigo-IAM

Registration of egi-cloud

INDIGO IAM needs to be configured to work with a client, so the client needs to be registered and some parameters tuned. You have to

Please keep them in a secure place, as you will need them to configure your Keystone server and to modify your client later if needed. The egi-cloud credentials are saved in /root/indigo_iam_cred.txt on the controller.

Setup for ESACO

Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM. The redirect URI to be defined for the ESACO installed in Padova is
The client parameters (issuer URL, client ID and client secret) must be added to the ESACO servers file. For the installation on cld-smact-02 the file is /etc/indigo-services/esaco-servers.yml:

      - issuer-url:
        client-id: *************************************
        client-secret: *********************************************

The ESACO service must then be restarted. Since there is not yet a systemd unit for it, the container has to be restarted manually:

docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml down
docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml up -d

The authorization service must grant the ESACO client access to the introspection endpoint.

Install and configure mod_auth_openidc

Install mod_auth_openidc from the official repository and configure it as follows. Edit the /etc/httpd/conf.d/wsgi-keystone.conf file:

    <VirtualHost *:5000>
        OIDCClaimPrefix                 "OIDC-"
        OIDCCryptoPassphrase            <PASSPHRASE>
        OIDCMetadataDir                 /var/cache/httpd/mod_auth_openidc/metadata
        OIDCCacheShmEntrySizeMax        65536
        # ESACO introspection endpoint
        # GUI
        <Location "/v3/auth/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/websso">
            AuthType        openid-connect
            Require         claim iss:
            LogLevel        warn
        </Location>
        <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
            AuthType  openid-connect
            Require   valid-user
            LogLevel  warn
        </Location>
        # API
        <Location ~ "/v3/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/auth">
            AuthType  oauth20
            Require   claim iss:
            LogLevel  warn
        </Location>
        # ... rest of the existing Keystone virtual host (WSGI directives) unchanged ...
    </VirtualHost>


    <PASSPHRASE>: A password used by mod_auth_openidc for crypto purposes (cookie and cache encryption). Put a value of your choice here.

Check that the directory /var/cache/httpd/mod_auth_openidc/metadata exists, creating it if necessary. Then create the JSON client file /var/cache/httpd/mod_auth_openidc/metadata/ with the following content:

    {
      "client_id" : "<CLIENT ID>",
      "client_secret" : "<CLIENT SECRET>"
    }


    <CLIENT ID>: Client ID as obtained from the IAM.
    <CLIENT SECRET>: Client Secret as obtained from the IAM.

Create the JSON configuration file /var/cache/httpd/mod_auth_openidc/metadata/ with the following content:

    {
      "scope" : "openid profile email eduperson_entitlement",
      "token_endpoint_auth" : "client_secret_basic",
      "response_type" : "code"
    }

At the end of the whole configuration, after restarting httpd, check that the IdP metadata document downloaded from has been saved in the file /var/cache/httpd/mod_auth_openidc/metadata/

Edit the file /etc/keystone/keystone.conf

[auth]
methods = password,token,openid,mapped

[openid]
remote_id_attribute = HTTP_OIDC_ISS

[federation]
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard =
sso_callback_template = /etc/keystone/sso_callback_template.html

and ensure that /etc/keystone/sso_callback_template.html exists.

Mapping for the indigo users

First, create a group that will hold all the INDIGO users:

# openstack group create indigo_group --description "INDIGO Federated users group"

Grant the user role to the whole indigo_group on the indigo project:

# openstack role add user --group indigo_group --project indigo

Create an indigo_mapping_new.json file for the mapping:

    [
      {
        "local": [
          { "group": { "id": "203261e6154c492894448b6363764e86" } },
          {
            "user": {
              "domain": { "id": "default" },
              "type": "ephemeral",
              "name": "IAM/{1}/ID={0}",
              "email": "{2}"
            }
          }
        ],
        "remote": [
          { "type": "OIDC-sub" },
          { "type": "OIDC-name" },
          { "type": "OIDC-email" },
          {
            "type": "HTTP_OIDC_ISS",
            "any_one_of": [
              "<INDIGO IAM ISSUER URL>",
              "<DODAS IAM ISSUER URL>"
            ]
          }
        ]
      }
    ]

    <INDIGO IAM ISSUER URL>: issuer URL of the INDIGO IAM, the same value used as issuer-url in the ESACO servers file.
    <DODAS IAM ISSUER URL>: issuer URL of the Dodas-IAM instance.

The row with the Dodas-IAM issuer URL in "any_one_of" also enables the Dodas-IAM instance. Load the mapping:

# openstack mapping create indigo_mapping --rules indigo_mapping_new.json

Create the corresponding identity provider and protocol:

# openstack identity provider create indigo-dc --remote-id
# openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping

If you need to change the mapping at a later stage, you can update it with:

# openstack mapping set --rules indigo_mapping.json indigo_mapping
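To see what the mapping above actually produces before loading it, here is an added Python simulation of how Keystone's federation mapping engine evaluates these rules against the claims mod_auth_openidc exports into the request environment (OIDC-sub, OIDC-name, OIDC-email and HTTP_OIDC_ISS). It is not code from this page or from Keystone; the group id is the one from the mapping file, while the issuer URLs, the user claims and the untrusted issuer are constructed placeholders.

```python
"""Added example, not part of the original page nor of Keystone itself.

Simplified re-implementation of the Keystone mapping engine semantics for
the indigo_mapping rules: unconditioned "remote" entries become the
positional arguments {0}, {1}, ... of the "local" templates, while an
entry with "any_one_of" only filters the request.
"""
import json

# Constructed placeholders for the issuer URLs listed under "any_one_of".
TRUSTED_ISSUERS = [
    "https://iam.example.org/",        # placeholder for the INDIGO IAM issuer
    "https://dodas-iam.example.org/",  # placeholder for the Dodas-IAM issuer
]

# Same structure as the page's indigo_mapping_new.json (group id from the page).
MAPPING_RULES = [{
    "local": [
        {"group": {"id": "203261e6154c492894448b6363764e86"}},
        {"user": {"domain": {"id": "default"},
                  "type": "ephemeral",
                  "name": "IAM/{1}/ID={0}",
                  "email": "{2}"}},
    ],
    "remote": [
        {"type": "OIDC-sub"},
        {"type": "OIDC-name"},
        {"type": "OIDC-email"},
        {"type": "HTTP_OIDC_ISS", "any_one_of": TRUSTED_ISSUERS},
    ],
}]


def evaluate_rule(rule, environ):
    """Return (group_id, user) if the rule matches the environment, else None.

    Every "remote" entry must be present. An entry without a condition
    contributes its value as the next positional argument of the "local"
    templates; an entry with "any_one_of" contributes nothing, which is why
    the template uses {0}..{2} for sub, name and email and nothing for the
    issuer.
    """
    args = []
    for remote in rule["remote"]:
        value = environ.get(remote["type"])
        if value is None:
            return None                # required claim missing: rule does not match
        if "any_one_of" in remote:
            if value not in remote["any_one_of"]:
                return None            # issuer not trusted: no identity is created
            continue                   # filters are not interpolated
        args.append(value)

    group_id, user = None, None
    for local in rule["local"]:
        if "group" in local:
            group_id = local["group"]["id"]
        if "user" in local:
            user = {key: (tmpl.format(*args) if isinstance(tmpl, str) else tmpl)
                    for key, tmpl in local["user"].items()}
    return group_id, user


def map_federated_user(environ, rules=MAPPING_RULES):
    """Apply the rules in order; the first matching rule wins."""
    for rule in rules:
        result = evaluate_rule(rule, environ)
        if result is not None:
            return result
    return None


# Constructed request environments, as mod_auth_openidc would populate them.
GOOD_ENV = {
    "HTTP_OIDC_ISS": "https://iam.example.org/",
    "OIDC-sub": "7d2c1e0b-0000-4000-8000-000000000001",
    "OIDC-name": "Alice Example",
    "OIDC-email": "alice@example.org",
}
# Same claims, but asserted by an issuer that is not listed in "any_one_of".
UNTRUSTED_ENV = dict(GOOD_ENV, HTTP_OIDC_ISS="https://other-idp.example.net/")

if __name__ == "__main__":
    print(json.dumps(map_federated_user(GOOD_ENV), indent=2))  # ephemeral user + group
    print(map_federated_user(UNTRUSTED_ENV))                    # None
```

The first call yields the ephemeral user IAM/Alice Example/ID=7d2c1e0b-0000-4000-8000-000000000001 placed in the indigo_group, which is how the group's role on the indigo project reaches the federated user. The second returns None: because the issuer filter is part of the same rule, a token from an issuer that is not listed never produces a Keystone identity, which is the property to preserve whenever the any_one_of list is edited and reloaded with openstack mapping set.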

Dashboard configuration

Edit the file /etc/openstack-dashboard/local_settings

    WEBSSO_ENABLED = True
    WEBSSO_CHOICES = (
        ("credentials", _("Keystone Credentials")),
        ("mapped", _("West-Life SSO")),
        ("openid", _("INDIGO-DataCloud IAM"))
    )

The ("mapped", _("West-Life SSO")) row enables authentication via the West-Life SSO.